Tech Tip: Let users manage services/Publish printers in Active Directory

See how to grant an additional group of users the ability to manage services, and learn how to include printers hosted by stand-alone computers in Active Directory.

Control users' ability to manage services

In Windows 2000, members of the Administrators and Power Users groups can start, stop, pause, and resume services. In most situations, this security restriction is fine. Users generally don't require the ability to manage services on their own computers.

In some situations, however, you might want to grant an additional group of users the ability to manage services. One of the easiest ways to grant users the rights to manage services is to configure group policy settings. You can configure these rights at the site, domain, and OU levels; however, the policies aren't available at the local level.

To configure these rights, edit the group policy object from the Active Directory Users And Computers console. Follow these steps:

  1. Browse to the Computer Configuration | Windows Settings | Security Settings | System Services branch.
  2. Double-click the service whose policy you want to configure.
  3. Select the Define This Policy Setting check box, and choose the Startup mode.
  4. Click Edit Security, add the user or group, and grant the Start, Stop, and Pause permission to the newly added user or group.
  5. Make sure the System account has Full Control, and click OK.

Repeat this process for any other services as needed.
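One way to confirm what the policy actually applied is to read the service's security descriptor back (for example with `sc sdshow <service>`, where that command is available) and check it against the intent of steps 4 and 5. The Python audit below is an added example, not part of the original tip; the SDDL strings and the group SID are constructed samples, and it evaluates ACEs per trustee without resolving group membership.

```python
import re

# SDDL right codes as access-mask bits for service objects.
BITS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
        "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
        "WD": 0x40000, "WO": 0x80000}
FULL = 0xF01FF                                   # SERVICE_ALL_ACCESS
CONTROL = {"Start": 0x10, "Stop": 0x20, "Pause": 0x40}
RISKY = BITS["DC"] | BITS["WD"] | BITS["WO"]     # reconfigure or re-ACL the service

# Constructed samples: GROUP is a made-up domain group SID.
GROUP = "S-1-5-21-1111111111-2222222222-3333333333-1105"
GOOD = ("D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
        "(A;;CCLCSWRPWPDTLOCRRC;;;" + GROUP + ")(A;;CCLCSWLOCRRC;;;IU)"
        "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
BAD = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)"

def to_mask(rights):
    """Convert an ACE rights field (letter codes or 0x hex) to a bit mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for code in re.findall("..", rights):
        mask |= FULL if code == "GA" else BITS.get(code, 0)
    return mask

def effective_masks(sddl):
    """Map trustee -> rights from allow ACEs minus deny ACEs in the DACL."""
    dacl = sddl.partition("D:")[2].partition("S:")[0]   # ignore the SACL
    allow, deny = {}, {}
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        f = ace.split(";")              # type;flags;rights;obj;inherit;trustee
        if len(f) >= 6 and f[0] in ("A", "D"):
            table = allow if f[0] == "A" else deny
            table[f[5]] = table.get(f[5], 0) | to_mask(f[2])
    return {t: m & ~deny.get(t, 0) for t, m in allow.items()}

def audit(sddl, delegate):
    """Report what the delegate got, SYSTEM's access, and risky grants."""
    masks = effective_masks(sddl)
    got = masks.get(delegate, 0)
    return {
        "delegate_can": sorted(n for n, b in CONTROL.items() if got & b),
        "system_full_control": (masks.get("SY", 0) & FULL) == FULL,
        "risky_trustees": sorted(t for t, m in masks.items()
                                 if t not in ("SY", "BA") and (m & RISKY)),
    }

if __name__ == "__main__":
    print(audit(GOOD, GROUP), audit(BAD, "AU"), sep="\n")
```

A non-empty `risky_trustees` list means a trustee other than SYSTEM or Administrators can change the service's configuration or permissions, which goes beyond the Start, Stop, and Pause rights the steps above grant.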

You can also control service policies using security templates or the Subinacl tool (included with the Windows 2000 Resource Kit). For details on these two methods, as well as a script you can use to automate multiple changes, check out Microsoft Knowledge Base article 288129.

Publish printers in Active Directory

While users can browse the network for printers, publishing printers in Active Directory can make it easier for users to identify printers by location, function, responsible party, and so on. In a very large network, publishing printers to Active Directory can really simplify printer access as well as printer management.

By default, Active Directory includes any printer shared on an active domain member. In some cases, however, you might want to include printers hosted by stand-alone computers.

To do so, right-click the organizational unit in which you want to publish the printer, and choose New | Printer. In the New Object-Printer dialog box, enter the UNC path to the print share, and click OK. Along with the print share name, you can use the IP address of the server or the host name in the UNC path.

In some cases, you might want to explicitly prevent a printer from appearing in Active Directory. For example, let's say you've restricted a printer to a small number of users. Publishing this printer in Active Directory will generate too many requests from unauthorized users to print to the printer.

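To remove a printer from the directory, open the printer's properties. On the Sharing tab, deselect the List In The Directory check box, and click OK to apply the change. This only stops the printer from being listed in Active Directory; who can actually print to it is still determined by the permissions set on the printer itself.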
