Skip to main content
KBY Technologies Logo
cd ../config-traps
risk/register/domain-controller-print-spooler-printnightmares-way-in.html
Active Directory Domain Controller Hardeningcritical severityActive Directory

Domain Controller Print Spooler: PrintNightmare's Way In

Severity
critical
Reviewed
18 Jul 2026
Remediation
~20 minutes
Overview

On Windows Server Domain Controllers, the Print Spooler service stays active by default, leaving MS-RPRN and MS-PAR RPC interfaces reachable by any authenticated domain account. A single RpcAddPrinterDriverEx call can load an arbitrary SYSTEM-context DLL, and because SYSTEM on a DC owns NTDS.dit and krbtgt material, network segmentation and endpoint tooling rarely intercept the exploit before it reaches the domain's trust anchor.

At a glance

Unsafe setting
Print Spooler service left at default Automatic startup on Domain Controllers.
Failure trigger
An authenticated domain user calls RpcAddPrinterDriverEx against the DC's exposed spooler RPC interface.
Blast radius
SYSTEM-level code execution on a Domain Controller grants DCSync rights over every krbtgt and machine account hash in the forest.
Recommended control
Disable and GPO-enforce the Print Spooler service on all Domain Controllers and remove the Print Server role where unused.

The Trap

The Print Spooler service (spoolsv.exe) running by default on Windows Server Domain Controllers, leaving the RpcAddPrinterDriverEx and RpcAsyncAddPrinterDriver interfaces exposed to any authenticated domain user via MS-RPRN and MS-PAR RPC calls.

The Default State

Windows Server ships with the Print Spooler service set to Automatic startup on every server role, including Domain Controllers promoted from a base image. The Print and Document Services role is often installed opportunistically to serve one departmental printer, and nobody revisits the DC afterwards. Group Policy baselines shipped in most AD estates never touch the Spooler service state, so the vendor default — enabled, listening on \pipe\spoolss — persists indefinitely across every DC in the forest, including read-only domain controllers.

The Blast Radius

CVE-2021-34527 (PrintNightmare) and its variants let any authenticated user, including a low-privilege domain account with no local admin rights, call RpcAddPrinterDriverEx against a DC’s spooler and load an arbitrary DLL as SYSTEM. Because a DC’s SYSTEM context holds the NTDS database and Kerberos ticket-granting keys, one RPC call converts a standard user session into full Domain Admin equivalence in a single hop. The exploit needs no interactive logon, no SMB relay, and no prior lateral movement — a crafted request against the RPC endpoint mapper is sufficient. Once one DC is compromised, DCSync rights inherited by SYSTEM allow extraction of every krbtgt and machine account hash, collapsing the trust boundary for the entire forest, not just the affected server.

The Lead Mechanic Fix

Disable and stop the Print Spooler service on every Domain Controller, enforced through Group Policy rather than manual intervention: set Computer Configuration > Policies > Windows Settings > Security Settings > System Services > Print Spooler to “Disabled”, linked to an OU containing only DC accounts. Confirm with Get-Service -Name Spooler -ComputerName $DC | Select Status,StartType across the full DC list, and remove the role entirely with Uninstall-WindowsFeature Print-Server where no DC legitimately hosts print queues. Where print services must remain on a member server, isolate it outside Tier 0 and apply the RpcAuthnLevelPrivacyEnabled=1 registry mitigation as a compensating control, never as a substitute for disabling the service on Domain Controllers.

03

Apply the safer control

Before you change production

Confirm the affected scope, export the current configuration, and test the replacement control in a non-production environment first.

Fix commands and configuration

Get-Service -Name Spooler -ComputerName $DC | Select Status,StartType
Uninstall-WindowsFeature Print-Server
04

Verify, roll back or escalate

Verify

Re-run the detection test and a controlled negative-path test. Confirm the unsafe behaviour is blocked while approved traffic still succeeds.

Rollback

Restore the exported configuration if the new control blocks required production traffic, then narrow the policy before redeployment.

Escalate

Escalate when the blast radius is uncertain, the control cannot be tested safely, or remediation requires an outage or security exception.

After remediation

Further reading stays below the corrective workflow and is selected by platform, category and shared technical keywords.

Domain Controller Print Spooler: PrintNightmare's Way In | Config Traps