6

I have a Windows 2008 R2 server with Terminal server role installed. I'm seeing a problem with an ordinary user who is member of local printer operators group on the server.

If the user opens a cmd window using ‘run as administrator’ they can run printmanager.msc without needing to enter their password again. In printmanager they can change the ownership of redirected (easy print) printers without problems.

If, from the same cmd window, they use subinacl to try and change the onwership of the queue to themselves they get access denied:

>subinacl.exe /printer "_#MyPrinter (2 redirected)" /setowner="MyDom\MyUsr"
Elapsed Time: 00 00:00:00
Done:        1, Modified        0, Failed        1, Syntax errors        0
Last Done  : _#MyPrinter (2 redirected)
Last Failed: _#MyPrinter (2 redirected) - OpenPrinter Error : 5 Access denied

so, same context, same action but one works and one doesn't. Any ideas for this odd behaviour?

I'm using subinacl x86 on an x64 server as I can't find anything more up to date. I've tried with icacls and others but couldn't get them to do anything with printers.

EDIT: added after Gregs comments regarding setacl below

If I log into the TS server as Testusr and open Admin Tools > Printer Admin (as administrator) and then type mydomain\testusr and the testusr's password, then I can change the ownership of the printer queue and set testusr as the owner.

However if I open cmd as administrator and, again, type mydomain\testusr and the users password when I try to change the ownership of my redirected printer I get the following:

C:\>setacl -on "Bullzip PDF Printer (12 redireccionado)" -ot prn -actn setowner -ownr n:mydom\testusr

WARNING: Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted.
WARNING: Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted.
INFORMATION: Processing ACL of: <Bullzip PDF Printer (12 redireccionado)>
ERROR: Enabling the privilege SeTakeOwnershipPrivilege failed with: No todos los privilegios o grupos a los que se hace referencia son asignados al llamador.
 [meaning not all referenced privs or groups are assigned to the caller]

SetACL finished with error(s):
SetACL error message: A privilege could not be enabled

maybe I'm getting something wrong but if the built in windows tool can do it with just membership of the 'print operators' group then setacl should be able to as well, no?

However setacl seems to depend on other privileges, which in reality are not required to do this.

Ian Murphy
  • 1,329
  • 4
  • 19
  • 29

2 Answers2

1

Windows normally will not users to change ownership of any object to anything other than Administrators (or themselves if they have the take ownership permission on the object), unless they are an Administrator or they have some special Windows User Rights (which you should not confer).

I would speculate that the seven year old x86 version of subinacl.exe is not working correctly with the security token in the elevated process.

A couple of suggestions:

Try using the updated version of subinacl, 5.2.3790.1180, available at:

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b

Try using the free SetAcl.exe utility. This is the swiss-army kitchen sink of permissions management tools, and includes an x64 build. This is an active project and includes many features lacking in the Microsoft utilities.

http://helgeklein.com/setacl/

Documentation:

http://helgeklein.com/setacl/documentation/command-line-version-setacl-exe/
http://helgeklein.com/setacl/examples/managing-printer-service-and-share-permissions-with-setacl-exe/

Example usage:

setacl -on "Printer Name" -ot prn -actn setowner -ownr n:domainNetbiosName\userName
Greg Askew
  • 34,339
  • 3
  • 52
  • 81
  • I thought I had been using the latest version of subinacl, but its possible that I wasn't. I'll give it a try. SetACL doesn't work on printers. I get the impression that printer queues have a different acl model to the rest of windows resources. Even using the win32 api I haven't managed to modify the security. I'd sort of abandoned this problem but I'll have to attack it again soon. – Ian Murphy Apr 11 '11 at 08:21
  • Actually SetAcl does support printers. I added a sample to the answer to show how. – Greg Askew Apr 11 '11 at 11:31
  • just added an edit regarding setacl. I had tried it but I had an older version, so I've tried it again with the latest - no luck. – Ian Murphy Apr 15 '11 at 16:53
  • Just been looking through the setacl forum on sourceforge and I found a posting I made several months ago regarding this problem. There was never any response to my posting – Ian Murphy Apr 15 '11 at 17:03
0

Maybe you can set the security with the setprinter tool (setprinter -examples 3).SetPrinter is for 2003 but also works on 2008 R2.

Guido van Brakel
  • 942
  • 5
  • 10