New book: MCITP Self-Paced Training Kit (Exam 70-646): Windows Server 2008 Server Administrator (2nd Edition)

649095cvr.inddWe’re pleased to announce that MCITP Self-Paced Training Kit (Exam 70-646): Windows Server® 2008 Server Administrator (2nd Edition) (ISBN 9780735649095; 752 pages) is available for purchase here, here, and here.

Fully updated for Windows Server 2008 R2, this 2-in-1 Training Kit delivers preparation plus practice for MCITP Exam 70-646. Ace your exam prep—and build job skills—with hands-on lessons, practice tests, and other resources.

Windows Server 2008 R2 builds on the award-winning foundation of Windows Server 2008, expanding existing technology and adding new features to enable organizations to increase the reliability and flexibility of their server infrastructures. New virtualization tools, Web resources, management enhancements, and exciting Windows 7 integration help save time, reduce costs, and provide a platform for a dynamic and efficiently managed data center. Powerful tools such as Internet Information Services (IIS) version 7.5, updated Server Manager and Hyper-V™ platforms and Windows PowerShell® version 2.0 combine to give customers greater control, increased efficiency, and the ability to react to front-line business needs faster than ever before.

A server administrator is responsible for the operations and day-to-day management of an infrastructure of Windows Server 2008 R2 servers for an enterprise organization. Windows server administrators manage the infrastructure, Web, and IT application servers. MCITP candidates are IT professionals capable of deploying, building, designing, optimizing, and operating technologies for a particular job role. They make the design and technology decisions necessary to ensure successful technology implementation projects.

 

Contents at a Glance

Introduction
CHAPTER 1 Installing, Upgrading, and Deploying Windows Server 2008 R2
CHAPTER 2 Infrastructure Services Planning
CHAPTER 3 Planning Core Active Directory Infrastructure
CHAPTER 4 Group Policy Strategies
CHAPTER 5 Planning Server Administration
CHAPTER 6 Presentation and Application Virtualization
CHAPTER 7 Provisioning File and Print Servers
CHAPTER 8 Planning Security Policies
CHAPTER 9 Remote Access and Network Access Protection
CHAPTER 10 Provision Data and Plan Storage
CHAPTER 11 Clustering and High Availability
CHAPTER 12 Performance Evaluation and Optimization
CHAPTER 13 Backup and Recovery
Appendix Setup Instructions for Exercises and Labs
Answers
Index

 

Chapter 7: Provisioning File and Print Servers (Excerpt)

 

This chapter looks at the Print and Document Services and File Services server roles
and describes how you can plan to meet your organization’s printing, file storage, and
access security needs. It discusses printer publishing and availability and looks at access
permissions for both printers and files. The chapter covers file quotas and availability and
describes how you can plan the deployment of the BranchCache For Network Files feature
in both Distributed and Hosted Cache mode.

Exam objectives in this chapter:

  • Plan file and print server roles.

 

Lessons in this chapter:

 

  • Lesson 1: Planning Print Services Management 301
  • Lesson 2: Planning File Servers 320

Before You Begin

To complete the exercises in the practice session in this chapter, you need to have done the
following:

  • Installed a server called VAN-DC1 running Windows Server 2008 R2 Enterprise that
    is configured as a domain controller in the Adatum.com domain, as described in
    Exercise 1 of the Appendix, “Setup Instructions for Windows Server 2008 R2.”
  • Optionally installed a server called VAN-SRV1 running Windows Server 2008 R2
    Enterprise that is configured as a member server in the Adatum.com domain, as
    specified in Exercise 2 of the Appendix. This server is not required to carry out the
    practices in this chapter, but you may want to use it if you are trying out the new
    BranchCache For Network Files feature.
  • Created a user account in the Adatum.com domain with the user name Kim Akers
    and password Pa$$w0rd, and added this account to the Domain Admins, Enterprise
    Admins, and Schema Admins groups. This procedure is described in Exercise 1 of the
    Appendix.
  • We recommend that you use an isolated network that is not part of your production
    network to do the practice exercises in this book. Internet access is not required for the
    exercises, and you do not need to configure a default gateway. To minimize the time
    and expense of configuring physical computers, we recommend that you use virtual
    machines. For example, you can create virtual machines using the Hyper-V server role.

