Solved

Script out how to Give local user full permissions to a printer

Posted on 2013-05-28
6
641 Views
1 Endorsement
Last Modified: 2013-06-29
Situation:
AD domain
I have 1000's of points of sale running windows 2003 under the context of a non-privileged "local" (non-AD) user account, let's call it USER1. Employees using these points of sale have a need to do printer administrative things like delete print jobs. They cannot do this with just their USER1 account.
The local user account is the same across all systems, USER1.
The local printer name is the same across all systems, LABEL.
They cannot be added to the Administrators or Power Users group. I have verified they can do the necessary things if I manually remote to the system and edit the permissions of the LABEL printer to add the USER1 with Full Control. Manually doing this across all systems is not an option. I cannot find a powershell or other way to do this.

I need a remote way to set the necessary permissions for the local user account to be able to manage this printer.

Ideas?
1
Comment
Question by:jasonaluke
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
6 Comments
 
LVL 7

Expert Comment

by:eerwalters
ID: 39203318
You can do this via RDP or various other methods but what needs to happen for User1 to manage the Local LABEL print queue is listed below.

1- Add the Local user User1 to the Local Print Operators group
2- Go into the Print Properties for the LABEL printer
      Then to the Security tab
3- Add the local Print Operators group to have Manage Documents permissions to the LABEL printer.
    (Since you mentioned both, just deleting documents and also full permissions, I opted for the lesser of the two evils in the example because users can initiate lots of trouble calls if they have manage printer permissions)

PrintOpsPermsToPrinter4- Have User1 logout and back into the server


 I used to have some VBscripts for setting printer permissions remotely.  I'll see if I can find them.

 While I am hunting for those, check out the link below which sounds like what you want to do via Powershell.
    http://www.vistax64.com/powershell/206996-set-security-printer-powershell.html
1
 
LVL 2

Author Comment

by:jasonaluke
ID: 39204342
RDP would me the manual way of doing this. I am not doing it manually for 1000's of systems. It must be scripted. I too have read that Russian guy's blog. I can't figure his stuff out yet.
0
 
LVL 2

Accepted Solution

by:
jasonaluke earned 0 total points
ID: 39205514
Ok after much cleanup of the powershell from the Russian guy'g blog, I am getting somewhere, but am stuck on a powershell/WMI issue. This is the function I am trying to get to work.
function  Get-Printer ($Computer  =  ".", $Name) {
      # If the variable $name is empty, it returns a list of all local printers
      if ($name) {
        $Printers  =  gwmi  Win32_Printer  -ComputerName  $Computer  -Filter  "Name = '$name'"}
      else {
        $Printers  =  gwmi  Win32_Printer  -ComputerName  $Computer  -Filter  "Local = '$True'"}
      # declaration of an array of ACL
      $PrinterInfo = @()
      # Extract the ACL of each element of the array of ACL
      foreach ($Printer  in  $Printers) {
        if ($Printer) {
              # in the variable $SD obtain the security descriptor for each printer and each element ACE (DACL) And add $PrinterInfo
              $SD = $Printer.GetSecurityDescriptor()
              $PrinterInfo += $SD.Descriptor.DACL |% {
              $_ | Select @{e = {$Printer.SystemName}; n = 'Computer'},
              @{e = {$Printer.Name}; n =  'Name'}, AccessMask, AceFlags, AceType, @{e = {$_.Trustee.Name}; n =  'User'}, @{e = {$_.Trustee.Domain}; n =  'Domain'}, @{e = {$_.Trustee.SIDString}; n =  'SID'}}}
        else {Write-Warning  "Specified printer not found!"}}
      # Issuing information about ACL output functions for subsequent delivery to the conveyor
      $PrinterInfo} # recording function in the ACL printer. It takes no arguments, # but only receives data from the conveyor

When I run this and point it at a Server 2008 R2 box, it works.
When I run this and point it at a Server 2003 R2 box, it fails with
Method invocation failed because [System.Management.ManagementObject] doesn't contain a method named 'GetSecurityDescriptor'.
At C:\Users\me\PrinterUtils.ps1:22 char:15
+               $SD = $Printer.GetSecurityDescriptor()
1
 
LVL 2

Assisted Solution

by:jasonaluke
jasonaluke earned 0 total points
ID: 39205862
Update: Found out why the above script fails in 2003 R2.
The updates to WMI were significant between 2003/XP and 2008/Win7.  The error is literal – it doesn’t exist.  I looked it up on MSDN and it says 2008 is the minimum.
http://msdn.microsoft.com/en-us/library/aa390778
http://msdn.microsoft.com/en-us/library/aa394363

So this method isn’t going to work if I want to support 2003 servers.  The internal changes between 2003 and 2008 are massive for WMI and PowerShell.  

So, back to square one I guess.
0
 
LVL 38

Expert Comment

by:hdhondt
ID: 39286433
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Save Excel documents to PDF and RETAIN color 16 590
LaserJet 4250 5 58
Running cost per page (excluding the cost of the paper) 3 73
Print from iPhone 6 18
How to solve seemingly unsolvable printer issues. Users sometimes run into printing issues where all the normal steps do not seem to work. Well the steps below can show users how to take one extra step beyond the normal steps needed to remove old…
This seems to be a very common error related to the Samsung printer driver. First, this is the error we're talking about: Log: System Type: Error Event: 7000 Agent Time: 3:37:24 am 22-Apr-09 Event Time: 6:07:24 pm 21-Apr-09 UTC Source: Se…
In an interesting question (https://www.experts-exchange.com/questions/29008360/) here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question