Print Spooler is a service that takes care of print management. This includes, but is not limited to, managing printer drivers, scheduling print jobs, etc.

Print Spooler had a critical vulnerability in the past referred to as PrintNightmare (CVE-2021-34527). This vulnerability allowed attackers to execute code with administrator privileges.

The Print Spooler vulnerability was patched promptly, so if you have updated systems, the immediate risk associated with PrintNightmare is no longer present. And for normal systems, it is usually not feasible to disable Print Spooler. It would make printing impossible, which is usually not desirable.

But domain controllers are a critical part of Active Directory and need to be as secure as possible, which means blocking everything that is not needed. And you certainly should not need to print on domain controllers, so it’s a good idea to disable Print Spooler on domain controllers.

Disabling Print Spooler on Domain Controllers

Print Spooler is a service, so we need to disable the service. We can do this locally, but let’s use the example of centrally disabling Print Spooler using Group Policy. Let’s create a new Group Policy Object (GPO) and open the Group Policy editor.

Go to Computer Configuration – Policies – Windows Settings – Security Settings – System Services. Select Print Spooler from the list of services. Select Define this policy setting and select Disabled. This has disabled the service.

We will now disable Print Spooler from receiving incoming requests. Go to Computer Configuration – Policies – Administrative Templates – Printers. Open Allow Print Spooler to accept client connections and set the policy to Disabled.

You can now link the newly created Group Policy Object to the Domain Controllers OU.