REAL WORLD

Ian McLean

In July 1993, Microsoft introduced the new technology file system (NTFS). This
was a remarkable development in its time. With its advent, folders and files could
be protected from interactive as well as network users, and protection could be
implemented at file level rather than folder level. I won’t go into the many other
developments that NTFS enabled—this isn’t a history book—but I know that I have
lost data on NTFS disks far less often than on FAT disks. However, NTFS was not unalloyed good news, particularly for a network engineer
(me) who was studying for his first MCSE at the time. NTFS introduced a level of
complexity in calculating user permissions that almost guaranteed examination
failure to those who couldn’t quite understand how permissions interacted,
particularly when the old No-Access permission was replaced by the more granular
Deny. Software was developed for determining resultant user permissions, but you can’t
take that into the examination room. My solution was much simpler. I drew three
rectangular boxes next to each other. I marked the right box “File,” the middle box
“Folder,” and the left box “Share.” Then I wrote in the NTFS permissions a user had on a file, and the permissions that
the same user had on the folder that contained the file. File overrides folder, so
I had my resultant NTFS permissions. If I were logged on locally, those were my
permissions on the folder. I wrote the shared folder permission into the Share box.
If I were accessing remotely, my permissions would be more restrictive between
share and resultant NTFS. I had worked out my user permission. I used this technique in exams and in my profession. When I became an MCT,
I taught it to my students, and rectangular boxes appeared on whiteboards
throughout the land. It’s a simple technique. Some have even called it dumb.

It works. Try it.

 

Lesson 1: Planning Print Services Management

As far as the users in your organization are concerned, one of the major functions they require from a computer network is the ability to print files easily and without fuss. You need to publish printers so that your users can print to them, while at the same time controlling the use of expensive printing assets. You need to plan your print infrastructure so that urgent print jobs are completed quickly while large, non-urgent print jobs are done outside normal working hours. This lesson looks at the Print and Document Services server role and how you manage availability and access permissions and publish printers.

After this lesson, you will be able to:

  • Install the Print and Document Services server role and install and manage printers and print drivers.
  • Manage printer access permissions and printer availability.

Estimated lesson time: 35 minutes

Planning the Print and Document Services Server Role

As an experienced administrator, you will almost certainly be familiar with administering printers and print devices. What is new in Windows Server 2008 R2 is that the Print Services server role, introduced in Windows Server 2008, is now the Print and Document Services server role. You need to install this server role on a server to create a print server. You will install this role in the practice later in this lesson. The Print Management console has been enhanced in Windows Server 2008 R2 and is described in this lesson.

The Print and Document Services server role lets you manage print servers and printers. If you configure a server running Windows Server 2008 R2 as a print server, you reduce administrative and management workload by centralizing printer management tasks through the Print Management console.

By default, installing the Print and Document Services server role installs the Print Server role service, which lets you share printers on a network and publish them to Active Directory Directory Services (AD DS). If you want, you can install the Line Printer Daemon (LPD), which lets you print to printers connected to a UNIX server; the Distributed Scan Server role service (new to Windows Server 2008 R2), which you use to communicate with scanners that support Web Services on Devices (WSD), run scan processes, route scanned documents, and log scan-related events; and Internet Print, which lets you use a web interface to connect to and manage printers.

NOTE PRINTERS AND PRINT DEVICES
A print device is a physical device that prints hard copy. A printer controls a print device. You can install several printers connected to a single print device and set different access permissions and schedules for different users. For example, if you have an expensive color print device, you might want to allow access to ordinary users only outside of normal working hours, but allow access at any time to the Managers security group. You can do this by creating two printers, both connected to the print device.

Planning the Print and Document Services server role involves analyzing current and required printing needs within an organization and configuring printer scheduling and access permissions. Do you have a department that sends very large but non-urgent jobs to a print device? In this case, you need to configure a printer that sends such jobs to a print device outside of office hours.

Does everyone in your organization need to print in color? If you give people the opportunity to print in color, they are likely to do so whether they need to or not. You cannot prevent users from habitually clicking Print several times whenever they want to print a document, or from printing out all their email messages. You can, however, set up auditing to detect high printer usage and identify those users with bad printing habits. As this book states in several places, an administrator needs to be able to solve people problems as well as technical problems.

