Permissions Question

[Guest]

We are presently moving over to a 2 node print server cluster. We would like
to adjust the permissions on each of our printers. Currently we have our full
IS dept set as 'Power Users' on each of our print servers, this gives them
the default ability to 'manage printers'. We would like to restrict this
permission to only allow the permission to be 'manage documents'. Is there a
way, perhaps through Group Policy', to automatically place a 'non-default'
group into each printers security settings? We have approximately 900
printers, so you can see we do not want to do this manually. Thanks for any
help. If more information is needed, pls ask.

 

[Alan Morris [MSFT]]

The resource kit has a tool setprinter.exe where you can set all the
security descriptors the same for all printers. Basically you need to
configure one printer with the UI with the changes, then read the
descriptor, then set all the printers the same.

config "PrinterName" with UI
To see current settings:
SetPrinter -show PrinterName 3

To change security settings (see "Security Descriptor String Format" in MSDN
or SDKdocs for details)
:
*** WARNING: this could make the print queue inaccessible and require the
use of a registry editor to fix ***

SetPrinter \\servername 3
"pSecurityDescriptor=O:BAGUDA;CIIO;RC;;;CO)(A;OIIO;GA;;;CO)(A;;SWRC;;;WD
)(A;CIIO;GX;;;WD)(A;;LCSWSDRCWDWO;;;BA)(A;OICIIO;GA;;;BA)(A;;LCSWSDRCWDWO;;;
PU)(A;OICIIO;GA;;;PU)"

To leave the settings unchanged (but what's the point then):
SetPrinter PrinterName 3 "pSecurityDescriptor=NULL"

here's the resource kit.
http://www.microsoft.com/downloads/...69-57ff-4ae7-96ee-b18c4790cffd&DisplayLang=en



--
Alan Morris
Windows Printing Team
Search the Microsoft Knowledge Base here:
http://support.microsoft.com/default.aspx?scid=fh;[ln];kbhowto

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Guest]

Very Cool..... thanks Alan. We'll put together a script to test, update the
results here later.
Thx again!

The resource kit has a tool setprinter.exe where you can set all the
security descriptors the same for all printers. Basically you need to
configure one printer with the UI with the changes, then read the
descriptor, then set all the printers the same.

config "PrinterName" with UI
To see current settings:
SetPrinter -show PrinterName 3

To change security settings (see "Security Descriptor String Format" in MSDN
or SDKdocs for details)
:
*** WARNING: this could make the print queue inaccessible and require the
use of a registry editor to fix ***

SetPrinter \\servername 3
"pSecurityDescriptor=O:BAGUDA;CIIO;RC;;;CO)(A;OIIO;GA;;;CO)(A;;SWRC;;;WD
)(A;CIIO;GX;;;WD)(A;;LCSWSDRCWDWO;;;BA)(A;OICIIO;GA;;;BA)(A;;LCSWSDRCWDWO;;;
PU)(A;OICIIO;GA;;;PU)"

To leave the settings unchanged (but what's the point then):
SetPrinter PrinterName 3 "pSecurityDescriptor=NULL"

here's the resource kit.
http://www.microsoft.com/downloads/...69-57ff-4ae7-96ee-b18c4790cffd&DisplayLang=en



--
Alan Morris
Windows Printing Team
Search the Microsoft Knowledge Base here:
http://support.microsoft.com/default.aspx?scid=fh;[ln];kbhowto

This posting is provided "AS IS" with no warranties, and confers no rights.

We are presently moving over to a 2 node print server cluster. We would
like
to adjust the permissions on each of our printers. Currently we have our
full
IS dept set as 'Power Users' on each of our print servers, this gives them
the default ability to 'manage printers'. We would like to restrict this
permission to only allow the permission to be 'manage documents'. Is there
a
way, perhaps through Group Policy', to automatically place a 'non-default'
group into each printers security settings? We have approximately 900
printers, so you can see we do not want to do this manually. Thanks for
any
help. If more information is needed, pls ask.