MarcLaf closed this issue 5 years ago
This may be true, however check this out: https://adsecurity.org/?p=4056
I wonder how we can kill both stones at the same time? Disable by default and enable to do the cleanup and shut down right after?
Ahhh I see, thanks for the reply. I very much agree that having your domain compromised is much worse than having stale printers, and I'm wondering how often the stale printers show up (I also can't quite figure out the scenario in which they would show up). Maybe the scan should indicate that disabled is recommended; however, you will need to do manual print queue cleanup?
When you add a printer to Print Servers you have the ability to publish in AD. I guess AD then manages that removing/adding printers depending on Print Server availability. But that's my guess. I'll update the explanation.
Yeah the explanation isn't complete on MS side which is confusing. Maybe if a printer is deleted before it's been un-published in AD? Who knows. But thank you for updating your side of things. This module is really slick!
According to MS, it's not recommended to disable Print Spooler on a DC because this is responsible for removing stale printer objects from AD.
https://docs.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#print-spooler
The TechNet article in the comments of that page doesn't exist anymore, but it can be found via the Wayback Machine.
Looks like you should have it enabled on at least 1 DC in each site.
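To put the "at least one DC per site" guidance next to the exposure the thread is worried about, here is an added example (not part of this issue or the module being discussed) that reports the Print Spooler state on every domain controller grouped by AD site. It assumes the ActiveDirectory RSAT module and CIM/WinRM access to each DC; `Get-DcSpoolerState` is a helper name chosen for this example.

```powershell
# Added example: Print Spooler state on every DC, grouped by AD site.
# Assumes the ActiveDirectory module is installed and WinRM/CIM is reachable on each DC.
Import-Module ActiveDirectory

function Get-DcSpoolerState {
    param(
        # Optional: query a specific domain; defaults to the current domain.
        [string]$Server
    )
    $dcParams = @{ Filter = '*' }
    if ($Server) { $dcParams['Server'] = $Server }

    foreach ($dc in Get-ADDomainController @dcParams) {
        try {
            $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'" `
                                   -ComputerName $dc.HostName -ErrorAction Stop
            [pscustomobject]@{
                DC        = $dc.HostName
                Site      = $dc.Site
                State     = $svc.State       # Running / Stopped
                StartMode = $svc.StartMode   # Auto / Manual / Disabled
            }
        } catch {
            # Record unreachable DCs instead of silently skipping them.
            [pscustomobject]@{ DC = $dc.HostName; Site = $dc.Site; State = 'Unreachable'; StartMode = $_.Exception.Message }
        }
    }
}

$results = Get-DcSpoolerState

# Every DC still running the spooler is the exposure the adsecurity link describes.
$results | Where-Object State -eq 'Running' |
    ForEach-Object { Write-Warning "Spooler running on DC $($_.DC) (site $($_.Site))" }

# Sites with no spooler left are where stale printer objects stop being pruned,
# per the MS guidance quoted above.
$results | Group-Object Site | ForEach-Object {
    $running = @($_.Group | Where-Object State -eq 'Running').Count
    if ($running -eq 0) {
        Write-Warning "Site $($_.Name): no DC has Spooler running; stale printer cleanup will not happen here"
    }
}

$results | Sort-Object Site, DC | Format-Table -AutoSize
```

Run it from a workstation with RSAT as a domain user; it reads service state only and changes nothing.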