Some of your planning decisions will be practical and pragmatic. It might be a good idea to have a print device with multiple input trays for special paper types, but it is probably a bad idea to use this device for general-purpose printing. A print device that stops and flashes an error message, thus blocking other jobs in the print queue, whenever a user specifies the wrong size of paper (which could happen easily and frequently) is also a bad choice for general printing needs. Also, you should consider using a printer pool—where a single printer controls several print devices—if you need to provide high availability of print devices.

Managing Printer Entities
If the Print and Document Services server role is installed on your server, you can manage the following entities:

  • Print queue A print queue is a representation of a print device. Opening a print queue displays the active print jobs and their status. If a print job at the head of the queue is not being processed (possibly because an incorrect paper size is specified), you can delete this job and allow the remainder of jobs in the queue to be processed.
  • Print spooler service A print server has a single print spooler service. This manages all the print jobs and print queues on that server. Typically, the print spooler service starts automatically. If, however, the service has stopped for any reason, you need to restart it. A symptom of this is a print job at the head of a queue that is not being processed but cannot be deleted.
  • Printer driver A print queue requires a printer driver to print to a print device. You need to ensure that the print driver exists on your print server, is working correctly, and is up to date.
  • Network printer port A printer driver uses a network printer port to communicate with a physical device across a network. These ports may, for example, be TCP/IP printer ports, Line Printer Remote (LPR) ports, or standard COM and LPT ports.
  • Print server cluster Printing is typically a mission-critical operation and you might choose to cluster your print servers to ensure high availability and failover support. Chapter 11, “Clustering and High Availability,” discusses cluster administration.

Publishing Printers

If you share a printer on a network but do not publish it in Active Directory, users then need to know its network path to use it. If you do publish the printer in Active Directory, it is easier to locate. If you decide to move a printer to another print server, you do not need to change the settings on clients—you only need to change its record in Active Directory.

If a printer is shared but not published, you can publish it by selecting the List In The Directory check box on the Sharing tab of the printer’s Properties dialog box, shown in Figure 7-1.

image
FIGURE 7-1 Publishing a printer

If you add a printer on a print server running Windows Server 2008 R2 and share it, the printer is published automatically, provided that the Group Policy settings called Automatically Publish New Printers In Active Directory and Allow Printers To Be Published
are enabled. Figure 7-2 shows the Allow Printers To Be Published setting. A published printer needs to be shared. If you stop sharing the printer, it is no longer published.

image
FIGURE 7-2 Allowing printers to be published

Using Windows Server 2008 R2 Print Enhancements
Windows Server 2008 R2 provides users with enhanced printer and Print and Documents Services server role performance through the use of XML Paper Specification (XPS) documents, print paths, and printer drivers. It provides improved Print Management tools and, in particular, enhances the Print Management console. It also provides built-in support for WSD. It enhances efficiency and reduces the processing load on the Print Server and Documents server by performing print rendering on clients.

XPS Documents
Windows Server 2008 R2 integrates XPS throughout the print subsystem. This provides an enhanced level of efficiency, compatibility, and document quality. The XPS Document format is based on a fixed-layout document technology. The Microsoft XPS and Open Packaging Conventions (OPC) define the format, and these specifications are built on industry standards, such as XML and ZIP.

The XPS Document format provides broad platform support and is standard with Windows
Vista. It is also supported by Microsoft .NET Framework 3.0 in Windows XP, Windows Vista,
Windows 7, and Windows Server 2003. Cross-platform solutions are made possible by
the open specifications. Many vendors of print and scan products are already developing
solutions around XPS technologies to take advantage of the performance available and
quality improvements to both .NET Framework 3.0 and Win32 applications.

XPSDrv printer drivers use a modular architecture that allows them to process documents
in the print queue more efficiently. Windows Server 2008 R2 XPSDrv printer drivers use an
architecture that extends the existing driver infrastructure with new features and capabilities
while retaining compatibility with existing printers and applications. The XPSDrv printer driver
architecture provides the following features:

  • It supports Windows Presentation Foundation (WPF) and is also compatible with
    Win32-based applications.

MORE INFO WPF
For more information about WPF, access
https://msdn.microsoft.com/en-us/library/ms754130.aspx and follow the links.
Be aware, however, that the examination is unlikely to ask in-depth questions on this topic.

