As a network administrator, you move a shared printer object from your company's Marketing organizational unit (OU) to the Research OU in Active Directory. After the move, you test the printer and discover that the local administrator associated with the Marketing OU still has permissions to manage the printer and can remove print jobs. What should you do to remove this access while keeping the printer available?

Introduction / Context:
When you publish printers in Active Directory and delegate permissions, security descriptors follow the printer object even if it is moved between organizational units. Moving a printer from one OU to another does not automatically strip previously granted permissions. This question tests your understanding of how printer security works and how to correctly remove unwanted access while keeping the printer usable for authorized users.

Given Data / Assumptions:

• The environment uses Active Directory with separate Marketing and Research OUs.
• A shared printer was moved from the Marketing OU to the Research OU.
• A local administrator from Marketing still has permission to manage print jobs on that printer.
• You want to revoke that administrator's access without deleting or recreating the printer.

Concept / Approach:
Printer permissions are defined in the printer's discretionary access control list (DACL). Moving the object between OUs does not change the DACL; it only changes the printer's location in the directory. To change who can manage print jobs, you must directly edit the printer's security settings. Removing or modifying ACEs (access control entries) for specific users or groups is the correct way to fine tune permissions. Deleting the printer or removing Everyone is unnecessary and can cause additional problems.

Step-by-Step Solution:
1. Recognize that the Marketing administrator still has access because their permissions are stored on the printer object itself, not on the OU. 2. Open the printer's properties and navigate to the Security tab to view the list of users and groups with permissions. 3. Locate the entry that grants the local Marketing administrator permission to manage documents or administer the printer. 4. Remove that specific ACE or change the permissions so that the Marketing administrator no longer has rights to manage print jobs. 5. Verify that Research users still have the appropriate permissions and that the printer continues to function normally.

Verification / Alternative check:
After modifying the printer's security, you can log on as the Marketing administrator and attempt to manage the printer. If the permissions have been removed correctly, the administrator should no longer be able to delete or manipulate print jobs, while authorized users from Research maintain their access. This confirms that adjusting the DACL on the printer object is the correct solution.

Why Other Options Are Wrong:
Option b is too broad and imprecise; simply removing permissions from a local administrators group in an OU does not directly change the printer's DACL and may not even be technically meaningful. Option c, removing the Everyone group, does not specifically address the Marketing administrator's rights and may unnecessarily restrict printing for normal users. Option d (deleting and recreating the printer) is disruptive and unnecessary; it also risks misconfigurations and downtime, whereas a simple permission change solves the problem cleanly.

Common Pitfalls:
Administrators sometimes assume that moving an object between OUs automatically resets its security, which is not true for most resource objects. Another pitfall is making drastic changes such as deleting a printer when a simple DACL edit would suffice. Understanding that permissions live with the object helps you choose the least disruptive fix.

Final Answer:
You should open the printer's security settings and explicitly remove the local Marketing administrator's permissions from the printer object.