This article explains how to restrict a Service Account's permissions by assigning the least-privileged roles that the Microsoft Print Server Connector needs to connect to the Print Server.
Create a Service Account
Create a service account in your Active Directory. This account has the same default settings as a regular domain user account. The Service Account needs permissions on the Print Server.
Grant WMI permissions to the Service Account
On the Microsoft Print Server, you need to add the following permissions in the Windows Management Instrumentation (WMI):
- Log into your Microsoft Print Server.
- Run wmimgmt.msc or open WMI Control (Local).
- Right-click "WMI Control (Local)" and select Properties.
- Navigate to the Security tab.
- Select CIMV2 under Root and click Security.
- In the Security for.. dialog box that opens, add the Service Account you previously created and grant the following permissions to it:
  - Remote Enable
  - Read Security
- When you finish, click OK until you reach the WMI Control (Local) console. Your changes will be saved automatically.
Grant Local computer permissions to the Service Account
On the Microsoft Print Server, you need to add the following permissions on the local computer.
- Log into your Microsoft Print Server.
- Run compmgmt.msc or open Computer Management.
- Navigate to System Tools > Local Users and Groups > Groups.
- Add the Service Account you previously created to:
  - Performance Log Users
  - Users
- When you finish, click OK until you reach the Computer Management console. Your changes are saved automatically.
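To confirm the result of both procedures above, the following PowerShell audit (an added example, not part of the vendor's documentation) reads the root\cimv2 security descriptor and the two local groups, and reports whether the account holds exactly the WMI rights listed and nothing more. The account name `CONTOSO\svc-printconnector` is a hypothetical placeholder, and the script assumes an elevated Windows PowerShell 5.1 session on the print server with English group names.

```powershell
# Hypothetical account name; replace with the service account you created.
$Account = 'CONTOSO\svc-printconnector'
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# WMI namespace access-mask bits for the two permissions granted above.
$RemoteEnable = 0x20       # WBEM_REMOTE_ACCESS ("Remote Enable")
$ReadSecurity = 0x20000    # READ_CONTROL       ("Read Security")
$expected     = $RemoteEnable -bor $ReadSecurity

# Read the root\cimv2 security descriptor and merge the allow ACEs (AceType 0)
# that name the account directly. ACEs flagged inherit-only (0x8) do not apply
# to this namespace, and rights held through group membership are not evaluated.
$sd = Invoke-CimMethod -Namespace 'root/cimv2' -ClassName '__SystemSecurity' `
    -MethodName 'GetSecurityDescriptor'
if ($sd.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($sd.ReturnValue)" }

[uint32]$granted = 0
foreach ($ace in $sd.Descriptor.DACL) {
    $direct = $ace.Trustee.SIDString -eq $sid
    $applies = $ace.AceType -eq 0 -and -not ($ace.AceFlags -band 0x8)
    if ($direct -and $applies) { $granted = $granted -bor $ace.AccessMask }
}
$excess = $granted -band (-bnot [uint32]$expected)

# Direct membership only: an account that reaches a group through a nested
# domain group is reported as not a member here.
$groups = foreach ($g in 'Performance Log Users', 'Users') {
    $isMember = [bool](Get-LocalGroupMember -Group $g |
        Where-Object { $_.SID.Value -eq $sid })
    [pscustomobject]@{ Check = "Member of $g"; Pass = $isMember }
}

$wmi = @(
    [pscustomobject]@{ Check = 'WMI root\cimv2: Remote Enable'
                       Pass  = [bool]($granted -band $RemoteEnable) }
    [pscustomobject]@{ Check = 'WMI root\cimv2: Read Security'
                       Pass  = [bool]($granted -band $ReadSecurity) }
    [pscustomobject]@{ Check = ('No other WMI rights (granted mask 0x{0:X})' -f $granted)
                       Pass  = ($excess -eq 0) }
)
$wmi + $groups | Format-Table -AutoSize
```

A failed "No other WMI rights" row means the account's ACE carries bits beyond Remote Enable and Read Security; remove them in the same Security dialog used above.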