Saturday, October 3, 2009

Vista Printer Sharing

Howto: Enable Vista peer-to-peer printer sharing without exposing a desktop login. This article is targeted mainly to Windows Vista but the concepts also work in XP. (Side-image from "The Office Space").

I have this problem: My teenage daughters have their own computers and they need to print to a shared printer on my machine. Is there a way to expose the printer without giving them a login-account on my desktop? This article shows how to do this but it has a drawback where file-shares are more exposed than you would like. The end of this article describes a better solution.

Review: Microsoft's Default Method

In peer-to-peer home networks, Microsoft recommends building matching user accounts on each machine. For this to work, the user-ID's and passwords on all computers must be identical. In other words, if you make a login-account called "Bob", that same name must be used on both the sharing and share-er's computer.

Create login accounts:
1. Other-mouse-click "My Computer" (on the desktop or in Windows Explorer), choose "Manage".
2. Tunnel to "Local Users and Groups"; select Users. (optionally, go to Control Panel, Users)
3. In the detail-side, "other-mouse-click" in a blank area, choose "new user". Create a new user.

Both the user-name and password must be the same on both computers. If a password is changed on one computer but not the other, printer and file-sharing will fail.

Sharing the Printer:

On the Master computer, open the "Network and Sharing Center" control panel.
In the Sharing and Discovery section:

Confirm "Network Discovery" is on
Confirm "Printer Sharing" is on

Share the Printer: On the Master computer:
  • Open the printer control panel
  • Other-mouse-click the printer and choose "Sharing".
  • Click "Share this printer" and give it a friendly name of your choosing.
Using the Shared Printer: From the other computer's printer control panel, other-mouse-click and choose "Add a printer." Add a 'Network' printer, tunneling to your workgroup and selecting the master computer. Naturally, this assumes the workstation had logged into the desktop with one of the synchronized accounts and it assumes the Master computer is turned on.

The Problem:

The drawback to this method is this: With the newly-added accounts, my untrustworthy and virus-prone daughters can log on to my desktop whenever they want because their login-ID now appears on login screen. I nag, "you have your own computer", to which they reply, "yours is turned on and I just need to finish playing this game."

The Solution:
Allow printer sharing without exposing the login account.

From the Master computer, return to the "Local Users and Groups" management screen and disable the new user accounts:

1. Other-mouse-click "MyComputer", "Manage",
tunnel to Local Users and Groups.
2. Other-mouse-click the new user, choose Properties
3. Mark the account as "Disabled"

(Be sure to disable the new accounts and not your account -- and be sure you do this only on the Master computer -- not on the remote computers.)

While still on the Master computer, go to the "Network and Sharing Center" control panel. Open "Password Protected Sharing" and turn off Password-protected sharing.


With this, the teenagers can no longer log onto my computer's desktop (the account is disabled) -- but they can still print to the shared printer. As a matter-of-fact, anybody who can get on the network can print to the printer. This is good if your brother shows up at the house with his own laptop and needs to print. It also means your neighbors can print on your printer too -- Make sure your wireless router blocks unauthorized traffic!

Unfortunately, Microsoft coupled both the File and Printer sharing with this same setting. Ideally, printers could be left wide-open while file-shares would still require passwords (administrative shares are secure either way). Microsoft could have, but did not, provide an even better solution: Have a flag that allows the account to exist but does not allow it to log on to the desktop.

In my house, file-shares only expose relatively un-important data, such driver downloads, software patches, homework directories and the like. If you do not have explicit file-shares, this is moot.

Better Solution:

Building user-accounts and synchronizing passwords on each workstation is a pain. Microsoft's marketing department made sure peer-to-peer networking was a little cumbersome and that is why they sell servers with Active Directory accounts.

A better solution is to use network-attached printers, where you hook the printer to the network instead of the computer's USB port. With this, you do not have to "share" the printer and even if the Master computer is off, people can still print.

Many newer printers come with built-in network cards but if you have an older (or cheaper) printer, consider using an external print server. External Print Servers are small electronic devices which have a network cable (or a wireless connection) at one end and a USB or Parallel-port connection on the other. I like this idea because you can move the print server to other printers, even if they don't have a network interface.

In my house, the color printer uses a External Print Server but the laserjet is still hooked directly to the main computer. But with all of the problems the kids have had with printing (passwords, computers turned off, etc.), I'm thinking about converting both to these external print servers.

There is one problem I've noted with the print servers: You will not be able to run printer diagnostics or check ink-levels: These functions, at least with the printer's I've worked with, are only available when the printer is directly attached to the USB port. This has not been a problem for me because all of these functions are available on the printer's front panel or I can quickly string a temporary cable. Your printers may not have these issues and may have more advanced features -- especially if the network-card is built-into the printer. Your comments on this would be welcome.

In general, my feeling is a network-attached printer or an external print server is the way to go and this product category solves a lot of problems. They make both wired and wireless versions of these devices; I prefer the wired-versions because they are simpler and there is less that can go wrong. Here are some products to consider and these will only work on standard, non-multi-function printers:

IOGear USB 2.0 GPSU21 ($40; USB only)
NetGear PS101 Mini Print Server ($45; parallel port only; no USB)

My current print server is an old HP JetDirect 175 print server that I bought used. Although this is a great device, HP wants a ton of money ($200) and it just isn't worth it; I would consider one of these other devices.

Be sure to look at Amazon's customer reviews. You will find a curious mix of love and hate with some people having insurmountable problems and others saying it worked flawlessly. Conceptually, these devices are very simple and like my HP Print Server, once setup, they should require little to no maintenance. One thing is for sure: Give the print server a fixed IP-address and do not allow it to use DHCP.

I would like to hear your experiences.

No comments:

Post a Comment

Comments are moderated and published upon review.