Set Print Server Security

Hi All,

I've seen posts on how to set the security on print queues, and I can do this today, but not on the print server itself.  Manually, I can open Print Management, right-click on the print server name, select properties, click on the security tab, and then add a group/user and set permissions.  I want to be able to do this via script because there are approximately 120 sites this needs to be completed for.  Most servers are 2008 R2, but there are some 2003 servers as well.  Is there any way to do this via PowerShell?  I'm assuming there is some .NET way of doing it that just hasn't been turned into a cmdlet yet. But, I haven't seen any posts.  I don't really care if I need something external like SubInACL, or the Printing Admin Scripts like prnmngr.vbs, etc.  Just so long as it can be done via a script.  Does anyone know of a way to accomplish this?

Regards

August 30th, 2013 2:29pm

I don't know about 2008 as I'm aware of what you mentioned regarding the security tab in Print Management... but 2003 Print Servers do not use or even have the security tab there, even when using the 2008 Print Management console. 2003 is just a matter of adding the right group into the local Print Operators group on the server.

I'll keep digging to see about 2008, but 2003 is a different animal.   And I do say Print Operators... as that's by default.  That, and Administrators, in your local group policy on a new print server installation.  If you've changed that in the gpedit.msc then it'd be whatever groups are listed in there.

October 10th, 2013 10:28pm

It does not appear there is a scriptable method for doing those permissions on 2008.    There is a SecurityDescriptor in the registry that gets updated when adding or removing a group/user from those permissions, and maybe that is how it could be done.  Decrypting the security descriptor, adding what you need to it and writing it back, but that is well beyond me.

I used Process Monitor to show me the registry changes immediately when I made a change.   Likely the only way to go until Server 2012.


October 11th, 2013 7:58am

Thanks for doing research on this Brian.
October 11th, 2013 12:07pm

Hi,

I realise this is an old post! However, it is very valid for what I am trying to do on my Windows 2008 R2 print server.

You can use the latest SETPRINTERx64.exe \\Servername\ 3, which produces this kind of pSecurityDescriptor. You have to have the "\" at the end of the Servername, otherwise it will treat it as a print queue instead.

  pSecurityDescriptor="O:BAG:BAD:(A;CIIO;SWRC;;;WD)(A;;DCRC;;;WD)(A;OIIO;RPWPSDRCWDWO;;;CO)(A;OICIIO;LCSWRPWPSDRCWDWO;;;BA)(A;;CCDCSDRCWDWO;;;BA)"

I confirm that when you add a user or a group and assign the printing permission, the above command line will produce a different pSecurityDescriptor result, which will show the SID of the group or user ID that you added.

C:\Temp>setPrinterx64.exe \\Servername\ 3 pSecurityDescriptor="O:BAG:BAD:(A;;DCRC;;;WD)(A;CIIO;SWRC;;;WD)(A;IIO;RPWPSDRCWDWO;;;CO)(A;;CCDCSDRCWDWO;;;BA)(A;OICIIO;LCSWRPWPSDRCWDWO;;;BA)(A;CIIO;LCSWSDRCWDWO;;;S-1-5-21-2xxxxxx)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-278647389xxxxxxxx(A;;CCDCSDRCWDWO;;;S-1-5-21-27xxxxxxx2)"

The question is, does anyone know how to apply that on a different server?  I read that you can run Setprinter \\servername 3 pSecurityDescriptor="the output similar above" but that can only apply to the printing queue but not to the server.

thanks heaps

February 24th, 2014 1:09pm

Check out this module. After importing it, check to see if the following command gives you the same SDDL that setPrinter64.exe was giving you:

Get-SecurityDescriptor -Path \\servername -ObjectType Printer | select -ExpandProperty Sddl

If that matches, you might be in luck. Things are going to get a little weird, though, since this wasn't a use case I envisioned for the module. The Set-SecurityDescriptor function doesn't take an -ObjectType parameter (yet), which means you can't call it the same way you called Get-SecurityDescriptor. That's on my list of things to do for the next version, though. In the meantime, you should be able to do something like this as a workaround (and to any future readers, if the module is past version 2.1, the following workaround shouldn't be necessary anymore; see the help for ways to copy SDs from one object to another):

$Sd = Get-SecurityDescriptor -Path \\servername -ObjectType Printer
$Sd.SdPath = "\\otherservername"
$Sd | Set-SecurityDescriptor -WhatIf

Set-SecurityDescriptor will inspect the object being passed to it and use the path and object type from there. You shouldn't have to manually modify the SdPath property, but in this case it lets you get around the fact that we can't force Set-Security to use a certain path and object type. If you take the -WhatIf parameter off, you'll be prompted before making any changes. To suppress that prompt, you'll need to use the -Force switch.

One more thing: if you try to view or modify the security descriptor ACLs, a lot of the access masks are going to be numeric. That's due to the fact that the printer rights enumeration was created without server rights included. That's something else that I'll fix in a future release. You can still add and remove entries with the module, but you might have to use numeric rights. Let me know if I'm rambling and not making any sense :)

If you end up using this, obviously you'll want to make sure you've manually stepped through this on a few systems and confirmed (maybe using the GUI or SetPrinter64.exe) that the SD was copied properly before trying to automate it.

If you have any questions or problems, please let me know.

February 24th, 2014 2:50pm
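
The two setprinter outputs quoted earlier in the thread list the same built-in ACEs in a different order, so a plain string comparison is not a reliable way to confirm that a security descriptor was copied properly. The following is an added example, not code from the thread or from the module: the function names are hypothetical, the reference SDDL is the one quoted in the thread, and the extra trustee SID is constructed.

```powershell
# Added example (not from the thread). Function names are hypothetical.
function Get-SddlAceSet {
    param([Parameter(Mandatory = $true)][string]$Sddl)
    # RawSecurityDescriptor only parses the string; no server or printer is contacted.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    if ($null -eq $sd.DiscretionaryAcl) { return }
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Canonical form: ACE type | inheritance flags | access mask (hex) | trustee SID
        '{0}|{1}|0x{2:X8}|{3}' -f $ace.AceType, $ace.AceFlags,
            $ace.AccessMask, $ace.SecurityIdentifier.Value
    }
}

function Compare-SddlDacl {
    param(
        [Parameter(Mandatory = $true)][string]$Reference,
        [Parameter(Mandatory = $true)][string]$Candidate
    )
    $ref  = @(Get-SddlAceSet -Sddl $Reference)
    $cand = @(Get-SddlAceSet -Sddl $Candidate)
    # Order-insensitive: adequate for allow-only DACLs such as the ones in this thread.
    $missing = @($ref  | Where-Object { $cand -notcontains $_ })
    $extra   = @($cand | Where-Object { $ref  -notcontains $_ })
    New-Object psobject -Property @{
        Match   = ($missing.Count -eq 0 -and $extra.Count -eq 0)
        Missing = $missing   # ACEs the candidate server lacks
        Extra   = $extra     # ACEs only the candidate server has
    }
}

# Reference: default server SDDL as quoted in the thread.
$reference = 'O:BAG:BAD:(A;CIIO;SWRC;;;WD)(A;;DCRC;;;WD)(A;OIIO;RPWPSDRCWDWO;;;CO)' +
             '(A;OICIIO;LCSWRPWPSDRCWDWO;;;BA)(A;;CCDCSDRCWDWO;;;BA)'

# Candidate: same ACEs reordered, plus one ACE for a constructed (made-up) group SID.
$candidate = 'O:BAG:BAD:(A;;DCRC;;;WD)(A;CIIO;SWRC;;;WD)(A;OIIO;RPWPSDRCWDWO;;;CO)' +
             '(A;;CCDCSDRCWDWO;;;BA)(A;OICIIO;LCSWRPWPSDRCWDWO;;;BA)' +
             '(A;CIIO;LCSWSDRCWDWO;;;S-1-5-21-1111111111-2222222222-3333333333-1105)'

Compare-SddlDacl -Reference $reference -Candidate $candidate | Format-List
```

In practice the two strings would come from reading the descriptor on the source server and on the target server after the copy; any entry under Missing or Extra is a difference to investigate before automating the change across sites.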

TNAus,

Where can I download the latest SetPrinterx64.exe tool? When I go to this site https://www.microsoft.com/en-us/download/details.aspx?id=17657 and download the resource kit from here, the command you have provided does not work. It just tells me there is an invalid printer name, likely because it can't look at the server. Where do I get the latest download that you say I can point directly at the server?

Thanks in advance,

July 3rd, 2015 1:57pm

Jrv,

Neither of those links is helpful in any way. I am looking for the version of the setprinter tool that TNAus mentions because he notes that he is capable of looking directly at the server's security descriptor, whereas mine only complains when I try to run the same command. I want to be able to look at and modify the server's security descriptor; I do not care about the individual print queues.

Thanks,

July 6th, 2015 8:08am

Sorry but that will not work as expected.  Each  handles its own security.  Each  is a separate printer.  There is no global setting.

July 6th, 2015 10:12am

What do you mean each handles its own security? I can go in and manually add groups with certain permissions into the security tab for the properties of a server. Is there really no scriptable method that would allow me to do this using a PowerShell or other like command? How could they not have a modifiable security descriptor, if modifying user/group permissions is exactly what I can do manually?

If you read TNAus's post, it seems as though (s)he was able to use the setprinter.exe tool to at the very least see the security descriptor of the print server. When I try to run the version of the tool I have downloaded, however, I can't even get that far. I have noticed on several other posts people having the "latest" or "updated" version of the tool being sent to them via email by either someone who had it or from a Microsoft support employee. I would really like to know what that is all about and if perhaps that has something to do with my issue. I would even be satisfied to find a different way to possibly solve this problem.

However, if it really can't work, why not? What is so different from print queues to print servers that I cannot write a script to walk through all my servers and change their security descriptors like I am capable of doing with my print queues?

https://social.technet.microsoft.com/Forums/en-US/cea2dd34-bd5a-436c-9eed-4de424b412b7/gpo-for-print-server-security-settings?forum=winserverprint

Also, if you read through this post, Alan Morris seems to think the setprinter command can accomplish exactly what it is I am asking for, though I have yet to receive a reply fro

July 6th, 2015 10:28am

What is it you are calling a server?  The Print spooler is the only service.  Are you talking about a view in Print Manager Console?

A print server is a machine running the print spooler service.  A queue is a logical device that controls access and configuration of an attached print device.  We configure users on Q's and not on servers or devices.  Users print to Q's.

July 6th, 2015 11:13am

If you are referring to PrintManager then each server has a set of groups defined for the three major access paths.  This controls the default access to the printer objects (Queues).  You can assign users via standard AD group management CmdLets.  You can also use the PrintManagement API to adjust security.

July 6th, 2015 11:17am

Note that the "server" security settings only affect new print queues and will not change existing Q security. It also controls the user's default access to the server and printer objects.  It can be more restrictive than the printer or less.

July 6th, 2015 11:43am

This topic is archived. No further replies will be accepted.
