Domain Controller Print Spooler: PrintNightmare's Way In
On Windows Server Domain Controllers, the Print Spooler service stays active by default, leaving MS-RPRN and MS-PAR RPC interfaces reachable by any authenticated domain account. A single RpcAddPrinterDriverEx call can load an arbitrary SYSTEM-context DLL, and because SYSTEM on a DC owns NTDS.dit and krbtgt material, network segmentation and endpoint tooling rarely intercept the exploit before it reaches the domain's trust anchor.
At a glance
- Unsafe setting
- Print Spooler service left at default Automatic startup on Domain Controllers.
- Failure trigger
- An authenticated domain user calls RpcAddPrinterDriverEx against the DC's exposed spooler RPC interface.
- Blast radius
- SYSTEM-level code execution on a Domain Controller grants DCSync rights over every krbtgt and machine account hash in the forest.
- Recommended control
- Disable and GPO-enforce the Print Spooler service on all Domain Controllers and remove the Print Server role where unused.
The Trap
The Print Spooler service (spoolsv.exe) running by default on Windows Server Domain Controllers, leaving the RpcAddPrinterDriverEx and RpcAsyncAddPrinterDriver interfaces exposed to any authenticated domain user via MS-RPRN and MS-PAR RPC calls.
The Default State
Windows Server ships with the Print Spooler service set to Automatic startup on every server role, including Domain Controllers promoted from a base image. The Print and Document Services role is often installed opportunistically to serve one departmental printer, and nobody revisits the DC afterwards. Group Policy baselines shipped in most AD estates never touch the Spooler service state, so the vendor default — enabled, listening on \pipe\spoolss — persists indefinitely across every DC in the forest, including read-only domain controllers.
The Blast Radius
CVE-2021-34527 (PrintNightmare) and its variants let any authenticated user, including a low-privilege domain account with no local admin rights, call RpcAddPrinterDriverEx against a DC’s spooler and load an arbitrary DLL as SYSTEM. Because a DC’s SYSTEM context holds the NTDS database and Kerberos ticket-granting keys, one RPC call converts a standard user session into full Domain Admin equivalence in a single hop. The exploit needs no interactive logon, no SMB relay, and no prior lateral movement — a crafted request against the RPC endpoint mapper is sufficient. Once one DC is compromised, DCSync rights inherited by SYSTEM allow extraction of every krbtgt and machine account hash, collapsing the trust boundary for the entire forest, not just the affected server.
The Lead Mechanic Fix
Disable and stop the Print Spooler service on every Domain Controller, enforced through Group Policy rather than manual intervention: set Computer Configuration > Policies > Windows Settings > Security Settings > System Services > Print Spooler to “Disabled”, linked to an OU containing only DC accounts. Confirm with Get-Service -Name Spooler -ComputerName $DC | Select Status,StartType across the full DC list, and remove the role entirely with Uninstall-WindowsFeature Print-Server where no DC legitimately hosts print queues. Where print services must remain on a member server, isolate it outside Tier 0 and apply the RpcAuthnLevelPrivacyEnabled=1 registry mitigation as a compensating control, never as a substitute for disabling the service on Domain Controllers.
Apply the safer control
Before you change production
Confirm the affected scope, export the current configuration, and test the replacement control in a non-production environment first.
Fix commands and configuration
Get-Service -Name Spooler -ComputerName $DC | Select Status,StartTypeUninstall-WindowsFeature Print-ServerVerify, roll back or escalate
Verify
Re-run the detection test and a controlled negative-path test. Confirm the unsafe behaviour is blocked while approved traffic still succeeds.
Rollback
Restore the exported configuration if the new control blocks required production traffic, then narrow the policy before redeployment.
Escalate
Escalate when the blast radius is uncertain, the control cannot be tested safely, or remediation requires an outage or security exception.