
Many organizations install and share printers on Windows Server, and that is a perfectly good way to maintain and distribute printers. What you should not do, for security reasons, is install printers on the Domain Controllers, because printing needs the Print Spooler service running on that server. In this article, you will learn why the Print Spooler is a risk on a Domain Controller and how to disable it.

What is a Print Spooler service?

Print Spooler is a software service that manages printing processes. The spooler accepts print jobs from computers and ensures that printer resources are available. The spooler also schedules the order in which print jobs are sent to the print queue for printing. In the early days of personal computers, users had to wait until files were printed before performing other actions. Thanks to modern print spoolers, printing now has minimal impact on overall user productivity.

The risk for Print Spooler service on Domain Controllers

While seemingly harmless, the Print Spooler accepts remote connections from any authenticated domain user. Over its RPC interface (MS-RPRN), such a user can ask the domain controller’s spooler to notify a host of the user’s choosing about new print jobs. To deliver that notification, the domain controller authenticates to the chosen host with its own computer account (the spooler runs as SYSTEM). If the attacker controls a host that is trusted for unconstrained delegation, that authentication hands over the domain controller computer account’s credential, which is enough to take over the domain.

Because of this exposure, domain controllers and Active Directory admin systems should have the Print Spooler service disabled. The recommended way to do this is a Group Policy Object (GPO), so that every current and future domain controller gets the setting.

Note: Disabling the Print Spooler on all domain controllers is recommended.

Note: Disabling the Print Spooler service on the Domain Controller means that users can’t print on the printers that are installed on the Domain Controllers. You should use a dedicated print server or install the printer on another server.

Active Directory Security Audit report

Here is what it looks like when we run an Active Directory Security Audit report while the Print Spooler is enabled on the Domain Controllers.

The security indicator shows:

During June-July 2021, several critical flaws were found in the Windows Print Spooler service. They directly affect Print Spoolers on domain controllers and enable remote code execution.

In our example, two Domain Controllers have the Print Spooler enabled.

Disable Print Spooler on Domain Controller report before

After we disable the Print Spooler service with one of the methods below, we run the Active Directory Security Audit report again, and this is what it looks like.

Disable Print Spooler on Domain Controller report after

Everything looks good.
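If you do not have an audit tool, the same check can be scripted. The script below is an added example and is not part of the original article or of the audit report: it lists every domain controller, reads the Print Spooler startup type and state (this part needs admin rights on the DCs), and also tries to open the spoolss named pipe over SMB with nothing more than an ordinary domain account, which is the same access an attacker would use. It assumes the RSAT ActiveDirectory module on a domain-joined machine and a reachable port 445 on the DCs.

```powershell
# Added example (not from the original article): audit every domain
# controller for a reachable Print Spooler.
# Assumes: RSAT ActiveDirectory module, domain-joined host, domain account.
Import-Module ActiveDirectory

function Test-SpoolerPipe {
    # Try to open \\<host>\pipe\spoolss over SMB. The pipe exists only while
    # the spooler is running, so a successful Connect means any authenticated
    # user can reach the service. No admin rights are needed for this probe.
    param([Parameter(Mandatory)][string]$ComputerName)

    $pipe = [System.IO.Pipes.NamedPipeClientStream]::new(
        $ComputerName, 'spoolss', [System.IO.Pipes.PipeDirection]::InOut)
    try {
        $pipe.Connect(3000)          # timeout in milliseconds
        return $true
    } catch {
        return $false                # pipe missing, host down, or access denied
    } finally {
        $pipe.Dispose()
    }
}

function Get-DcSpoolerStatus {
    # One object per DC: start mode and state via CIM (needs admin rights on
    # the DC) plus the unprivileged named-pipe probe.
    Get-ADDomainController -Filter * | ForEach-Object {
        $dc  = $_.HostName
        $svc = $null
        try {
            $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'" `
                -ComputerName $dc -ErrorAction Stop
        } catch {
            Write-Warning "CIM query failed on ${dc}: $($_.Exception.Message)"
        }
        $startMode = if ($svc) { $svc.StartMode } else { 'unknown' }
        $state     = if ($svc) { $svc.State }     else { 'unknown' }

        [pscustomobject]@{
            DomainController = $dc
            StartMode        = $startMode
            State            = $state
            PipeReachable    = Test-SpoolerPipe -ComputerName $dc
        }
    }
}

$results = Get-DcSpoolerStatus
$results | Format-Table -AutoSize

# A reachable pipe, or any start mode other than Disabled, is a finding.
# Exit non-zero so the script can run from a scheduled task or CI job.
$findings = @($results | Where-Object { $_.PipeReachable -or $_.StartMode -ne 'Disabled' })
if ($findings.Count -gt 0) {
    Write-Warning "$($findings.Count) domain controller(s) still expose the Print Spooler."
    exit 1
}
```

The pipe probe is the one to trust: a DC whose spooler is set to Disabled but still running (for example, because the GPO applied and nobody restarted the service) still answers on spoolss and is still exposed.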

How to Disable Print Spooler service on Domain Controller

There are different methods to turn off the Print Spooler service. Follow the method that is most relevant to your organization. However, the first method, the GPO, is the recommended method.

Method 1. Group Policy Object (GPO)

To disable the Print Spooler using GPO, follow these steps:

  1. Sign in on the Domain Controller
  2. Open Group Policy Management
  3. Right-click on the Domain Controllers OU
  4. Select Create a GPO in this domain, and Link it here…
  5. Name the GPO DisablePrintSpoolerService and click OK
  6. Right-click on the GPO and click Edit
  7. Navigate to Computer Configuration > Windows Settings > Security Settings > System Services
  8. Double-click on Print Spooler
  9. Select Define this policy setting
  10. Select Disabled
  11. Click OK
  12. Start Command Prompt on the Domain Controller
  13. Run the below command to apply the changes immediately
gpupdate /force

Note: gpupdate /force refreshes policy only on the Domain Controller you run it on. The other Domain Controllers pick up the GPO at their next policy refresh (every 5 minutes on Domain Controllers by default), or when you run the same command on each of them. The System Services setting changes the startup type to Disabled; a Print Spooler that is already running keeps running until you stop it (Method 2 or 3) or the Domain Controller restarts.
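To avoid logging on to every Domain Controller for the gpupdate step, the same refresh and a check of the result can be driven from one admin workstation. The script below is an added example, not part of the original article: it verifies that the GPO created in the steps above is linked to the Domain Controllers OU, pushes a computer policy refresh to every DC, and reports the resulting startup type and state. It assumes the RSAT ActiveDirectory and GroupPolicy modules, Domain Admin rights, and the GPO name DisablePrintSpoolerService from the steps above.

```powershell
# Added example (not from the original article): verify the GPO link, refresh
# policy on all DCs, and report the spooler state afterwards.
# Assumes: RSAT ActiveDirectory + GroupPolicy modules, Domain Admin rights.
Import-Module ActiveDirectory, GroupPolicy

$gpoName = 'DisablePrintSpoolerService'            # name used in the GPO steps above
$dcOu    = (Get-ADDomain).DomainControllersContainer   # OU=Domain Controllers,DC=...

# 1. Is the GPO linked to the Domain Controllers OU, and is the link enabled?
$link = (Get-GPInheritance -Target $dcOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $link) {
    throw "GPO '$gpoName' is not linked to $dcOu"
}
if (-not $link.Enabled) {
    throw "GPO '$gpoName' is linked to $dcOu but the link is disabled"
}
Write-Host "GPO '$gpoName' is linked to $dcOu (enforced: $($link.Enforced))"

# 2. Refresh computer policy on every DC now instead of waiting for the next
#    refresh interval. RandomDelayInMinutes 0 removes the default stagger;
#    keep the default if you have many DCs. Requires the remote scheduled
#    task and WMI firewall rules that Invoke-GPUpdate relies on.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
foreach ($dc in $dcs) {
    try {
        Invoke-GPUpdate -Computer $dc -Target Computer -Force -RandomDelayInMinutes 0 -ErrorAction Stop
    } catch {
        Write-Warning "Policy refresh on ${dc} failed: $($_.Exception.Message)"
    }
}

# 3. The System Services policy only sets the startup type; a spooler that was
#    already running keeps running until stopped or the DC reboots. Show both
#    values so that a still-running service is not mistaken for "done".
foreach ($dc in $dcs) {
    $svc  = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'" -ComputerName $dc
    $note = if ($svc.StartMode -eq 'Disabled' -and $svc.State -eq 'Running') {
        'policy applied, service still running: stop it or reboot'
    } else { '' }
    [pscustomobject]@{ DC = $dc; StartMode = $svc.StartMode; State = $svc.State; Note = $note }
}
```

Invoke-GPUpdate schedules gpupdate on the remote machine and returns before it finishes, so allow a minute before reading the results in step 3 if the report still shows the old startup type.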

Method 2. Service Manager

To disable the Print Spooler service using the Service Manager, follow these steps:

  1. Sign in on the Domain Controller
  2. Open Windows Services Manager
  3. Right-click the Print Spooler service
  4. Click on Properties
  5. Change the startup type to Disabled
  6. Click Stop under the service status
  7. Click OK

Method 3. PowerShell

To disable the Print Spooler service using PowerShell, follow these steps:

  1. Sign in on the Domain Controller
  2. Start Windows PowerShell
  3. Run the script below
# Stop the Print Spooler service
Stop-Service -Name Spooler

# Disable the Print Spooler service
Set-Service -Name Spooler -StartupType Disabled

If you want to disable it on all the Domain Controllers from one place, run the script below. It uses PowerShell remoting, so WinRM must be enabled on the Domain Controllers (it is by default on Windows Server) and you need admin rights on them.

# Retrieve all domain controllers in the current domain
$DCs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# Loop through each domain controller
foreach ($DC in $DCs) {
    $Session = $null
    try {
        # Connect to the remote domain controller (requires WinRM / PowerShell remoting)
        $Session = New-PSSession -ComputerName $DC -ErrorAction Stop

        # Stop and disable the Print Spooler service in one remote call and
        # return the resulting state; PSComputerName shows which DC it came from
        Invoke-Command -Session $Session -ScriptBlock {
            Stop-Service -Name Spooler -ErrorAction Stop
            Set-Service -Name Spooler -StartupType Disabled -ErrorAction Stop
            Get-Service -Name Spooler | Select-Object Status, StartType
        }
    } catch {
        # Report the failure and continue with the next domain controller
        Write-Warning "Failed on ${DC}: $($_.Exception.Message)"
    } finally {
        # Close the remote session if one was opened
        if ($Session) { Remove-PSSession -Session $Session }
    }
}

That’s it!
