”Help! I’m a systems administrator looking to set up PaperCut services to run as a Windows service account or domain user. How can I set this up, and what does PaperCut recommend in regards to what permissions the account will need?”
When and why would PaperCut need to run as a domain user account?
When PaperCut is first installed on a Windows server, several services are created such as the Application Server Service and the Print Provider Service. By default these run as the Local SYSTEM account, and this gives these services all the permissions they need on the server to function for most environments.
Most PaperCut environments are better off leaving these services as-is, but in the world of Windows the Local SYSTEM account lacks permissions to access any network resources, and this means there are some cases when PaperCut services need to be configured to run as a domain user account or Service Account instead.
Below we’ve listed specific situations where a domain user or service account is needed:
- If PaperCut is configured to access a file share hosted on another server, such as when…
- Print Archiving is enabled and the Central Archive is in a custom location.
- Integrated Scanning is configured with a Scan to Folder action.
- When PaperCut is configured to sync from a separate Active Directory domain than the one the server is joined to.
- When the Web Print Service (Default mode) is enabled, but the print queues are hosted on a different server than the PaperCut server.
- When Find-Me Printing is configured but the source and destination queue are on two different print servers (called “Cross-Server Redirection”).
- When PaperCut is configured to deliver Winpopup notifications, such as a balance notification to Windows clients running on your network. (Winpopup has been deprecated by Microsoft, so you are not likely to see this.)
What permissions does this account need?
Below are the permissions needed for a PaperCut Service account:
- Local administrator rights on any server where any PaperCut services run to ensure that these services (the PaperCut Application Server, Print Provider, Web Print, Mobility Print, and others…) start successfully and run as intended.
- Permissions to send print jobs to queues on other print servers only if Find-Me Printing is set up in an environment with print queues hosted on multiple servers. Configuring the Print Provider service to run as a standard domain user account will normally achieve this. To test, log into the server with this account and attempt to send a print job to the destination print queue on another server.
- Read, write, and modify permissions to file shares hosted on any other servers only for Print Archiving with a Central Archive or for Integrated Scanning with a Scan-to-Folder action.
- Read access for all AD attributes for all users across all security groups that require PaperCut membership only if PaperCut has been configured to synchronize users from a different Active Directory Domain than the one the server is joined to. This is further described in our article Multiple domain security configuration. (Normally this is satisfied if the server is joined to the domain and PaperCut is running as Local SYSTEM.)
How to set up PaperCut to run as a different account
Be careful when configuring PaperCut to run as a domain user or service account. If not done properly, PaperCut services may fail to start which will be a big problem for your users, so you will want to make this change after hours and test thoroughly.
- In Active Directory Users and Groups create a domain user account or service account for PaperCut.
- Assign the necessary permissions including local admin rights to any servers running PaperCut, as well as read, write, and modify permissions to any network resources PaperCut may be configured to access (like file shares). As the system administrator for your domain we assume you know what you are doing here.
- On the server running PaperCut, open Services by pressing Windows key + R, then type services.msc and press the enter key.
- Right click on the PaperCut Application Server service and choose Properties.
- On the Log On tab, under Log on as, and select This account. Then enter the credentials for the newly created account.
- Click OK.
- Right click on the service and choose Restart, then wait a moment to ensure that it starts properly.
- In addition to PaperCut Application Server service you will need to repeat these steps for the PaperCut Print Provider service PaperCut services such as the PaperCut Web Print Server, PaperCut Mobility Print, PaperCut Job Ticketing and possibly others depending on which PaperCut features your organization is utilizing.
Watch out! If this account running PaperCut services lacks local admin rights on the server it is running on, then the PaperCut services might not start or may not work as expected. Configuring this account to have adequate rights is the key to get your PaperCut services working as expected.
We also regularly see support tickets where PaperCut stops tracking jobs or working altogether because the customer configured PaperCut to run as a service account but the password expired and was not reset in time. If you must configure PaperCut to use a service account, please either set up the account so that the password never expires or create a reminder for your future-self to update this password regularly