Spool File Security

To implement spool file security, change the default spool directory to an NTFS partition and directory where write permission is limited on a user-by-user basis.

When a print job prints locally, the local print provider spools the job to disk during processing. By default, the Everyone group has Change permission in the default spool directory. This gives every user's print jobs write access to the default spool directory.

A print job that cannot be spooled to disk during processing does not print. If the spool directory location is changed, all users who need to print must have Change permission for the new spool directory.

As described in the section "Local Print Provider," the spool file (SPL_) and the shadow file (SHD) are written to the default spooler directory: %Winnt\System32\Spool\Printers

For instructions on changing the default spool file directory, see "Local Print Provider" earlier in this chapter.

To override the default location for one specific printer

1. Start the Registry Editor (Regedt32.exe).

2. Find the following key:


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers

3. Find the key for the printer:


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\<Printername>

4. Add a new SpoolDirectory setting, and as its value provide the path to the spool directory that this printer should use.

Note

You must create a directory for the new spool file location. If you attempt to spool directly to the root (C:\ or D:\, for example) the spool file will revert to the default spool directory.

The change in the Registry takes effect after you stop and restart the Spooler service.
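
The whole procedure, including the directory creation and the restricted permissions, can be scripted. The following is an added example, not part of the original chapter: it assumes a system where PowerShell is available and an elevated session, the printer name, path and group are constructed sample values, and it treats the NTFS Modify right as the equivalent of the Change permission named above.

```powershell
# Added example: hypothetical printer name, path and group; adjust before use.
param(
    [string]$PrinterName = 'ExamplePrinter',          # constructed sample value
    [string]$SpoolPath   = 'D:\Spool\ExamplePrinter', # must be on an NTFS volume
    [string]$PrintGroup  = 'EXAMPLE\PrintUsers'       # constructed sample group
)
$ErrorActionPreference = 'Stop'

# Spooling to a volume root reverts to the default directory, so refuse it.
$full = [System.IO.Path]::GetFullPath($SpoolPath)
if ($full -eq [System.IO.Path]::GetPathRoot($full)) {
    throw "Spool directory must be a subdirectory, not the root '$full'."
}

# The printer's key is looked up under the Print\Printers key from step 2.
$key = "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Printers\$PrinterName"
if (-not (Test-Path -LiteralPath $key)) { throw "No registry key for printer '$PrinterName'." }

# The directory has to exist before the spooler is pointed at it.
New-Item -ItemType Directory -Path $full -Force | Out-Null

# Build an ACL with no inherited entries: full control for SYSTEM and
# Administrators, Modify (assumed equivalent of "Change") for the print group only.
$acl = New-Object System.Security.AccessControl.DirectorySecurity
$acl.SetAccessRuleProtection($true, $false)
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
foreach ($entry in @(
        @('NT AUTHORITY\SYSTEM',    'FullControl'),
        @('BUILTIN\Administrators', 'FullControl'),
        @($PrintGroup,              'Modify'))) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $entry[0], $entry[1], $inherit, $none, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $full -AclObject $acl

# Step 4: add the SpoolDirectory value, then restart the Spooler to apply it.
New-ItemProperty -Path $key -Name 'SpoolDirectory' -Value $full -PropertyType String -Force | Out-Null
Restart-Service -Name Spooler -Force

# Report the resulting value and ACL so the change can be reviewed.
(Get-ItemProperty -Path $key).SpoolDirectory
(Get-Acl -LiteralPath $full).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType
```

Any user outside the print group can no longer spool to this printer, so confirm the group's membership before restarting the Spooler service.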