Your company has just purchased and deployed a high-end full-color printer and a high-speed black-and-white publishing center that can print, bind and sort 20 copies of 500 pages each in less than 10 minutes. After the first month, you discover that your printing supply costs are astronomical. A quick audit of the activity on the printer reveals that many users are printing personal or non-essential items to the color printer and accidentally...
printing 20 bound copies of reports when they only needed one.
After a memo declaring the new printers off-limits to everyone but the accounting and PR department, you realize that the only way to prevent abuse of the printers is to restrict access.
Active Directory provides a way to hide the printer from all non-authorized users. First, it requires that the authorized users be placed in a domain, site or OU without any other unauthorized printer users. Next, create a group policy for that container. In this GPO, open the Printers section of the Administrative Templates in the Computer Configuration section. Set the Allow Printers to be Published option to Enable.
Next, change this same control on all other GPOs to Disable. Finally, rename the printer shares for the new printers.
It should be obvious that this exercise will simply hide the shared printer name so no one outside the specific container where the enable GPO is applied can see the printer name. You should always define permissions on the printer share to only those users who are authorized to use it. That way you can foil the efforts of those savvy users who figure out the new correct UNC name for the printer share and attempt to map to it.
James Michael Stewart is a researcher and writer for Lanwrights, Inc.