Solved

Script out how to Give local user full permissions to a printer

Posted on 2013-05-28
Last Modified: 2013-06-29
Situation:
AD domain
I have 1000's of points of sale running Windows 2003 under the context of a non-privileged "local" (non-AD) user account, let's call it USER1. Employees using these points of sale have a need to do printer administrative things like delete print jobs. They cannot do this with just their USER1 account.
The local user account is the same across all systems, USER1.
The local printer name is the same across all systems, LABEL.
They cannot be added to the Administrators or Power Users group. I have verified they can do the necessary things if I manually remote to the system and edit the permissions of the LABEL printer to add the USER1 with Full Control. Manually doing this across all systems is not an option. I cannot find a PowerShell or other way to do this.

I need a remote way to set the necessary permissions for the local user account to be able to manage this printer.

Ideas?
Question by:jasonaluke
 
LVL 7

Expert Comment

by:eerwalters
You can do this via RDP or various other methods but what needs to happen for User1 to manage the Local LABEL print queue is listed below.

1- Add the Local user User1 to the Local Print Operators group
2- Go into the Print Properties for the LABEL printer
      Then to the Security tab
3- Add the local Print Operators group to have Manage Documents permissions to the LABEL printer.
    (Since you mentioned both, just deleting documents and also full permissions, I opted for the lesser of the two evils in the example because users can initiate lots of trouble calls if they have manage printer permissions)

4- Have User1 log out and back into the server


 I used to have some VBscripts for setting printer permissions remotely.  I'll see if I can find them.

 While I am hunting for those, check out the link below which sounds like what you want to do via Powershell.
    http://www.vistax64.com/powershell/206996-set-security-printer-powershell.html
 
LVL 2

Author Comment

by:jasonaluke
RDP would be the manual way of doing this. I am not doing it manually for 1000's of systems. It must be scripted. I too have read that Russian guy's blog. I can't figure his stuff out yet.
 
LVL 2

Accepted Solution

by:
jasonaluke earned 0 total points
Ok, after much cleanup of the PowerShell from the Russian guy's blog, I am getting somewhere, but am stuck on a PowerShell/WMI issue. This is the function I am trying to get to work.
function Get-Printer ($Computer = ".", $Name) {
    # If $Name is empty, return all local printers
    if ($Name) {
        $Printers = gwmi Win32_Printer -ComputerName $Computer -Filter "Name = '$Name'"
    }
    else {
        $Printers = gwmi Win32_Printer -ComputerName $Computer -Filter "Local = '$True'"
    }
    # Array that collects the ACEs
    $PrinterInfo = @()
    foreach ($Printer in $Printers) {
        if ($Printer) {
            # Get the printer's security descriptor and add each ACE of its DACL to $PrinterInfo
            $SD = $Printer.GetSecurityDescriptor()
            $PrinterInfo += $SD.Descriptor.DACL | % {
                $_ | Select @{e = {$Printer.SystemName}; n = 'Computer'},
                    @{e = {$Printer.Name}; n = 'Name'}, AccessMask, AceFlags, AceType,
                    @{e = {$_.Trustee.Name}; n = 'User'},
                    @{e = {$_.Trustee.Domain}; n = 'Domain'},
                    @{e = {$_.Trustee.SIDString}; n = 'SID'}
            }
        }
        else { Write-Warning "Specified printer not found!" }
    }
    # Emit the ACL information so it can be passed down the pipeline
    $PrinterInfo
}
# Function that writes the ACL to the printer. It takes no arguments
# and only receives data from the pipeline

When I run this and point it at a Server 2008 R2 box, it works.
When I run this and point it at a Server 2003 R2 box, it fails with
Method invocation failed because [System.Management.ManagementObject] doesn't contain a method named 'GetSecurityDescriptor'.
At C:\Users\me\PrinterUtils.ps1:22 char:15
+               $SD = $Printer.GetSecurityDescriptor()
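
Added example, not part of the original thread: a way to read the AccessMask and AceFlags columns that Get-Printer emits, so that ACEs granting "Manage Printers" to an unexpected trustee stand out from ones that only grant "Manage Documents". The bit values are the printer access rights from winspool.h; the function names, the $ExpectedAdmins list, the host names POS0001/POS0002 and the sample rows are constructed for illustration.

```powershell
# Access-right bits as defined in winspool.h, ACE flag and type from winnt.h.
$PRINTER_ACCESS_ADMINISTER = 0x00000004   # printer object: "Manage Printers"
$PRINTER_ACCESS_USE        = 0x00000008   # printer object: "Print"
$JOB_ACCESS_ADMINISTER     = 0x00000010   # print jobs: "Manage Documents"
$INHERIT_ONLY_ACE          = 0x08         # ACE applies to child jobs, not the printer
$ACCESS_ALLOWED_ACE_TYPE   = 0

# Assumption: the only trustees expected to administer a point-of-sale printer.
$ExpectedAdmins = 'Administrators', 'SYSTEM'

function ConvertFrom-PrinterAccessMask ($AccessMask, $AceFlags) {
    $rights = @()
    # An inherit-only ACE grants nothing on the printer object itself.
    if (-not ($AceFlags -band $INHERIT_ONLY_ACE)) {
        if ($AccessMask -band $PRINTER_ACCESS_USE)        { $rights += 'Print' }
        if ($AccessMask -band $PRINTER_ACCESS_ADMINISTER) { $rights += 'ManagePrinters' }
    }
    if ($AccessMask -band $JOB_ACCESS_ADMINISTER)         { $rights += 'ManageDocuments' }
    $rights
}

function Find-PrinterAdminAce {
    # Takes Get-Printer style rows from the pipeline and emits the allow ACEs
    # that let an unexpected trustee administer the printer.
    process {
        $rights = @(ConvertFrom-PrinterAccessMask $_.AccessMask $_.AceFlags)
        if ($_.AceType -eq $ACCESS_ALLOWED_ACE_TYPE -and
            $rights -contains 'ManagePrinters' -and
            $ExpectedAdmins -notcontains $_.User) {
            $_ | Select-Object Computer, Name, User,
                @{n = 'Rights'; e = { $rights -join ',' }}
        }
    }
}

# Constructed sample rows in the shape Get-Printer returns.
$sample = @(
    @{Computer='POS0001'; Name='LABEL'; AccessMask=983052; AceFlags=0; AceType=0; User='Administrators'},
    @{Computer='POS0001'; Name='LABEL'; AccessMask=131080; AceFlags=0; AceType=0; User='Everyone'},
    @{Computer='POS0001'; Name='LABEL'; AccessMask=983088; AceFlags=9; AceType=0; User='Print Operators'},
    @{Computer='POS0001'; Name='LABEL'; AccessMask=131072; AceFlags=2; AceType=0; User='Print Operators'},
    @{Computer='POS0002'; Name='LABEL'; AccessMask=983052; AceFlags=0; AceType=0; User='USER1'}
) | ForEach-Object { New-Object PSObject -Property $_ }

$sample | Find-PrinterAdminAce
```

On a host where GetSecurityDescriptor is available, the real input would be the output of Get-Printer instead of $sample.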
 
LVL 2

Assisted Solution

by:jasonaluke
jasonaluke earned 0 total points
Update: Found out why the above script fails in 2003 R2.
The updates to WMI were significant between 2003/XP and 2008/Win7.  The error is literal – it doesn’t exist.  I looked it up on MSDN and it says 2008 is the minimum.
http://msdn.microsoft.com/en-us/library/aa390778
http://msdn.microsoft.com/en-us/library/aa394363

So this method isn’t going to work if I want to support 2003 servers.  The internal changes between 2003 and 2008 are massive for WMI and PowerShell.  

So, back to square one I guess.
 
LVL 38

Expert Comment

by:Herman D'Hondt
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.