Server 2008 R2 - Apply New permissions to all printers on server
Solution 1
I came across this question realizing I never posted what I did, ultimately I figured out a way to use SUBINACL.exe (needs to be in a path directory like System32)
and passed it through a powershell loop of all the printers
here's the code, run it from the PS Console as Administrator on the Print Server
$Logpath = "c:\temp\logs"
Stop-Transcript -ErrorAction "SilentlyContinue"
Start-Transcript $Logpath -Append
$PRINTERS = (Get-WmiObject Win32_Printer)
foreach($PRINTER in $PRINTERS)
{$Server = $PRINTER.SystemName
$PrinterName = $PRINTER.name
Write-Host \\$Server\$PrinterName
Invoke-Command -AllowRedirection {subinacl.exe /printer \\$Server\$PrinterName /Grant=domain\username=F}
}
Stop-Transcript
I don't work there anymore but I hope someone benefits from finding this.
Solution 2
I recognize this is not a method by which to apply security permissions to all printers, but it may solve your problem.
The default permissions on a printer usually seems to include manage permissions assigned to the domain group "Print Operators". Consider adding your helpdesk group to "Print Operators".
Also, there appears to be a global set of permissions that may allow for setting to be applied to all printers found under Print Server Properties which can be accesssed by right clicking the Print Server's name in printmanagement.msc
.
Note: I have not used the Print Server Properties acl before, so I cannot say if it works the way you want.
Related videos on Youtube
Matt Hamende
Updated on September 18, 2022Comments
-
Matt Hamende almost 2 years
We setup a new 64bit Print Server (Server 2008 R2) and on our previous print server we had the helpdesk as a member of the power users group, and gave them "Manager Printers" so they could change printer ports when printers went down.
it looks like there was an oversight and it wasn't added when we setup the new server.
I've added them to power users, and went into Print Server Properties in "PRINTMANAGEMENT.MSC" and granted the permissions, but it seems like this is only going to apply to new printers as it doesn't appear to be inheriting to any existing printers.
anyway to get these permissions to propogate to the existing printers?
these are setup as local printers, bound to Standard TCP / IP ports.
-
Zoredache over 11 yearsThe SetACL.exe can set permissions on printers. I suspect there is some easy way to do it with Powershell as well. You just need to get a list, and script fixing the ACL on each.
-
-
Castaglia about 8 yearsThis does not appear to be an answer to the OP's question; what command are you trying to provide?
-
Mike about 8 yearsNot sure what you mean, I ran the script above with the domain\group name I wanted and that was the resulting error. 2008R2 server. I'm relatively new at Powershell so trying to work out what I missed here.
-
Mike about 8 yearsYes, I downloaded/installed the latest version of subinacl from MS to system32, run the script from the same folder, in PS as admin. I get the same error message for each printer, "Cannot evaluate parameter 'ConnectionUri' because its argument is specified as a script block and there is no input."
-
Matt Hamende over 5 yearsThat's awesome I don't even do IT anymore, pretty much software and devops, still really cool that it helped.