PaperCut and Active Directory
All PaperCut products after version 5.2 include full support for Active Directory including support for:
PaperCut continues to support older NT-style domains and installations on standalone machines.
I have a "locked down" Active Directory environment and PaperCut is having problems accessing the AD. How can I fix this?
By default, PaperCut runs as the Local System account. This is generally regarded as best practice for services. The Local System account should have access to query the AD (read-only access) in most default domain environments. If, however, the server is not a member of the domain (maybe in another domain), or the AD environment has been locked down from defaults, then some further configuration may be required.
The solution is to elevate the privileges used to run the PaperCut Application Server service. This is done under:
Control Panel -> Admin Tools -> Services
Select the PaperCut Application Server service, then the Logon tab. Change the service account to an account that has both Local Administrator rights and at least read access to the AD. Best practice suggests that you should create a new user account (common convention is to use a name like svcpapercut) and set the account's password to "never expire".
My users in AD do not list under one of my groups. What is the problem?
This may be caused by the use of the legacy primary group field in AD. The problem is discussed in detail below.
In an Active Directory domain, all users have a "Primary Group", which is only used for legacy reasons and for POSIX compliance. By default, the primary group of all Active Directory users is set to the built-in "Domain Users" group. It is recommended that you leave "Domain Users" as the primary group (best practice suggested by Microsoft) and use standard groups for management.
Due to a limitation in Active Directory, when a user is a member of a group by virtue of it being the user's primary group, they are not reported as a member of that group when using the Active Directory APIs.
For example, if a user's primary group is set to a group called "Staff", then the user will not appear to be a member of "Staff" when using selected Active Directory APIs.
This limitation is discussed in detail in the following Microsoft Knowledge Base article: http://support.microsoft.com/?kbid=275523
This behavior can adversely affect PaperCut's group-based features (like quota allocation, or new user creation rules) because the user is not correctly reported as being a member of the group.
For this reason, it is highly recommended to leave "Domain Users" as the primary group for all users of your domain.
If you need to use a group in PaperCut that is also used as a primary group (that is, users are members of the group by virtue of it being their primary group), then the workaround is to create a mirror group. For example, if you have a group called "Staff" and are unable to use this group because of the primary group problem, create a new group called StaffStandard and add staff members to this group. You can take advantage of Active Directory's query system to quickly identify and add the staff users. The new group StaffStandard can then accurately be used in PaperCut.
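One way to build the mirror group described above, as an added example that is not part of the original article or PaperCut's own tooling. It assumes the RSAT ActiveDirectory PowerShell module, an account allowed to create and modify groups, and the group names "Staff" and "StaffStandard" from the article's example.

```powershell
# Added example: mirror a primary group into a standard group.
# Assumption: the RSAT ActiveDirectory module is installed on this machine.
Import-Module ActiveDirectory

$SourceGroup = 'Staff'          # group used as a primary group (article's example)
$MirrorGroup = 'StaffStandard'  # standard group PaperCut will use instead

# primaryGroupToken is the group's RID. Users who have this group as their
# primary group store the same number in primaryGroupID and do not appear
# in the group's member attribute.
$source = Get-ADGroup -Identity $SourceGroup -Properties primaryGroupToken, member
$rid    = $source.primaryGroupToken

# Users who belong to the group only through the primary group field.
$primaryOnly = @(Get-ADUser -Filter "primaryGroupID -eq $rid" |
    Select-Object -ExpandProperty DistinguishedName)

# Members listed in the ordinary member attribute.
$explicit = @($source.member)

Write-Host "$SourceGroup : $($explicit.Count) listed members," `
           "$($primaryOnly.Count) members via primary group only"

# Create the mirror group if it does not exist yet.
$mirror = Get-ADGroup -Filter "Name -eq '$MirrorGroup'" -Properties member
if (-not $mirror) {
    $mirror = New-ADGroup -Name $MirrorGroup -SamAccountName $MirrorGroup `
        -GroupScope Global -GroupCategory Security -PassThru
}

# Add everyone who is not already in the mirror group, so re-runs are safe.
$existing = @($mirror.member)
$toAdd = @($primaryOnly + $explicit |
    Sort-Object -Unique |
    Where-Object { $existing -notcontains $_ })

if ($toAdd.Count -gt 0) {
    $toAdd | ForEach-Object { Write-Host "Adding $_" }
    Add-ADGroupMember -Identity $mirror -Members $toAdd
} else {
    Write-Host "$MirrorGroup is already up to date"
}
```

The script only adds members. Users who later leave "Staff" have to be removed from StaffStandard separately.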
