Change printer group permission with script?

1

1

How do i change the user group "everyone" permissions on a local printer using a script? I've been digging around and something's telling me to use ACL using powershell?

Isaac F

Posted 2017-01-19T13:26:16.067

Reputation: 33

Answers

1

Please see the below resources and quoted steps for detail on setting printer permissions via command line in Windows (both PowerShell and Batch).

Batch modify printer permissions

If you want to do it with a comand line tool, get subinacl from the Resource Kit:

http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en

subinacl /printer <\printer name> /grant=Everyone=F

or by modifying Steve's script:

for /f %a in ('net share ^| find "Spooled"') do subinacl /printer %a /grant=Everyone=F

source

PowerShell - Add Printer Permission

Windows Server 2012 comes with the PrintManagement module, which makes automation Management of Printers easier. But testing cmdlets like Add-Printer and Set-Printer I noticed that you can set Printer Permission only using the Parameter -PermissionSDDL . These Parameters in both cmdlets expect Printer Permission using Security Definition Description Language (SDDL) which is not what you can type on the command line that easy.

Function Add-LHSPrinterPermissionSDDL 
{ 

[cmdletbinding(   
    ConfirmImpact = 'Low', 
    SupportsShouldProcess = $false 
)]   

[OutputType('System.String')] 

param( 
    [Parameter(Position=0,Mandatory=$True,ValueFromPipeline=$False, 
        HelpMessage='A Security Group or User like "Domain\GroupName" or "Domain\UserName"')] 
    [String]$Account, 

    [Parameter(Position=1,Mandatory=$True,ValueFromPipeline=$False)] 
    [String]$existingSDDL 
) 

BEGIN { 

    Set-StrictMode -Version Latest 

    ${CmdletName} = $Pscmdlet.MyInvocation.MyCommand.Name 


} # end BEGIN 

PROCESS { 

    try  
    { 
        $isContainer = $false 
        $isDS = $false 
        $SecurityDescriptor = New-Object -TypeName ` 
            Security.AccessControl.CommonSecurityDescriptor ` 
            $isContainer, $isDS, $existingSDDL 

        Write-Verbose "Adding Permission for Group $Account" 
        #get the SID for the specified Group and add it to the SDDL 
        $NTAccount = New-Object Security.Principal.NTAccount $Account 
        $NTAccountSid = $NTAccount.Translate([Security.Principal.SecurityIdentifier]).Value 

        $SecurityDescriptor.DiscretionaryAcl.AddAccess( 
            [System.Security.AccessControl.AccessControlType]::Allow, 
            $NTAccountSid, 
            268435456, #full control all operations 
            [System.Security.AccessControl.InheritanceFlags]::None, 
            [System.Security.AccessControl.PropagationFlags]::None) | Out-Null 


        return $SecurityDescriptor.GetSddlForm("All") 
    } 
    catch [Exception]  
    { 
        Write-Error -Message "Failed To Generate SDDL (review inner exception):`n $_.Message" ` 
            -Exception $_.Exception 
    } 
} # end PROCESS 

END { Write-Verbose "Function ${CmdletName} finished." } 
} #end Function Add-LHSPrinterPermissionSDDL

source

Additional Resources

Pimp Juice IT

Posted 2017-01-19T13:26:16.067

Reputation: 29 425

Asked: 2017-01-19T13:26:16.067

Viewed: 2 994 times

Active: 2017-01-19T13:41:29.143