  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 700

Script out how to Give local user full permissions to a printer

Situation:
AD domain
I have 1000's of points of sale running Windows 2003 under the context of a non-privileged "local" (non-AD) user account, let's call it USER1. Employees using these points of sale have a need to do printer administrative things like delete print jobs. They cannot do this with just their USER1 account.
The local user account is the same across all systems, USER1.
The local printer name is the same across all systems, LABEL.
They cannot be added to the Administrators or Power Users group. I have verified they can do the necessary things if I manually remote to the system and edit the permissions of the LABEL printer to add the USER1 with Full Control. Manually doing this across all systems is not an option. I cannot find a PowerShell or other way to do this.

I need a remote way to set the necessary permissions for the local user account to be able to manage this printer.

Ideas?
1
Asked: jasonaluke
2 Solutions
 
eerwalters Commented:
You can do this via RDP or various other methods but what needs to happen for User1 to manage the Local LABEL print queue is listed below.

1- Add the Local user User1 to the Local Print Operators group
2- Go into the Print Properties for the LABEL printer
      Then to the Security tab
3- Add the local Print Operators group to have Manage Documents permissions to the LABEL printer.
    (Since you mentioned both, just deleting documents and also full permissions, I opted for the lesser of the two evils in the example because users can initiate lots of trouble calls if they have manage printer permissions)

4- Have User1 log out and back into the server


 I used to have some VBscripts for setting printer permissions remotely.  I'll see if I can find them.

 While I am hunting for those, check out the link below which sounds like what you want to do via Powershell.
    http://www.vistax64.com/powershell/206996-set-security-printer-powershell.html
1
 
jasonaluke (Author) Commented:
RDP would be the manual way of doing this. I am not doing it manually for 1000's of systems. It must be scripted. I too have read that Russian guy's blog. I can't figure his stuff out yet.
0
 
jasonaluke (Author) Commented:
Ok after much cleanup of the PowerShell from the Russian guy's blog, I am getting somewhere, but am stuck on a PowerShell/WMI issue. This is the function I am trying to get to work.
function Get-Printer ($Computer = ".", $Name) {
    # If $Name is empty, return all local printers
    if ($Name) {
        $Printers = gwmi Win32_Printer -ComputerName $Computer -Filter "Name = '$Name'"
    }
    else {
        $Printers = gwmi Win32_Printer -ComputerName $Computer -Filter "Local = '$True'"
    }
    # Array that collects the ACEs of every printer
    $PrinterInfo = @()
    foreach ($Printer in $Printers) {
        if ($Printer) {
            # Get the printer's security descriptor and add each ACE of its DACL to $PrinterInfo
            $SD = $Printer.GetSecurityDescriptor()
            $PrinterInfo += $SD.Descriptor.DACL | % {
                $_ | Select @{e = {$Printer.SystemName}; n = 'Computer'},
                    @{e = {$Printer.Name}; n = 'Name'}, AccessMask, AceFlags, AceType,
                    @{e = {$_.Trustee.Name}; n = 'User'},
                    @{e = {$_.Trustee.Domain}; n = 'Domain'},
                    @{e = {$_.Trustee.SIDString}; n = 'SID'}
            }
        }
        else { Write-Warning "Specified printer not found!" }
    }
    # Return the ACL information so it can be passed down the pipeline
    $PrinterInfo
}
# Function that writes the ACL to a printer. It takes no arguments and only receives data from the pipeline

When I run this and point it at a Server 2008 R2 box, it works.
When I run this and point it at a Server 2003 R2 box, it fails with
Method invocation failed because [System.Management.ManagementObject] doesn't contain a method named 'GetSecurityDescriptor'.
At C:\Users\me\PrinterUtils.ps1:22 char:15
+               $SD = $Printer.GetSecurityDescriptor()
1
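
An added example, not part of the thread: it decodes the AccessMask/AceFlags rows that Get-Printer emits into the permission names shown on the Security tab (Print, Manage Documents, Manage Printers), so the rights actually held by USER1 can be audited. The helper name ConvertFrom-PrinterAce and the sample rows are constructed for illustration; the right values are the ones defined in winspool.h.

```powershell
# Added example (not from the thread). Right values are from winspool.h.
$INHERIT_ONLY_ACE = 0x08   # ACE is not applied to the printer, only inherited by print jobs

function ConvertFrom-PrinterAce {   # hypothetical helper name
    param([Parameter(ValueFromPipeline = $true)] $Ace)
    process {
        # Keep only the 16 object-specific bits; standard/generic bits are not needed here.
        $specific = [int]([long]$Ace.AccessMask % 0x10000)
        $onJobs   = ([int]$Ace.AceFlags -band $INHERIT_ONLY_ACE) -ne 0
        $rights   = @()
        if ($onJobs) {
            # Inherit-only ACEs land on documents, so the bits are job rights.
            if ($specific -band 0x10) { $rights += 'JOB_ACCESS_ADMINISTER' }
            if ($specific -band 0x20) { $rights += 'JOB_ACCESS_READ' }
        } else {
            if ($specific -band 0x04) { $rights += 'PRINTER_ACCESS_ADMINISTER' }
            if ($specific -band 0x08) { $rights += 'PRINTER_ACCESS_USE' }
        }
        # Map to the labels used on the printer's Security tab.
        if     ($rights -contains 'PRINTER_ACCESS_ADMINISTER') { $label = 'Manage Printers' }
        elseif ($rights -contains 'JOB_ACCESS_ADMINISTER')     { $label = 'Manage Documents' }
        elseif ($rights -contains 'PRINTER_ACCESS_USE')        { $label = 'Print' }
        else                                                   { $label = 'Special' }
        if ([int]$Ace.AceType -eq 1) { $type = 'Deny' } else { $type = 'Allow' }
        New-Object PSObject -Property @{
            User       = $Ace.User
            Type       = $type
            AppliesTo  = $(if ($onJobs) { 'Documents' } else { 'Printer' })
            Permission = $label
            Rights     = ($rights -join ',')
        } | Select-Object User, Type, AppliesTo, Permission, Rights
    }
}

# Constructed sample rows in the shape Get-Printer returns (not captured from a real system).
$sample = @(
    @{ User = 'Administrators'; AccessMask = 983052; AceFlags = 0; AceType = 0 },  # 0xF000C
    @{ User = 'Everyone';       AccessMask = 131080; AceFlags = 0; AceType = 0 },  # 0x20008
    @{ User = 'USER1';          AccessMask = 983088; AceFlags = 9; AceType = 0 },  # 0xF0030, inherit-only
    @{ User = 'USER1';          AccessMask = 131072; AceFlags = 2; AceType = 0 }   # 0x20000, READ_CONTROL only
)
$sample | ConvertFrom-PrinterAce | Format-Table -AutoSize
```

Any row that decodes to Manage Printers for a non-administrative account is the broader grant eerwalters advised against; Manage Documents shows up as an inherit-only ACE that applies to documents rather than to the printer itself.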
 
jasonaluke (Author) Commented:
Update: Found out why the above script fails in 2003 R2.
The updates to WMI were significant between 2003/XP and 2008/Win7.  The error is literal – it doesn’t exist.  I looked it up on MSDN and it says 2008 is the minimum.
http://msdn.microsoft.com/en-us/library/aa390778
http://msdn.microsoft.com/en-us/library/aa394363

So this method isn’t going to work if I want to support 2003 servers.  The internal changes between 2003 and 2008 are massive for WMI and PowerShell.  

So, back to square one I guess.
0
 
hdhondt Commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
