Wednesday, April 19, 2006

Auditing Printer Additions/Deletions, Driver and Port Changes

The Print Server MP covers most aspects of printer queue health and error states (the Print Server State script gets all the way down to low paper, open drawers and so on), but we wanted a way to track certain other changes to the print server that may adversely affect functionality: a small measure of configuration management, and some forensic data for when printers suddenly stop working because of a fundamental change in configuration.

Specifically, the following items were of interest:

1. Queue create/delete
2. Driver change
3. Print Port change (to a new port)

The easy road is to check for the events generated when each action is performed. The Event Source, Event ID and Description of the events below can be used as criteria in Event Rules that raise Warning-severity alerts, giving an easily visible trail of changes that the default rules do not capture. I ran through a quick exercise in the lab, and here are the events we can use to flag these print server changes.
NOTE: On the downside, the creation and driver events (36 and 20) record the user as NT AUTHORITY\SYSTEM; only the deletion and settings events (3 and 9) name the account that made the change. So much for catching our perpetrator in every case :( To attribute the SYSTEM-owned changes you would need the Security log instead, with Audit object access enabled and auditing configured on the printer objects.
Here are the events. Use the Event Source, Event ID and Description fields as the criteria for your Event Rule.

1. Successful Printer Creation

Event Type: Information
Event Source: Print
Event Category: None
Event ID: 36
Date: 4/19/2006
Time: 8:09:06 PM
User: NT AUTHORITY\SYSTEM
Computer: MOM
Description:
PrintQueue CN=MOM-Generic / Text Only was successfully created in container LDAP://test-ad3.seminole.com/CN=MOM,CN=Computers,DC=seminole,DC=com .

1b. Printer Deletion

Event Type: Warning
Event Source: Print
Event Category: None
Event ID: 3
Date: 4/19/2006
Time: 8:53:22 PM
User: SEMINOLE\Administrator
Computer: MOM
Description:
Printer Generic / Text Only was deleted.


2. Print Driver Change (also generated on adds; in fact a port change generates most of the same events as an add)

Event Type: Warning
Event Source: Print
Event Category: None
Event ID: 20
Date: 4/19/2006
Time: 8:08:55 PM
User: NT AUTHORITY\SYSTEM
Computer: MOM
Description:
Printer Driver Generic / Text Only for Windows NT x86 Version-3 was added or updated . Files:- UNIDRV.DLL, UNIDRVUI.DLL, TTY.GPD, UNIDRV.HLP, TTYRES.DLL, TTY.INI, TTY.DLL, TTYUI.DLL, TTYUI.HLP, UNIRES.DLL , STDNAMES.GPD.

3. Port Change (also generated on adds; note that event 9, "Printer X was set.", fires on any change to the printer's properties, not only the port, so it is noisier than the others and the description does not say which property changed)

Event Type: Information
Event Source: Print
Event Category: None
Event ID: 9
Date: 4/19/2006
Time: 8:16:00 PM
User: SEMINOLE\Administrator
Computer: MOM
Description:
Printer Generic / Text Only was set.
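To show how the criteria above turn into detection logic, here is an added example (my own illustration, not code from the post or from the Print Server MP). It runs a rule table keyed on (Source, Event ID) over the four events shown above, copied as constructed dictionaries, plus one constructed noise event (a hypothetical ID 10 print-job record) that the rules must ignore. The Description is only used to pull out the printer or driver name and, for event 20, the file list; the match itself is on Source and ID. It also flags which alerts are attributable, since two of the four events only name SYSTEM. The change labels and the Alert fields are my own naming.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Sample records: the four System-log events from the post (Source "Print",
# IDs 36 / 3 / 20 / 9) plus one constructed noise event (ID 10) that the
# rules should ignore. Host and domain names are the post's lab values.
SAMPLE_EVENTS = [
    {"Source": "Print", "EventID": 36, "User": r"NT AUTHORITY\SYSTEM",
     "Description": "PrintQueue CN=MOM-Generic / Text Only was successfully created "
                    "in container LDAP://test-ad3.seminole.com/CN=MOM,CN=Computers,DC=seminole,DC=com ."},
    {"Source": "Print", "EventID": 20, "User": r"NT AUTHORITY\SYSTEM",
     "Description": "Printer Driver Generic / Text Only for Windows NT x86 Version-3 was added or updated . "
                    "Files:- UNIDRV.DLL, UNIDRVUI.DLL, TTY.GPD, UNIDRV.HLP, TTYRES.DLL, TTY.INI, "
                    "TTY.DLL, TTYUI.DLL, TTYUI.HLP, UNIRES.DLL , STDNAMES.GPD."},
    {"Source": "Print", "EventID": 9, "User": r"SEMINOLE\Administrator",
     "Description": "Printer Generic / Text Only was set."},
    {"Source": "Print", "EventID": 3, "User": r"SEMINOLE\Administrator",
     "Description": "Printer Generic / Text Only was deleted."},
    # Constructed noise: a routine print-job event, not a configuration change.
    {"Source": "Print", "EventID": 10, "User": r"SEMINOLE\jdoe",
     "Description": "Document 12, test.txt owned by jdoe was printed on Generic / Text Only."},
]

# Rule table: (Source, Event ID) selects the change type; the regex only pulls
# the object name out of the Description, it is not needed to match the event.
RULES = {
    ("Print", 36): ("queue created", re.compile(r"^PrintQueue CN=(?P<obj>.+?) was successfully created")),
    ("Print", 3): ("queue deleted", re.compile(r"^Printer (?P<obj>.+?) was deleted\.$")),
    ("Print", 20): ("driver added or updated", re.compile(r"^Printer Driver (?P<obj>.+?) was added or updated")),
    # ID 9 ("Printer X was set.") fires on any property change, port included;
    # the description does not say which property changed.
    ("Print", 9): ("printer settings changed", re.compile(r"^Printer (?P<obj>.+?) was set\.$")),
}

SYSTEM_ACCOUNT = r"NT AUTHORITY\SYSTEM"


@dataclass
class Alert:
    severity: str
    change: str
    obj: str
    user: str
    attributable: bool          # False when the event only names SYSTEM
    files: list = field(default_factory=list)


def classify(event: dict) -> Optional[Alert]:
    """Return a Warning alert for a configuration-change event, else None."""
    rule = RULES.get((event["Source"], event["EventID"]))
    if rule is None:
        return None
    change, pattern = rule
    desc = event["Description"]
    m = pattern.search(desc)
    obj = m.group("obj") if m else desc  # fall back to the raw text if the format drifts
    files = []
    if event["EventID"] == 20 and "Files:-" in desc:
        # "Files:- A.DLL, B.DLL, ... Z.GPD." -> list of file names
        files = [f.strip() for f in desc.split("Files:-", 1)[1].rstrip(" .").split(",")]
    user = event["User"]
    return Alert("Warning", change, obj, user, user.upper() != SYSTEM_ACCOUNT, files)


def scan(events: list) -> list:
    """Run the rule table over a batch of events and keep only the alerts."""
    return [a for a in (classify(e) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        who = alert.user if alert.attributable else f"{alert.user} (not attributable)"
        print(f"{alert.severity}: {alert.change}: {alert.obj!r} by {who}")
```

Running it yields four alerts and drops the print-job record. The file list on the driver event is worth keeping in the alert text: when a queue breaks after a driver update, the set of files that were replaced is exactly the forensic detail you want on hand.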

Comments on "Auditing Printer Additions/Deletions, Driver and Port Changes"

marcus said ... (6:33 AM) : 

good stuff, pete. keep up the great work. i'm curious on the events - they all seem to be from source Print and have different event ids. in that case, is it necessary to use description filters?
