I am trying to set up printers for users, and the print server is in a forest with a trust relationship. Users are all on Windows 7, and the print server is Server 2008 R2 Standard.
DomainA contains the print server
DomainB contains the users
When users or admins in DomainB attempt to add printers from the DomainA print server, they get a generic error that says "Windows cannot connect to the printer. Access is denied"
I have added DomainB users to the DomainA printer security w/ print rights, still getting the same error. I've even tried creating a Domain Local group in DomainA, and added users from DomainB, and it still fails whether I'm using a standard user or a domain admin in DomainB.
When adding the printer via IP, it works, but that's not running through the print server and isn't an acceptable solution in our environment.
What do I need to do to get this cross-forest printing working?
ADDITIONAL INFO FROM TESTING:
DomainB user is able to browse file shares on the DomainA print server, but adding printers flags the error.
DomainB user was able to add certain HP/Brother printers, but Ricoh and Canon printers fail. All the printers they were able to add were printers who's drivers are included by default in Win7. This seems to only occurs when the print driver needs to be downloaded from the print server. Possible share missing or with wrong permissions?
Best Answer
It sounds like the Forest Trust is using Selective Authentication. If so, you need to grant DomainB users the "Allowed to Authenticate" permission on the print server computer object in ADUC in DomainA.