Choose your language

Choose your login

Support

How can we help?

Lightbulb icon
Lightbulb icon

Here’s your answer

Sources:

Lightbulb icon

Oops!

We currently don’t have an answer for this and our teams are working on resolving the issue. If you still need help,
User reading a resource

Popular resources

Conversation bubbles

Contact us

Run PaperCut Services with a Domain User Account

THE PAGE APPLIES TO:

”Help! I’m a systems administrator looking to set up PaperCut services to run as a Windows service account or domain user. How can I set this up, and what does PaperCut recommend in regards to what permissions the account will need?”

When and why would PaperCut need to run as a domain user account?

When PaperCut is first installed on a Windows server, several services are created such as the Application Server Service and the Print Provider Service. By default these run as the Local SYSTEM account, and this gives these services all the permissions they need on the server to function for most environments.

Many PaperCut environments are ok leaving these services as-is, but in the world of Windows the Local SYSTEM account lacks permissions to access any network resources, and this means there are some cases when PaperCut services need to be configured to run as a domain user account or Service Account instead.

Below we’ve listed specific situations where a domain user or service account is needed:

  • If PaperCut is configured to access a file share hosted on another server, such as when…
    • Print Archiving is enabled and the Central Archive is in a custom location.
    • Integrated Scanning is configured with a Scan to Folder action.
  • When PaperCut is configured to sync from a separate Active Directory domain than the one the server is joined to, as described in Importing users from multiple Active Directory domains.
  • When the Web Print Service (Default mode) is enabled, but the print queues are hosted on a different server than the PaperCut server.
  • When Find-Me Printing is configured but the source and destination queue are on two different print servers (called “Cross-Server Redirection”).
  • When PaperCut is configured to deliver Winpopup notifications, such as a balance notification to Windows clients running on your network. (Winpopup has been deprecated by Microsoft, so you are not likely to see this.)
  • When organization-specific security policies mean that sync’ing with Active Directory won’t work properly unless using a non-SYSTEM account.

What permissions does this account need?

Below are the permissions needed for a PaperCut Service account:

  • Local administrator rights on any server where any PaperCut services run to ensure that these services (the PaperCut Application Server, Print Provider, Web Print, Mobility Print, and others…) start successfully and run as intended.
  • Permissions to send print jobs to queues on other print servers only if Find-Me Printing is set up in an environment with print queues hosted on multiple servers. Configuring the Print Provider service to run as a standard domain user account will normally achieve this. To test, log into the server with this account and attempt to send a print job to the destination print queue on another server.
  • Read, write, and modify permissions to file shares hosted on any other servers only for Print Archiving with a Central Archive or for Integrated Scanning with a Scan-to-Folder action.
  • Read access for all AD attributes for all users across all security groups that require PaperCut membership only if PaperCut has been configured to synchronize users from a different Active Directory Domain than the one the server is joined to. This is further described in our article Multiple domain security configuration. (Normally this is satisfied if the server is joined to the domain and PaperCut is running as Local SYSTEM.)

How to set up PaperCut to run as a different account

Be careful when configuring PaperCut to run as a domain user or service account. If not done properly, PaperCut services may fail to start which will be a big problem for your users, so you will want to make this change after hours and test thoroughly.

  1. In Active Directory Users and Groups create a domain user account or service account for PaperCut.
  2. Assign the necessary permissions including local admin rights to any servers running PaperCut, as well as read, write, and modify permissions to any network resources PaperCut may be configured to access (like file shares). As the system administrator for your domain we assume you know what you are doing here.
  3. On the server running PaperCut, open Services by pressing Windows key + R, then type services.msc and press the enter key.
  4. Right click on the PaperCut Application Server service and choose Properties.
  5. On the Log On tab, under Log on as, and select This account. Then enter the credentials for the newly created account.
  6. Click OK.
  7. Right click on the service and choose Restart, then wait a moment to ensure that it starts properly.
  8. In addition to PaperCut Application Server service you will need to repeat these steps for the PaperCut Print Provider service PaperCut services such as the PaperCut Web Print Server, PaperCut Mobility Print, PaperCut Job Ticketing and possibly others depending on which PaperCut features your organization is utilizing.

Group Managed Service Accounts (gMSAs)

As organizations look to disable NTLM protocols for enhanced security, Group Managed Service Accounts (gMSAs) provide a secure alternative by leveraging Kerberos authentication and automating password management.

At this time we’re still seeking input from customers who have tested this in their environment, so we can’t recommend this to everyone. However if you’re a security-conscious customer who is interested in securing your environment we welcome your feedback.

Follow these steps to set up a gMSA for PaperCut:

  1. Create the Managed Service Account (MSA):
    An MSA is a specialized account type within Active Directory. Ensure that the MSA has the necessary access to resources, similar to a typical service account. Local Administrator rights are a good starting point, but you can also assign more granular permissions as needed for PaperCut to function properly, such as access to network file shares for Scan to Folder or Web Print. If using an external database (e.g., SQL Server with automatic authentication), ensure the MSA has read and write access to the database. Note: Do not add the MSA to the “Protected Users” group, as this could limit necessary permissions.
  2. Add Service Principal Names (SPNs):
    Service Principal Names are used to associate a service instance with an account. For PaperCut, you’ll need to add an SPN for each server running PaperCut services in your network. Example: PCAppServer/your-server-name.domain.net.
  3. Configure PaperCut to use the gMSA:
    After creating the gMSA, configure PaperCut to use the new account by following the steps outlined in this article. For gMSAs, append a dollar sign to the end of the account name. Example: papercut-msa$.

Still have questions?

Let us know! We love chatting about what’s going on under the hood. Feel free to leave a comment below or visit our Support Portal for further assistance.


Categories: How-to Articles , Installing, Uninstalling and Migrating


Comments

Last updated September 13, 2024