
Is it possible to grant "Manage Printers" permissions to all printer objects on client machines via group policy? By default, it looks like this permission is granted to Power Users and Administrators. I'd like to grant it to a specific security group in the domain.

In this case the printers are installed locally (well, some are network printers, but they're not managed; drivers are installed directly on clients).

Boden

1 Answer


Yes, with a startup script.

setprinter.exe is included with the Windows 2003 resource kit. You can use:

setprinter.exe printerName 3 "pSecurityDescriptor=xxxxxxxxxx"

You would need to loop through all of the installed printers, and apply the new ACL. This would assume you could use the same ACL for all printers on all workstations. This may not be a problem as most people don't use custom security on local printers.

pSecurityDescriptor= is in SDDL form. Use setprinter -examples 3 to get more info.

Set a printer with the security the way you want it, then use setprinter -show printerName 3 to get the text of how the SDDL should be applied.

This is what the command and SDDL look like when Everyone has Manage Printers and all the other permissions are generic defaults:

setprinter.exe printerName 3 pSecurityDescriptor="O:BAG:DUD:(A;OIIO;RPWPSDRCWDWO;;;BA)(A;;LCSWSDRCWDWO;;;BA)(A;CIIO;RC;;;CO)(A;OIIO;RPWPSDRCWDWO;;;CO)(A;;LCSWSDRCWDWO;;;WD)(A;OIIO;RPWPSDRCWDWO;;;PU)(A;;LCSWSDRCWDWO;;;PU)"

All of that must be on one line.

Here is some PowerShell code that lists the printers:

Get-WMIObject Win32_Printer -ComputerName $env:computername | foreach-object{$_.Name}

so the command to do the work would be

Get-WMIObject Win32_Printer -ComputerName $env:computername | foreach-object{setprinter.exe $_.Name 3 pSecurityDescriptor="O:BAG:DUD:(A;OIIO;RPWPSDRCWDWO;;;BA)(A;;LCSWSDRCWDWO;;;BA)(A;CIIO;RC;;;CO)(A;OIIO;RPWPSDRCWDWO;;;CO)(A;;LCSWSDRCWDWO;;;WD)(A;OIIO;RPWPSDRCWDWO;;;PU)(A;;LCSWSDRCWDWO;;;PU)"}

Again, that must be all one line.

Greg Askew
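
The answer's SDDL gives Manage Printers to Everyone (WD), while the question asks for one domain group. The startup script below is an added example, not part of the original answer: it resolves a group to its SID and puts that SID in place of the WD trustee before applying the ACL to every printer. The group name `CONTOSO\Printer Managers` is a hypothetical placeholder, setprinter.exe is assumed to be on the PATH, and because this template then has no ACE for Everyone at all, capture your own template with `setprinter -show printerName 3` if Everyone should keep other rights.

```powershell
# Added example: machine startup script (runs as SYSTEM on each client).
# 'CONTOSO\Printer Managers' is a hypothetical placeholder group name.
$GroupName = 'CONTOSO\Printer Managers'

# SDDL from the answer above. The ACE ending in ";;;WD)" is the one that
# gives Everyone the Manage Printers rights.
$Template = 'O:BAG:DUD:(A;OIIO;RPWPSDRCWDWO;;;BA)(A;;LCSWSDRCWDWO;;;BA)' +
            '(A;CIIO;RC;;;CO)(A;OIIO;RPWPSDRCWDWO;;;CO)(A;;LCSWSDRCWDWO;;;WD)' +
            '(A;OIIO;RPWPSDRCWDWO;;;PU)(A;;LCSWSDRCWDWO;;;PU)'

function Get-GroupSid([string]$Name) {
    # Resolve the account name to a SID string (S-1-5-21-...).
    # Throws if the name cannot be mapped, e.g. no domain controller reachable.
    $account = New-Object System.Security.Principal.NTAccount($Name)
    $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-GroupSddl([string]$Sddl, [string]$Sid) {
    # Match the trustee field only: "WD" also appears as a right (write DAC)
    # inside strings such as RCWDWO, and those must not be touched.
    $marker = ';;;WD)'
    if (-not $Sddl.Contains($marker)) {
        throw 'Template SDDL has no ACE whose trustee is Everyone (WD).'
    }
    $Sddl.Replace($marker, ";;;$Sid)")
}

try {
    $sid = Get-GroupSid $GroupName
} catch {
    # Leave existing printer ACLs untouched rather than apply a broken one.
    Write-Warning "Could not resolve '$GroupName': $($_.Exception.Message)"
    exit 1
}

$sddl = Get-GroupSddl $Template $sid

# Same loop as in the answer, with the group-specific descriptor.
Get-WmiObject Win32_Printer | ForEach-Object {
    Write-Output "Applying ACL to '$($_.Name)'"
    & setprinter.exe $_.Name 3 "pSecurityDescriptor=$sddl"
}
```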