{"id":4603,"date":"2025-10-03T20:03:00","date_gmt":"2025-10-04T00:03:00","guid":{"rendered":"https:\/\/adsecurity.org\/?p=4603"},"modified":"2025-10-07T11:31:02","modified_gmt":"2025-10-07T15:31:02","slug":"active-directory-security-tip-11-print-service-on-domain-controllers","status":"publish","type":"post","link":"https:\/\/adsecurity.org\/?p=4603","title":{"rendered":"Active Directory Security Tip #11: Print Service on Domain Controllers"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">The Print Spooler service is installed by default on Windows Servers and is set to run at startup. Running the Print Spooler service on Domain Controllers enables a number of attacks (e.g., the Printer Bug: <a href=\"https:\/\/adsecurity.org\/?p=4056\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/adsecurity.org\/?p=4056<\/a>).<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"428\" height=\"67\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/09\/GvmeJRSXoAA2ndO.png\" alt=\"\" class=\"wp-image-4604\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/09\/GvmeJRSXoAA2ndO.png 428w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/09\/GvmeJRSXoAA2ndO-300x47.png 300w\" sizes=\"auto, (max-width: 428px) 100vw, 428px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><br>At this point it&#8217;s best to configure a GPO to disable the Print Spooler service on Domain Controllers (the 2nd &amp; 3rd screenshots show the GPO settings). Nothing should be affected by this change: no one should be using their Domain Controller as a print server, and the only thing this service does by default is manage automatic Printer object pruning, but there needs to be a GPO to configure this. 
We have only seen this a total of 2 times over 8 years of performing Active Directory Security Assessments (ADSAs).<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"680\" height=\"245\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/09\/GvmeJP_W4AEN5ef.png\" alt=\"\" class=\"wp-image-4605\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/09\/GvmeJP_W4AEN5ef.png 680w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/09\/GvmeJP_W4AEN5ef-300x108.png 300w\" sizes=\"auto, (max-width: 680px) 100vw, 680px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"663\" height=\"236\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/09\/GvmeJP7XAAApYxL.png\" alt=\"\" class=\"wp-image-4652\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/09\/GvmeJP7XAAApYxL.png 663w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/09\/GvmeJP7XAAApYxL-300x107.png 300w\" sizes=\"auto, (max-width: 663px) 100vw, 663px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><br><strong>PowerShell code to check if the Print Spooler service is running on the Domain Controllers in the current domain (requires DC admin rights, so domain Administrator or equivalent):<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Requires the ActiveDirectory module (RSAT).\n# Get-Service -ComputerName is only available in Windows PowerShell 5.1 and earlier.\nImport-Module ActiveDirectory\n\n# Discover a Domain Controller in the domain of the logged-on user.\n$Domain = $env:USERDNSDOMAIN\n$DomainDC = (Get-ADDomainController -Discover -DomainName $Domain).Name\n\n# Enumerate every Domain Controller in the domain, sorted by host name.\n$DomainDCs = Get-ADDomainController -Filter * -Server $DomainDC | Sort-Object HostName\nForEach ($DomainDCItem in $DomainDCs)\n {\n     # Query the Print Spooler service state remotely on this Domain Controller.\n     $ServiceStatusArray = Get-Service -Name 'spooler' -ComputerName $DomainDCItem.HostName\n     switch ($ServiceStatusArray.Status)\n      {\n         \"Running\" { Write-Host \"$($DomainDCItem.HostName): Print Spooler Service is RUNNING\" -ForegroundColor Red }\n         \"Stopped\" { Write-Host \"$($DomainDCItem.HostName): Print Spooler Service is stopped\" -ForegroundColor Green }\n         # Any other state, or no result because the query failed.\n         default { Write-Host \"$($DomainDCItem.HostName): Test failed\" -ForegroundColor Yellow }\n      }\n }<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>The Print Spooler service is a default service on Windows Servers and is set to run at startup. There are a number of attacks that are enabled by having the Print Spooler service running on Domain Controllers (ex.: Printer Bug: https:\/\/adsecurity.org\/?p=4056) At this point it&#8217;s best to configure a GPO to disable the Print Spooler &hellip; <\/p>\n<p><a class=\"more-link btn\" href=\"https:\/\/adsecurity.org\/?p=4603\">Continue reading<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[565,7,2],"tags":[1469,1481,1483,1482],"class_list":["post-4603","post","type-post","status-publish","format-standard","hentry","category-activedirectorysecurity","category-powershell","category-technical-reference","tag-activedirectorysecuritytip","tag-domaincontrollerprintspoolerservice","tag-printerbug","tag-printspooler","item-wrap"],"_links":{"self":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/4603","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4603"}],"version-history":[{"count":6,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/4603\/revisions"}],"predecessor-version":[{"id":4780,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/4603\/revisions\/4780"}],"wp:attachment":[{"href":"
https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4603"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4603"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4603"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}