I'm currently setting up PrinterLogic for the first time and ran into something puzzling. When I deploy a TCP/IP printer to a computer, if a user is logged in at that moment, they are granted "manage this printer" rights on the print queue. This allows them to change or even delete the queue entirely, which seems problematic. I know there's a setting to sync the printer settings to override this, but that only refreshes every four hours and feels far from ideal. If no one is logged in during the installation, permissions are set correctly. Has anyone else in the PrinterLogic community experienced this issue?
3 Answers
This sounds like a bug. I’m using PrinterLogic but only mapping to users, not computers, and I haven’t encountered this issue. It definitely seems weird that the logged-in user gets those permissions just because they’re there during installation.
What you're experiencing is actually how Windows works with user-created queues. When a printer adds through a logged-in user, that user gets full rights by design. Vasion could potentially avoid this by running the addPrinter method as the SYSTEM account instead. You might want to check the local spooler security settings to see what's in place when no user is logged in. It's perplexing that this hasn’t been flagged as an issue in more environments, though! I've had to create a daily remediation script to handle this monkey business. It's a bit frustrating for such an established product.
A quick fix might be to disable queue management completely in the admin console (Tools > Settings > Printing). Just a heads up, doing this will prevent secure printing and pull printing options from being used, which could be a drawback. We have around 7,500 users and generally haven't faced this issue, though.
I can relate to that frustration! It’s odd that this hasn’t been brought up in other setups. Hopefully, Vasion will address this soon, but until then, your script seems like a solid workaround.