    • It allows you to include custom filters that perform such functions as adding a

 

  • corporate watermark or implementing quota management and print job accounting.
  • It enables independent hardware vendors to share common functionalities between
    similar driver models. This can improve the reliability of driver components and
    enhance print server driver post-processing by supporting the reuse of common
    printer driver components.

The print architecture gives existing applications the ability to use features that can be
found only in the XPSDrv printer drivers. New applications that are written to use the .NET
Framework 3.0 and .NET Framework 3.5 can take advantage of all the features that are
offered throughout the print path.

XPSDrv printer drivers provide your users with better print quality. The drivers are not
limited to using only the graphics device interface (GDI) processing functions. This enables
them to process graphics in alternate color spaces and to use higher-performance graphics
libraries that were not available to the older, GDI-based printer drivers.

Print Paths
Windows Server 2008 R2 supports the XPS print paths that use the XPS Document format throughout the print path from the application to the printer. This makes it possible to achieve true WYSIWYG print output. Print paths in Windows Server 2008 R2 provide the following advantages:

  • They eliminate the file format conversions that are common with GDI-based printer drivers. This improves print performance and printed output quality, and helps reduce the overall size of spool files.
  • They provide support for advanced color spaces and technologies in the printer driver components.
  • They use 32-bit-per-channel color and CMYK color space. CMYK refers to the four inks used in some color printing: cyan, magenta, yellow, and key black.
  • They provide direct support for transparencies and gradients.
  • They implement conversion print paths to support existing applications and printer drivers.

 

The Print Management Console

Print and Document Services in Windows Server 2008 R2 enables you to share printers on a network and centralize print server and network printer management tasks by using the Print Management MMC snap-in. This console, shown in Figure 7-3, helps you monitor print queues and receive notifications when print queues stop processing print jobs. It also enables you to migrate print servers and deploy printer connections using Group Policy. You access the Print Management console by clicking Print Management on the Administrative Tools menu. Note that this tool is not available unless you have installed the Remote Server Administration Tools (RSAT) or have installed the Print and Document Services server role. You install this server role in a practice later in this chapter.

image
FIGURE 7-3 The Print Management console

The enhanced Windows Server 2008 R2 Print Management console includes support for
print server migration from Windows 2000 Server and Windows Server 2003 to Windows
Server 2008 R2. It also features an improved Network Printer Installation Wizard, which
reduces the number of steps that you need to perform when adding network printers.
The wizard automatically locates printers and installs the appropriate printer driver if this is
available.

Quick Check

  • What three features does the XPSDrv printer driver architecture provide
    in Windows Server 2008 R2?

Quick Check Answer

  • It supports WPF.
  • It allows you to include custom filters that perform such functions as adding
    a corporate watermark or implementing quota management and print job
    accounting.
  • It enables independent hardware vendors to share common functionality
    between similar driver models.

Web Services on Devices (WSD)
Windows Server 2008 R2 provides built-in support for WSD, which is a set of protocols for
accessing and controlling services on network-connected devices. WSD makes it easier to
connect, install, and use printers. Microsoft is working in collaboration with several printer
manufacturers to support this protocol in its devices.

Improving Scalability
To reduce the processing load on the computer running the Print and Document Services
server role, print rendering is performed on the client (in particular, on clients running
Windows Vista). In some cases, performing print rendering on the client considerably reduces
network bandwidth. The size of this reduction in bandwidth depends on the print job content
and the Page Description Language (PDL).

The print spooler in Windows Server 2008 R2 uses remote procedure calls (RPCs) to
communicate between the client and the server. Windows Server 2008 R2 significantly
reduces the number of separate processing threads required for RPCs. This can greatly
enhance performance in medium- to large-scale print environments.

MORE INFO PRINT MANAGEMENT
For more information about Print Management on computers running Windows Server
2008 R2, and also on computers running Windows Vista and Windows 7, access

https://technet.microsoft.com/en-gb/library/cc766474.aspx and follow the links.

Managing Printers with the Print Management Console
The Print Management console is installed as part of the Print and Document Services server role in Windows Server 2008 R2. You can also install it by opening Server Manager, clicking Features in the console tree, and then clicking Add Features. You then expand Remote Server Administration Tools, expand Role Administration Tools, and select the Print And Document Services Tools check box. Click Next, and then click Install. Click Close when the tool is installed.

