PaperCut and Active Directory

Main.ActiveDirectoryConsiderations History

December 11, 2017, at 08:42 PM by Brad Stone - Fix typo
Changed line 23 from:
A: Yes.  PaperCut has mutli-domain support and is commonly used in complex tree/forest arrangements.
to:
A: Yes.  PaperCut has multi-domain support and is commonly used in complex tree/forest arrangements.
August 29, 2016, at 12:51 AM by Shane Higgins -
Changed lines 59-61 from:
If you need to use a group in PaperCut that is also used as a primary group - that is uses are a member of a group by virtue of it being their primary group - then the work around is to create a mirror group.  For example, if you have a group called "Staff" and are unable to use this group because of the primary group problem, create a new group called [@StaffStandard@] and add staff members to this group.  You can take advantage of Active Directories query system to quick identify and add the staff users.  The new group [@StaffStandard@] can then accurately be used in PaperCut.
to:
If you need to use a group in PaperCut that is also used as a primary group, where users are a member of a group by virtue of it being their primary group, then the work around is to create a mirror group.

For example, if you have a group called "Staff" and are unable to use this group because of the primary group problem, create a new group called [@StaffStandard@] and add staff members to this group.  You can take advantage of Active Directories query system to quick identify and add the staff users.  The new group [@StaffStandard@] can then accurately be used in PaperCut.
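Review bot: The second paragraph of the new text does not say how the mirror group is kept in step once it exists; a user added to "Staff" later by primary group alone will still be missing from [@StaffStandard@], so the group-based rules will silently skip them. Suggest adding a sentence on re-running the query when staff are added. In the same paragraph, "Active Directories query system to quick identify" should read "Active Directory's query system to quickly identify".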
Added lines 61-63:

!! Nested Group Support with Linux/Mac Primary server:
Due to limitations in the various LDAP protocol implementations, Nested Group functionality is not available if you are not using "Windows Active Directory" as a sync source. You will need to use a "Flat Group" instead. We recommend taking this into consideration when opting to use Linux or Mac OS X.
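Review bot: The heading ties the limitation to a Linux/Mac primary server, while the sentence under it ties it to not using "Windows Active Directory" as the sync source; state which of the two conditions actually removes nested group support. "Flat Group" is also used without a definition, so a reader cannot tell what to create instead. Since group membership drives PaperCut's group-based features, it is worth saying that users who belong to a group only through nesting will not be reported as members.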
Changed lines 26-27 from:
Q: I have a "locked down" Active Directory environment and PaperCut is having problems access the AD. How can I fix this?
to:
Q: I have a "locked down" Active Directory environment and PaperCut is having problems accessing the AD. How can I fix this?
Changed lines 43-44 from:
In an Active Directory domain, all users have a "Primary Group", which is only used for legacy reasons and for POSIX compliance.  By default, the primary group of all all Active Directory users is set to the built-in "Domain Users" group.  It is recommended that you leave "Domain Users" as the primary group (Best practice suggested by Microsoft) and use standard groups for management.
to:
In an Active Directory domain, all users have a "Primary Group", which is only used for legacy reasons and for POSIX compliance.  By default, the primary group of all Active Directory users is set to the built-in "Domain Users" group.  It is recommended that you leave "Domain Users" as the primary group (Best practice suggested by Microsoft) and use standard groups for management.
Changed lines 3-4 from:
All PaperCut products release after 2004 include full native support for Active Directory including support for:
to:
All PaperCut products released after 2004 include full native support for Active Directory including support for:
January 28, 2010, at 11:33 PM by Jason - PaperCut does will never cache.. removed does.
Changed line 16 from:
A: PaperCut does will never cache user rights credentials (e.g. passwords).  In line with security best practice, user authentication is done via real-time interrogation at the moment of authentication.  User account metadata (e.g. Full Name) is cached locally to minimize load on the AD server and only queried during:
to:
A: PaperCut will never cache user rights credentials (e.g. passwords).  In line with security best practice, user authentication is done via real-time interrogation at the moment of authentication.  User account metadata (e.g. Full Name) is cached locally to minimize load on the AD server and only queried during:
Changed lines 3-4 from:
All PaperCut products after version 5.2 include full native support for Active Directory including support for:
to:
All PaperCut products release after 2004 include full native support for Active Directory including support for:
Changed lines 8-9 from:
PaperCut still continues to support older NT style domains and installs on standalone machines.
to:
PaperCut still continues to support older NT style domains.
Changed lines 21-25 from:
to:
Q: Does PaperCut support multiple domains?

A: Yes.  PaperCut has mutli-domain support and is commonly used in complex tree/forest arrangements.

Changed lines 3-4 from:
All PaperCut products after version 5.2 include full support for Active Directory including support for:
to:
All PaperCut products after version 5.2 include full native support for Active Directory including support for:
Changed lines 12-21 from:
to:
Q: How does PaperCut integrate with Active Directory?

A: PaperCut accesses Active Directory in a read-only way for user authentication and extracting user account metadata such as email address, full name, office, department and group membership.  Write access or elevated rights access is not required. When running on a Windows Server PaperCut uses native Active Directory `APIs.  When running on a Linux or Mac system PaperCut accesses AD via the remote LDAP interface.

A: PaperCut does will never cache user rights credentials (e.g. passwords).  In line with security best practice, user authentication is done via real-time interrogation at the moment of authentication.  User account metadata (e.g. Full Name) is cached locally to minimize load on the AD server and only queried during:
* Initial account creation
* During overnight sync if enabled
* During a manual user/group sync
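
Review bot: The second "A:" paragraph (credential caching) has no "Q:" before it in this hunk, so it reads as a continuation of the integration answer; add the question it answers. In that paragraph "PaperCut does will never cache" has a stray "does", the first answer has a stray backtick before "APIs", and the list items under "only queried during:" repeat "During".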

Added lines 32-33:
Attach:ad-primary-group.png
Changed lines 30-31 from:
In an Active Directory domain, all users have a "Primary Group", which is only used for legacy reasons and for POSIX compliance.  By default, the primary group of all all Active Directory users is set to the built-in "Domain Users" group.  It is recommended that you leave "Domain Users" as the primary group (Best practice suggested by Microsoft).
to:
In an Active Directory domain, all users have a "Primary Group", which is only used for legacy reasons and for POSIX compliance.  By default, the primary group of all all Active Directory users is set to the built-in "Domain Users" group.  It is recommended that you leave "Domain Users" as the primary group (Best practice suggested by Microsoft) and use standard groups for management.
Changed line 27 from:
to:
[[#primarygroup]]
Changed lines 6-7 from:
* Organisational Units
to:
* Organizational Units
Added lines 12-22:

Q: I have a "locked down" Active Directory environment and PaperCut is having problems access the AD. How can I fix this?

A: By default, PaperCut runs as the ''Local System'' account.  This is generally regarded as best practice for services.  The Local System account should have access to query the AD (read-only access) in most default domain environments.  If however the server is not a member of the domain (maybe in another domain), or the AD environment has been locked down from defaults, then some further configuration may be required.

A: The solution is to elevate the privileges used to run the PaperCut Application Server service.  This is done under:

-->[@Control Panel@] -> [@Admin Tools@] -> [@Services@]

A: Select the ''PaperCut Application Server'' service, then the ''Logon'' tab.  Change the service account to an account that has both Local Administrator rights and at least read access to the AD.  Best practice suggests that you should create a new user account (common convention is to use a name like ''svcpapercut'') and set the accounts password to "never expire".
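
Review bot: The last answer asks for an account with "both Local Administrator rights and at least read access to the AD" and a password set to "never expire", but gives no reason why Local Administrator is needed when the problem described is only read access to the AD. Suggest stating the minimum rights the service needs and, if the non-expiring password stays, recommending a long random password and an account used for this service only. Wording: "problems access the AD" should be "problems accessing the AD", "accounts password" should be "account's password", and the three consecutive "A:" prefixes belong to one answer.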

Changed lines 33-34 from:
If you need to use a group in PaperCut that is also used as a primary group - that is uses are a member of a group by virtue of it being their primary group - then the work around is to create a mirror group.  For example, if you have a group called "Staff" and are unable to use this group because of the primary group problem, create a new group called [@StaffStandard@] and add start members to this group.  You can take advantage of Active Directories query system to quick identify and add the staff users.  The new group [@StaffStandard@] can then accurately be used in PaperCut.
to:
If you need to use a group in PaperCut that is also used as a primary group - that is uses are a member of a group by virtue of it being their primary group - then the work around is to create a mirror group.  For example, if you have a group called "Staff" and are unable to use this group because of the primary group problem, create a new group called [@StaffStandard@] and add staff members to this group.  You can take advantage of Active Directories query system to quick identify and add the staff users.  The new group [@StaffStandard@] can then accurately be used in PaperCut.
Added lines 10-11:
!Common AD Questions
Changed lines 10-14 from:
to:
Q: My users in AD do not list under one of my groups.  What is the problem?

A: This may be caused by the use of the legacy primary group field in AD.  The problem is discussed in detail below.

Changed lines 13-14 from:
In an Active Directory domain, all users have a "Primary Group", which is only used for legacy reasons and for POSIX compliance.  By default, the primary group of all all Active Directory users is set to the built-in "Domain Users" group.  It is recommended that you leave "Domain Users" as the primary group.
to:
In an Active Directory domain, all users have a "Primary Group", which is only used for legacy reasons and for POSIX compliance.  By default, the primary group of all all Active Directory users is set to the built-in "Domain Users" group.  It is recommended that you leave "Domain Users" as the primary group (Best practice suggested by Microsoft).
Changed lines 17-18 from:
For example, if a user's primary group is set to a group called "Staff", then the user will not appear to be a member of "Staff" when using the Active Directory [=APIs=].
to:
For example, if a user's primary group is set to a group called "Staff", then the user will not appear to be a member of "Staff" when using selected Active Directory [=APIs=].
Changed lines 22-23 from:
This behaviour can adversely affect PaperCut's group-based features (like quota allocation, or new user creation rules) because the user is not correctly reported as being a member of the group. 
to:
This behavior can adversely affect PaperCut's group-based features (like quota allocation, or new user creation rules) because the user is not correctly reported as being a member of the group. 
Added line 29:
----
Added line 31:
----
Added lines 1-2:
(:title PaperCut and Active Directory:)
Added line 29:
''Categories:'' [[!Domains]]
Added lines 24-25:
!!!Work around:
If you need to use a group in PaperCut that is also used as a primary group - that is uses are a member of a group by virtue of it being their primary group - then the work around is to create a mirror group.  For example, if you have a group called "Staff" and are unable to use this group because of the primary group problem, create a new group called [@StaffStandard@] and add start members to this group.  You can take advantage of Active Directories query system to quick identify and add the staff users.  The new group [@StaffStandard@] can then accurately be used in PaperCut.

Article last modified on December 11, 2017, at 08:42 PM