Delegating Rights to Help Desk Users

Guest

I need to add a group to all printers with the "Manage Documents" permissions.

I have found a document from the Windows Printing Team with the following:
You will need the setprinter.exe utility from the Windows resource kit
level 3
Set a printer with the security you want. View the security for that printer, then apply the same security descriptor for a single printer or all the printers on a system. This will work locally or targeting a remote machine.

I have tried this but end up with the following error:
Unable to set printer on 'hp5si'. Error code 1307.
"This security ID may not be assigned as the owner of this object."
 
Guest

Alan,
Good to see you're still hanging out in here.
I am trying this on my local machine with Admin rights.


Alan Morris said:
I still hang out here. Are you performing this local or to a remote server?

1307 ERROR_INVALID_OWNER

--
Alan Morris
Windows Printing Team
Search the Microsoft Knowledge Base here:
http://support.microsoft.com/default.aspx?scid=fh;[ln];kbhowto

This posting is provided "AS IS" with no warranties, and confers no rights.

Matt Carmichael said:
I need to add a group to all printers with the "Manage Documents" permissions.

I have found a document from the Windows Printing Team with the following:
You will need the setprinter.exe utility from the Windows resource kit
level 3
Set a printer with the security you want. View the security for that printer, then apply the same security descriptor for a single printer or all the printers on a system. This will work locally or targeting a remote machine.

I have tried this but end up with the following error:
Unable to set printer on 'hp5si'. Error code 1307.
"This security ID may not be assigned as the owner of this object."
 
Alan Morris [MSFT]

Make sure you move the " " when getting the example and setting the next printer.

E:\>setprinter -examples 3

Used to set print queue security. Note: Security settings can only be set as a whole. No support is provided for partial modifications.

To see current settings:
SetPrinter -show PrinterName 3

To change security settings (see "Security Descriptor String Format" in MSDN or SDKdocs for details):
*** WARNING: this could make the print queue inaccessable and require the use of a registry editor to fix ***
SetPrinter PrinterName 3 "pSecurityDescriptor=O:BAG:DUD:(A;CIIO;RC;;;CO)(A;OIIO;GA;;;CO)(A;;SWRC;;;WD)(A;CIIO;GX;;;WD)(A;;LCSWSDRCWDWO;;;BA)(A;OICIIO;GA;;;BA)(A;;LCSWSDRCWDWO;;;PU)(A;OICIIO;GA;;;PU)"

To leave the settings unchanged (but what's the point then):
SetPrinter PrinterName 3 "pSecurityDescriptor=NULL"



So I set up 123printme and get the security descriptor.

E:\>setprinter -show 123printme 3

pSecurityDescriptor="O:BAG:DUD:(A;OIIO;RPWPSDRCWDWO;;;BA)(A;;LCSWSDRCWDWO;;;BA)(A;CIIO;RC;;;CO)(A;OIIO;RPWPSDRCWDWO;;;CO)(A;;SWRC;;;WD)(A;OIIO;RPWPSDRCWDWO;;;PU)(A;;LCSWSDRCWDWO;;;PU)(A;;LCSWSDRCWDWO;;;S-1-5-21-2127521184-1604012920-1887927527-00032)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-2127521184-1604012920-1887927527-00032)"

Then I take this descriptor from the configured printer and set it on test printer.

E:\>setprinter test 3 "pSecurityDescriptor=O:BAG:DUD:(A;OIIO;RPWPSDRCWDWO;;;BA)(A;;LCSWSDRCWDWO;;;BA)(A;CIIO;RC;;;CO)(A;OIIO;RPWPSDRCWDWO;;;CO)(A;;SWRC;;;WD)(A;OIIO;RPWPSDRCWDWO;;;PU)(A;;LCSWSDRCWDWO;;;PU)(A;;LCSWSDRCWDWO;;;S-1-5-21-2127521184-1604012920-1887927527-00032)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-2127521184-1604012920-1887927527-00032)"

Set printer on 'test' succeeded.




--
Alan Morris
Windows Printing Team
Search the Microsoft Knowledge Base here:
http://support.microsoft.com/default.aspx?scid=fh;[ln];kbhowto

This posting is provided "AS IS" with no warranties, and confers no rights.

Guest

I managed to get it working following your example (which is what I had been doing) but with one difference.

I was doing what all good admins do: "runas" with elevated privileges.
Once I logged on with the admin account it worked.

Moral of the story: "not everything works from the command prompt using runas".
Thank you very much for your help.

Guest

I've run into another issue.
It looks like I have to repeat this step on every print server because of the unique SIDs in the security descriptor. I really need to automate this at the time of the printer installs.

I'm using prnport.vbs, prnmgr.vbs & prncnfg.vbs to automate the install from a csv file.

Is there another way that you know of to do this?
I can use setACL.exe but that means I have to make the file available on every server.
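
Added example (not part of the original posts): Python that parses the descriptor `setprinter -show 123printme 3` returned earlier in the thread, names the permission each ACE carries, and lists the trustees written as literal SIDs, which is what ties the string to one server. The helper names and `retarget` are introduced here for illustration; the rights table uses the standard SDDL bit values and the spooler masks from winspool.h.

```python
import re

# SDDL right tokens -> access-mask bits (standard SDDL values).
RIGHTS = {"LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000}
# Spooler access masks (winspool.h) and the permission names the printer UI shows.
LABELS = {0xF000C: "Manage Printers",    # PRINTER_ALL_ACCESS
          0xF0030: "Manage Documents",   # JOB_ALL_ACCESS, inherited by jobs
          0x20008: "Print"}              # PRINTER_EXECUTE

# Descriptor printed by "setprinter -show 123printme 3" in the thread above.
SID = "S-1-5-21-2127521184-1604012920-1887927527-00032"
SDDL = ("O:BAG:DUD:(A;OIIO;RPWPSDRCWDWO;;;BA)(A;;LCSWSDRCWDWO;;;BA)"
        "(A;CIIO;RC;;;CO)(A;OIIO;RPWPSDRCWDWO;;;CO)(A;;SWRC;;;WD)"
        "(A;OIIO;RPWPSDRCWDWO;;;PU)(A;;LCSWSDRCWDWO;;;PU)"
        f"(A;;LCSWSDRCWDWO;;;{SID})(A;OIIO;RPWPSDRCWDWO;;;{SID})")

def parse_aces(sddl):
    """Split the DACL into ACEs and decode each rights string to a mask."""
    aces = []
    for body in re.findall(r"\(([^)]*)\)", sddl):
        ace_type, flags, rights, _obj, _inherit_obj, trustee = body.split(";")
        tokens = re.findall("..", rights)
        known = all(t in RIGHTS for t in tokens)   # GA/GX etc. stay undecoded
        mask = sum(RIGHTS[t] for t in tokens) if known else None
        aces.append({"type": ace_type, "flags": flags, "mask": mask,
                     "label": LABELS.get(mask, rights), "trustee": trustee})
    return aces

def raw_sid_trustees(sddl):
    """Trustees written as literal SIDs rather than two-letter aliases."""
    return {a["trustee"] for a in parse_aces(sddl)
            if a["trustee"].startswith("S-1-")}

def permissions_of(sddl, trustee):
    """Permission labels granted to one trustee, in DACL order."""
    return [a["label"] for a in parse_aces(sddl) if a["trustee"] == trustee]

def retarget(sddl, old_sid, new_sid):
    """Rewrite only the trustee field of ACEs that name old_sid."""
    return sddl.replace(f";{old_sid})", f";{new_sid})")

if __name__ == "__main__":
    for ace in parse_aces(SDDL):
        print(f'{ace["trustee"]:50} {ace["flags"]:5} {ace["label"]}')
    print("literal SIDs:", raw_sid_trustees(SDDL))
```

Run against the thread's descriptor, the literal SID receives the Manage Printers mask as well as Manage Documents, which is worth checking against the original goal before the string is copied to other queues.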

Alan Morris [MSFT]

We can set this up as a service so any newly added printers get the proper security info.

Contact me directly.

(e-mail address removed)

--
Alan Morris
Windows Printing Team
Search the Microsoft Knowledge Base here:
http://support.microsoft.com/default.aspx?scid=fh;[ln];kbhowto

This posting is provided "AS IS" with no warranties, and confers no rights.