The Print Management console lets you implement single-seat administration in a large organization that has a number of print servers (typically a large number). When you have installed the Print Management console as part of RSAT (it is also installed by default when you add the Print and Document Services role), you can open it from the Administration Tools menu or from within Server Manager. When you have installed the Print Management console, you need to configure it to identify the printers and print servers that you want to manage. You can add printers manually, or you can scan the network to identify printers automatically by clicking Printers on the Print Management console tree, as shown in Figure 7-4.

image
FIGURE 7-4 Scanning for printers automatically in the Print Management console

You can add a print server to the Print Management console by right-clicking Print Servers and selecting Add/Remove Servers. You can add new printers to a Windows Server 2008 R2 network by using the Add Printer wizard that was available in previous Windows versions. In Windows Server 2008 R2, this has been renamed the Network Printer Installation Wizard. The Print Management console gives you the option of running this wizard on a remote print server in both Windows Server 2008 and Windows Server 2008 R2; previously, you needed to run it locally.

To start the Network Printer Installation Wizard within the Print Management console, expand Print Servers and right-click the print server that you want to host the printer. Then click Add Printer, as shown in Figure 7-5, and follow the steps of the wizard. The Network Printer Installation Wizard lets you install a printer that is on a remote print server.

image
FIGURE 7-5 Accessing the Network Printer Installation Wizard

If you have added remote print servers to the Print Management console and configured printers on these servers, you can view, manage, and administer these printers and print servers centrally. Some of the tasks that you now can perform from the Print Management console, such as changing printer ports, adding or modifying forms, and viewing the status of printers, you previously had to carry out locally on a print server. Other tasks on the Print Management console are new, including creating custom printer filters that allow you and other administrators to view and manage selected printers based on their site, rights, and roles. The procedure to create a printer filter is described in the next section.

Creating a Printer Filter and a Print Driver Filter
Printer filters are used to display only those printers that meet specified criteria. You can create custom printer filters that filter by manufacturer or by printer type (such as laser, color laser, and plotter). This lets you view assets by make, model, location, or configuration. For example, you could set a filter to display all the printers in a single building, regardless of the print server they use.
The Print Management console provides two default filters named Printers Not Ready and Printers With Jobs. When you create a new custom filter, you have the option to set up an email notification or to run a script when the conditions of the filter are met. The procedure to create a custom printer filter is as follows:

1. Open the Print Management console.
2. Right-click Custom Filters. Click Add New Printer Filter. This starts the New Printer Filter Wizard.
3. On the Printer Filter Name And Description page, specify a name for the printer filter. This name will appear in the Custom Printer Filters folder in the Print Management console tree.
4. If you want, type a description.
5. If you want to display the number of printers that satisfies the conditions of a filter, select the Display The Total Number Of Items Next To The Name Of The Filter check box.
6. The Filter Name And Description page should look similar to Figure 7-6. Click Next.

image
FIGURE 7-6 The Filter Name And Description page

7. On the Define A Printer Filter page, specify a printer status characteristic or print queue on the Field list. Specify a Condition and a Value for that condition, as shown in Figure 7-7. Click Next.

image
FIGURE 7-7 Defining a filter
8. If you want, on the Set Notifications (Optional) page, set an email notification, set
a script to run, or specify both. Click Finish.
9. Click the name of the filter that you created in the Custom Filters container, as shown
in Figure 7-8. View the list of printers in the middle pane.

image
FIGURE 7-8 Viewing the printers specified by a printer filter

Similarly, you can use the Print Management console to create custom print driver filters
that display only those print drivers that meet a certain set of criteria. The procedure for
creating a custom print driver filter is almost identical to that for creating a custom printer
filter, except that in step 2 you right-click Custom Filters and click Add New Driver Filter. You
specify a name and (if you want) a description, and then select whether to display the number
of items next to the filter.

As with a printer filter, you configure the print driver filter by specifying Field, Condition,
and Value, and you have the option of configuring an email notification, running a script, or
both.

EXAM TIP
Custom filters are new to the Print Management console and can be configured only on
print servers running Windows Server 2008 or Windows Server 2008 R2.

Quick Check

  • What are the two default filters provided by the Print Management console in
    Windows Server 2008 R2?

