Although native Macintosh networking imposes security on files, it does not impose security on print devices: if a Macintosh client is physically able to send a job to a print device or print server, then that client implicitly has permission to do so. Because of this, the AppleTalk protocol has no mechanism to let clients supply a user name or password. Because the clients cannot identify themselves to the server, Windows NT cannot impose user-level security on Macintosh clients.
You can, however, enforce one set of printer permissions on all Macintosh users as a group. The MacPrint service must always log on, using a user account, to do its work. By default, it logs on as the System account. This account has Print permission on all local print devices, so by default any Macintosh client can send a job to any of the Windows NT computer's local printers. If you want Macintosh clients to have a different set of permissions, create a new user account and give this user account the printer permissions you want Macintosh users to have. Then set the MacPrint service to log on using this account. To do this, use the Services icon in Control Panel. Select Print Services for Macintosh from the list and choose the Startup button. Then choose the This Account button and type the name of the user account you created in the box.
Note that the System account on one computer does not have permission to access other computers' resources. This means that if MacPrint logs on as System, Macintosh users cannot send jobs to printers which forward jobs to other print servers. The solution is to configure MacPrint to log on as another user, one who has permission to print on all the print servers that jobs are forwarded to.