Solved

Script out how to Give local user full permissions to a printer

Posted on 2013-05-28
Last Modified: 2013-06-29
Situation:
AD domain
I have 1000's of points of sale running Windows 2003 under the context of a non-privileged "local" (non-AD) user account, let's call it USER1. Employees using these points of sale have a need to do printer administrative things like delete print jobs. They cannot do this with just their USER1 account.
The local user account is the same across all systems, USER1.
The local printer name is the same across all systems, LABEL.
They cannot be added to the Administrators or Power Users group. I have verified they can do the necessary things if I manually remote to the system and edit the permissions of the LABEL printer to add the USER1 with Full Control. Manually doing this across all systems is not an option. I cannot find a PowerShell or other way to do this.

I need a remote way to set the necessary permissions for the local user account to be able to manage this printer.

Ideas?
Question by:jasonaluke
 
LVL 7

Expert Comment

by:eerwalters
ID: 39203318
You can do this via RDP or various other methods but what needs to happen for User1 to manage the Local LABEL print queue is listed below.

1- Add the Local user User1 to the Local Print Operators group
2- Go into the Print Properties for the LABEL printer
      Then to the Security tab
3- Add the local Print Operators group to have Manage Documents permissions to the LABEL printer.
    (Since you mentioned both, just deleting documents and also full permissions, I opted for the lesser of the two evils in the example because users can initiate lots of trouble calls if they have manage printer permissions)

4- Have User1 log out and back into the server


 I used to have some VBscripts for setting printer permissions remotely.  I'll see if I can find them.

 While I am hunting for those, check out the link below which sounds like what you want to do via PowerShell.
    http://www.vistax64.com/powershell/206996-set-security-printer-powershell.html
0
 
LVL 2

Author Comment

by:jasonaluke
ID: 39204342
RDP would be the manual way of doing this. I am not doing it manually for 1000's of systems. It must be scripted. I too have read that Russian guy's blog. I can't figure his stuff out yet.
0
 
LVL 2

Accepted Solution

by:
jasonaluke earned 0 total points
ID: 39205514
Ok, after much cleanup of the PowerShell from the Russian guy's blog, I am getting somewhere, but am stuck on a PowerShell/WMI issue. This is the function I am trying to get to work.

function Get-Printer ($Computer = ".", $Name) {
    # If $Name is empty, return all local printers
    if ($Name) {
        $Printers = Get-WmiObject Win32_Printer -ComputerName $Computer -Filter "Name = '$Name'"
    }
    else {
        $Printers = Get-WmiObject Win32_Printer -ComputerName $Computer -Filter "Local = '$True'"
    }
    # Array that collects the ACEs of every printer
    $PrinterInfo = @()
    foreach ($Printer in $Printers) {
        if ($Printer) {
            # Read the printer's security descriptor and add each ACE of its DACL to $PrinterInfo
            $SD = $Printer.GetSecurityDescriptor()
            $PrinterInfo += $SD.Descriptor.DACL | % {
                $_ | Select @{e = {$Printer.SystemName}; n = 'Computer'},
                    @{e = {$Printer.Name}; n = 'Name'}, AccessMask, AceFlags, AceType,
                    @{e = {$_.Trustee.Name}; n = 'User'},
                    @{e = {$_.Trustee.Domain}; n = 'Domain'},
                    @{e = {$_.Trustee.SIDString}; n = 'SID'}
            }
        }
        else { Write-Warning "Specified printer not found!" }
    }
    # Return the ACL information so it can be passed down the pipeline
    $PrinterInfo
}
# Function that writes the ACL to the printer. It takes no arguments and only receives data from the pipeline

When I run this and point it at a Server 2008 R2 box, it works.
When I run this and point it at a Server 2003 R2 box, it fails with
Method invocation failed because [System.Management.ManagementObject] doesn't contain a method named 'GetSecurityDescriptor'.
At C:\Users\me\PrinterUtils.ps1:22 char:15
+               $SD = $Printer.GetSecurityDescriptor()
0
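Added example, not part of the thread or of the blog's script: a PowerShell check that decodes the AccessMask values returned by the Get-Printer function above into printer rights and flags allow ACEs that grant printer administration to accounts outside an allow-list, which is the Manage Documents versus manage printer distinction raised earlier. The helper names, the allow-list and the sample rows are assumptions constructed for illustration; the bit values are the winspool.h access-right constants.

```powershell
# Added example (not from the thread). Printer-specific access bits from winspool.h.
$PrinterRights = @{
    PRINTER_ACCESS_ADMINISTER = 0x00000004   # manage the printer itself
    PRINTER_ACCESS_USE        = 0x00000008   # print
    JOB_ACCESS_ADMINISTER     = 0x00000010   # manage documents (pause/delete jobs)
    JOB_ACCESS_READ           = 0x00000020
}

function ConvertFrom-PrinterAccessMask ([uint32]$AccessMask) {
    # Hypothetical helper: names of the printer-specific bits set in an ACE mask
    $PrinterRights.GetEnumerator() |
        Where-Object { $AccessMask -band $_.Value } |
        ForEach-Object { $_.Key } | Sort-Object
}

function Test-PrinterAce {
    # Hypothetical helper: takes one row shaped like Get-Printer's output
    param($Ace, [string[]]$AllowedAdmins = @('Administrators', 'SYSTEM'))
    $rights = @(ConvertFrom-PrinterAccessMask $Ace.AccessMask)
    # Flag allow ACEs (AceType 0) that give printer administration to anyone
    # who is not on the allow-list
    $tooBroad = ($Ace.AceType -eq 0) -and
                ($rights -contains 'PRINTER_ACCESS_ADMINISTER') -and
                ($AllowedAdmins -notcontains $Ace.User)
    New-Object PSObject -Property @{
        Computer = $Ace.Computer; Printer = $Ace.Name; User = $Ace.User
        Rights = $rights -join ','; TooBroad = $tooBroad
    }
}

# Constructed sample rows (not real data) so the check runs offline
$sample = @(
    @{ User = 'Administrators'; AccessMask = 0x000F000C },   # printer administer + use
    @{ User = 'USER1';          AccessMask = 0x000F0030 },   # job bits only
    @{ User = 'USER1';          AccessMask = 0x00020008 },   # print only
    @{ User = 'Everyone';       AccessMask = 0x000F000C }    # printer administer + use
) | ForEach-Object {
    New-Object PSObject -Property ($_ + @{ Computer = 'POS0001'; Name = 'LABEL'; AceType = 0 })
}

$sample | ForEach-Object { Test-PrinterAce $_ } |
    Format-Table Computer, Printer, User, Rights, TooBroad -AutoSize
```

On a host where Get-Printer works, its output can be piped through Test-PrinterAce in place of `$sample`.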
 
LVL 2

Assisted Solution

by:jasonaluke
jasonaluke earned 0 total points
ID: 39205862
Update: Found out why the above script fails in 2003 R2.
The updates to WMI were significant between 2003/XP and 2008/Win7.  The error is literal – it doesn’t exist.  I looked it up on MSDN and it says 2008 is the minimum.
http://msdn.microsoft.com/en-us/library/aa390778
http://msdn.microsoft.com/en-us/library/aa394363

So this method isn’t going to work if I want to support 2003 servers.  The internal changes between 2003 and 2008 are massive for WMI and PowerShell.  

So, back to square one I guess.
0
 
LVL 38

Expert Comment

by:hdhondt
ID: 39286433
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
