Solved

subinacl command - modify the everyone group on W2k3 print cluster

Posted on 2009-05-19
Last Modified: 2012-05-07
To be able to change the everyone group on all printers in the cluster to have only the ability to "manage" print documents...

Anyone have a script... or any advice...
Question by:mjm21
 
LVL 22

Assisted Solution

by:65td
65td earned 40 total points
ID: 24431615
Depending on the scripting used, one needs to collect the printer share information.

Then I run a bat file that uses the following:

 for /F "tokens=1*" %%a in (prt.txt) do call setprtacl.cmd %%a

Which calls a .cmd file:

REM *** print-server-name area

date /t >>C:\log\log-file.log
echo. >>C:\log\log-file.log
time /t >>C:\log\log-file.log
echo. >>C:\log\log-file.log

REM *** Set owner printer to domain\prt-svr-ctrl group

 subinacl /printer \\print-server-name\%1 /setowner="domain\prt-svr-ctrl">>C:\log\log-file.log
 
 REM *** Add print control group

 subinacl /printer \\print-server-name\%1 /Grant="domain\prt-svr-ctrl"=F >>C:\log\log-file.log

REM *** Revoke section -  ***

 subinacl /printer \\print-server-name\%1 /Revoke="Administrators" >>C:\log\log-file.log

 subinacl /printer \\print-server-name\%1 /Revoke="Power Users" >>C:\log\log-file.log

 subinacl /printer \\print-server-name\%1 /Revoke="Everyone" >>C:\log\log-file.log

REM  *** Add and Modify permissions section

REM *** Modify Administrators permissions from Full to print

 subinacl /printer \\print-server-name\%1 /Grant="Administrators"=P >>C:\log\log-file.log

REM *** Modify Power Users and Users permissions from Full to print

 subinacl /printer \\print-server-name\%1 /Grant="Power Users"=P >>C:\log\log-file.log
 
 subinacl /printer \\print-server-name\%1 /Grant="Users"=P >>C:\log\log-file.log

 subinacl /printer \\print-server-name\%1 /Grant="Print Operators"=F >>C:\log\log-file.log

REM *** Set permissions for PrintQueueOperators global group
 subinacl /printer \\print-server-name\%1 /Grant="PrintQueueOperators"=M >>C:\log\log-file.log

REM **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  

date /t >>C:\log\log-file.log
echo. >>C:\log\log-file.log
time /t >>C:\log\log-file.log
echo. >>C:\log\log-file.log
ren C:\log\log-file.log *.txt


For the everyone group one would do this:
subinacl /printer \\print-server-name\%1 /Grant="Everyone"=M >>C:\log\log-file.log

I do not like using the everyone group but that's me.
 

Author Comment

by:mjm21
ID: 24436924
Thanks, but please modify your batch file w/out all of the other stuff... I am not revoking anything... just adding the "modify documents" for the existing everyone's group...
 
LVL 22

Assisted Solution

by:65td
65td earned 40 total points
ID: 24440923
To modify the everyone group the way you want just run:

The batch with tokens line to call the batch with the .cmd with the line below only.

subinacl /printer \\print-server-name\%1 /Grant="Everyone"=M >>C:\log\log-file.log

 

Author Comment

by:mjm21
ID: 24442075
Ok will try
 

Accepted Solution

by:mjm21
mjm21 earned 0 total points
ID: 24486868
The Set ACL command actually worked very well and very fast.

c:\setacl.exe -on "\\printclustername\%print%" -ot prn -actn ace -ace "n:everyone;p:man_docs"
c:\setacl.exe -on "\\printclustername\%print%" -ot prn -actn ace -ace "n:everyone;p:print"
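
The two SetACL lines above rely on a `%print%` variable being set for each printer. As an added example that is not part of the original post, the wrapper below feeds them from the `prt.txt` list mentioned in the first answer and records each printer's ACL before the change. The log path, the one-name-per-line layout of `prt.txt`, and `subinacl` being on the PATH are assumptions.

```batch
@echo off
REM Added example, not from the thread.
REM Assumptions: prt.txt holds one printer share name per line, C:\log exists,
REM setacl.exe is in C:\ as in the accepted solution, subinacl is on the PATH.
REM \\printclustername is the placeholder server name used in the thread.
setlocal
set SERVER=\\printclustername
set LOG=C:\log\everyone-acl.log

echo ==== %date% %time% ====>>"%LOG%"

REM tokens=* keeps the whole line, so printer names containing spaces survive.
for /F "usebackq tokens=*" %%p in ("prt.txt") do call :apply "%%p"

endlocal
goto :eof

:apply
set print=%~1
echo --- %SERVER%\%print%>>"%LOG%"

REM Record the ACL as it stands before the change, so it can be reviewed later.
subinacl /printer "%SERVER%\%print%" /display >>"%LOG%" 2>&1

REM The two commands from the accepted solution, unchanged apart from the server variable.
c:\setacl.exe -on "%SERVER%\%print%" -ot prn -actn ace -ace "n:everyone;p:man_docs" >>"%LOG%" 2>&1
if errorlevel 1 (
    REM SetACL exits non-zero on failure; skip the second ACE for this printer.
    echo FAILED man_docs on %print%>>"%LOG%"
    goto :eof
)

c:\setacl.exe -on "%SERVER%\%print%" -ot prn -actn ace -ace "n:everyone;p:print" >>"%LOG%" 2>&1
if errorlevel 1 echo FAILED print on %print%>>"%LOG%"
goto :eof
```

Searching the log for `FAILED` afterwards shows which printers still need attention.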
 