Quick Check Answer

  • Printers Not Ready and Printers With Jobs

Managing Drivers, Ports, Forms, and Printers
You can expand any of the print servers listed in the Print Management console tree and manage drivers, ports, forms, or printers. You can also add a driver, a port, or a printer.

When you right-click Drivers and click Manage Drivers, this opens the Properties dialog box for the print server with the Drivers tab selected, as shown in Figure 7-9. You can add a new driver, remove a driver, or view the properties of any driver in the list.

image
FIGURE 7-9 The Drivers tab of the Print Server Properties dialog box

When you right-click Ports and click Manage Ports, this opens the Properties dialog box for the print server with the Ports tab selected, as shown in Figure 7-10. You can delete an existing port, add a new port, or configure a selected port. To configure a port, click Configure Port, enter a value (in seconds) for the transmission timeout retry interval, and then click OK.

When you right-click Forms and click Manage Forms, this opens the Properties dialog box for the print server with the Forms tab selected. When you select the Create A New Form check box, you can give the form a name and specify paper size and print area margins, as shown in Figure 7-11. When you are satisfied with your configuration, you click Save Form to create the form. Note that the Delete button becomes active only if you have already saved one or more custom forms and select a custom form on the Forms tab. You cannot delete standard forms from this tab.

image
FIGURE 7-10 The Ports tab of the Print Server Properties dialog box

image
FIGURE 7-11 The Forms tab of the Print Server Properties dialog box

When you right-click Printers under a print server, you can add a printer or show or hide Extended view. If you choose to show Extended view, then more details are given for any printer that you select in the Print Management console. You can view the print jobs currently running on the printer and access the printer Web page (if one exists). Figure 7-12 shows Extended view details for a selected printer.

image
FIGURE 7-12 Showing Extended view

You can also access the Properties dialog box for a print server by right-clicking the server in the Print Management console tree and clicking Properties. By default, this accesses the Advanced tab, shown in Figure 7-13. On this tab, you can change the location of the print spool folder and select whether an audible warning will be generated if an error is detected on a remote document and whether to show informational notifications for local printers, remote printers, or both.

image
FIGURE 7-13 The Advanced tab of the Print Server Properties dialog box

Planning and Managing Security and Access Permissions
To secure a print server and control access to specific printers, you must consider what rights users and groups should have. As an experienced administrator, you have probably configured permissions for both files and printers. You should be aware that you should grant permissions to groups rather than individual users, and you should use explicit Deny permissions as sparingly as possible.

You have probably dealt with the situation where a user who should have access to a printer does not and (more difficult to diagnose) where a user who should not have access to a printer does. Setting permissions and debugging permission configuration are common administrative tasks.

Planning permissions is a much more difficult task. Should you configure two print drivers for an expensive print device, so that the Managers security group has full-time access while the Everyone security group has access only at off-peak times? How should you plan access to color printers or A3 printers? What type of auditing and monitoring should you set up so you can identify users with bad printing habits (such as sending a job to a printer several times if it does not immediately appear on the print device)? Should you use printer pools to handle heavy print traffic?

EXAM TIP
Remember that you can have several printers controlling a single print device and giving different groups different levels and times of access. You can also have several print devices controlled by a single print driver so that they form a printer pool.

The Security tab of the Print Server Properties dialog box lets you configure access settings for all printers on the print server, as well as to the print server itself. You are probably aware of the print permissions available, but they are listed here to remind you:

  • Print This permission is assigned to the Everyone group by default. The user can connect to a printer and send documents. Members of the Administrators, Print Operators, and Server Operators groups also have explicit Print permission.
  • Manage Documents This permission is assigned explicitly to members of the Creator Owner group and is the only permission assigned to that group. Members of the Administrators, Print Operators, and Server Operators groups are granted the Manage Documents permission but are also granted the Manage Printers permission. The user can pause, resume, restart, cancel, and rearrange the order of documents submitted by all other users. A user who has only the Manage Documents permission, however, cannot send documents to the printer or control the status of the printer.
  • Manage Printers This permission is assigned to members of the Administrators, Print Operators, and Server Operators groups. The user can perform the tasks associated with the Print permission and has complete administrative control of the printer. The user can pause and restart the printer, change spooler settings, share a printer, adjust printer permissions, and change printer properties.

