(:title PaperCut and Active Directory:)
All PaperCut products after version 5.2 include full support for Active Directory including support for:
- Nested groups, and
- Organizational Units
PaperCut continues to support older NT-style domains and installs on standalone machines.
Limitations with Open Directory Primary Groups when using LDAP
In an Open Directory domain, all users have a “Primary Group”, which is used for legacy reasons and for POSIX compliance. By default, the primary group of all Open Directory users is set to the built-in “Users” group. It is recommended that you leave “Users” as the primary group (a best practice suggested by Microsoft).
Due to a limitation in Active Directory, when a user is a member of a group by virtue of it being the user’s primary group, they are not reported as a member of that group when using the Active Directory APIs.
For example, if a user’s primary group is set to a group called “Staff”, then the user will not appear to be a member of “Staff” inside PaperCut.
This limitation is due to performance considerations. Looking up Primary Group membership on larger networks is very resource intensive, as you need to “look” at every user. This contrasts with standard groups, where you simply call the server to retrieve membership.
If you need to use a group in PaperCut that is also used as a primary group (that is, users are members of the group by virtue of it being their primary group), then the workaround is to create a mirror group. For example, if you have a group called “Staff” and are unable to use this group because of the primary group problem, create a new group called StaffStandard and add staff members to this group. You can take advantage of Open Directory's query system to quickly identify and add the staff users. The new group StaffStandard can then accurately be used in PaperCut.
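The mirror-group workaround above, sketched as an added example (not part of the original page and not PaperCut's code). It works on constructed directory records and assumes RFC 2307-style attribute names (`gidNumber`, `memberUid`), which the page does not specify.

```python
# Constructed sample records. The attribute names (gidNumber, memberUid) are an
# assumption based on RFC 2307-style LDAP schemas; the page does not name them.
USERS = [
    {"uid": "alice", "gidNumber": 1001},  # primary group: Staff
    {"uid": "bob", "gidNumber": 1001},    # primary group: Staff
    {"uid": "carol", "gidNumber": 20},    # primary group: Users
    {"uid": "dave", "gidNumber": 20},     # primary group: Users
]
GROUPS = [
    {"cn": "Users", "gidNumber": 20, "memberUid": []},
    {"cn": "Staff", "gidNumber": 1001, "memberUid": ["carol"]},
    {"cn": "StaffStandard", "gidNumber": 1002, "memberUid": ["carol"]},
]


def find_group(groups, name):
    """Return the group record with the given name, or raise KeyError."""
    for group in groups:
        if group["cn"] == name:
            return group
    raise KeyError(f"no such group: {name}")


def listed_members(groups, name):
    """Membership as read from the group's own member list (a single lookup)."""
    return set(find_group(groups, name)["memberUid"])


def primary_only_members(users, groups, name):
    """Users in the group only because it is their primary group.

    This is the expensive path the page describes: every user record has to be
    examined, because the group object does not list these users.
    """
    group = find_group(groups, name)
    via_primary = {u["uid"] for u in users if u["gidNumber"] == group["gidNumber"]}
    return via_primary - set(group["memberUid"])


def mirror_group_additions(users, groups, source, mirror):
    """Users that must be added to the mirror group so it matches the source."""
    effective = listed_members(groups, source) | primary_only_members(users, groups, source)
    return sorted(effective - listed_members(groups, mirror))


if __name__ == "__main__":
    print("Listed in Staff:", sorted(listed_members(GROUPS, "Staff")))
    print("Missing from member list:", sorted(primary_only_members(USERS, GROUPS, "Staff")))
    print("Add to StaffStandard:", mirror_group_additions(USERS, GROUPS, "Staff", "StaffStandard"))
```

Re-run the comparison whenever primary group assignments change, since the mirror group does not update itself and any policy keyed on it will otherwise miss newly assigned users.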