The Security tab of the Print Server Properties dialog box also lets you assign permissions to the server itself. The View Server permission allows a user to view the print server. Without the View Server permission, a user cannot see printers that are managed by the server, and for this reason, this permission is given to members of the Everyone group.

The Manage Server permission lets users create and delete print queues (with already installed drivers), add or delete ports, and add or delete forms. By default, the Administrators, Server Operators, and Print Operators groups are granted this permission. A standard user who is granted this permission is called a delegated print administrator.

MORE INFO ASSIGNING DELEGATED PRINT ADMINISTRATOR AND PRINTER PERMISSION SETTINGS
For more information about delegating print server management, see
https://msdn.microsoft.com/en-us/library/ee524015(WS.10).aspx .

 

Figure 7-14 shows the Security tab of the Print Server Properties dialog box and the permission settings for the Everyone group. A group or an individual user can be specifically allowed permission, although as a best practice individual users should inherit permissions through group membership.

image
FIGURE 7-14 The Security tab of the Print Server Properties dialog box

A user or group can also be specifically denied permission. A user who has been specifically denied a permission, or who is a member of a group that has been specifically denied a permission, cannot be granted the permission through being a member of other groups. For this reason, the explicit Deny permission should be used as seldom as possible, and any instance should be documented carefully.

If appropriate, you can grant special permissions to a user or a group by allocating a non-standard combination of the available permissions. To confer special permissions to a user or security group, select the user or group in the Security tab and then click Advanced. The Advanced Security Settings dialog box, shown in Figure 7-15, allows you to configure permissions for a listed group or user by selecting the group or user and clicking Edit. You can also add a group or user and edit its permissions.

image
FIGURE 7-15 The Advanced Security Settings dialog box

In addition to granting permissions on a print server, you can configure permissions on an individual printer. Permissions specifically configured at the printer level override permissions inherited from the print server configuration. You can assign Print, Manage Documents, and Manage Printers permissions to groups or users, and you can configure and assign special permissions. As with all permission configurations, it is good practice to confer permissions to groups rather than individual users and to be very sparing in the use of explicit Deny and special permissions. The Security tab of a printer’s Properties dialog box is shown in Figure 7-16.

image
FIGURE 7-16 The Security tab of a printer’s Properties dialog box

Lesson Summary

  • When you install the Print and Document Services server role, you can install and manage printers and print drivers, add and manage ports, and configure forms.
  • The Print Management console provides single-seat management of printers on remote print servers on your network.
  • You can configure printer and server permissions on the Print Server Properties dialog box. You can configure permissions to an individual printer on the printer’s Properties dialog box.

Lesson Review

 

You can use the following questions to test your knowledge of the information in Lesson 1, “Planning Print Services Management.” The questions are also available on the companion CD if you prefer to review them in electronic form.

NOTE ANSWERS
Answers to these questions and explanations of why each answer choice is correct or incorrect are located in the “Answers” section at the end of the book.

1. When you install the Print and Document Services server role, you can use the Print Management console to carry out a number of jobs remotely that previously you needed to do locally on the print server that held the printer. The console also introduces features that were not available in Windows versions earlier than Windows Server 2008. Which of the following tasks is new to the Print Management console?

A. Changing printer ports
B. Viewing the printer status
C. Adding or modifying forms
D. Creating custom printer filters

 

2. Which permission, assigned by default to the Creator Owner security group, allows a user to pause, resume, restart, cancel, and rearrange the order of documents submitted by all other users, but does not permit the user to send documents to the printer or control the status of the printer?

A. Print
B. Manage Documents
C. Manage Printers
D. Manage Server

 

3. Jeff Hay is a standard user. You want him to be a delegated print administrator on the print server DEN-PRS1. What permission do you grant him?

A. Manage Server
B. View Server
C. Manage Documents
D. Manage Printers

 

4. If you add and share a printer on a print server running Windows Server 2008 R2, the printer is published automatically, provided that two Group Policy settings are enabled. What are these settings? (Each answer forms part of the solution. Choose two.)

A. Disallow Installation Of Printers Using Kernel Mode Drivers
B. Always Render Print Jobs On The Server
C. Automatically Publish New Printers In Active Directory
D. Pre-Populate Printer Search Location Text
E. Allow Printers To Be Published