Home / server / Questions / 450995
Accepted
Matt Hamende
Asked: 2012-11-22 11:36:05 +0800 CST

Server 2008 R2 - Apply New permissions to all printers on server

  • 772

We setup a new 64bit Print Server (Server 2008 R2) and on our previous print server we had the helpdesk as a member of the power users group, and gave them "Manager Printers" so they could change printer ports when printers went down.

it looks like there was an oversight and it wasn't added when we setup the new server.

I've added them to power users, and went into Print Server Properties in "PRINTMANAGEMENT.MSC" and granted the permissions, but it seems like this is only going to apply to new printers as it doesn't appear to be inheriting to any existing printers.

anyway to get these permissions to propogate to the existing printers?

these are setup as local printers, bound to Standard TCP / IP ports.

windows-server-2008

4 Answers

  1. Best Answer

    I came across this question realizing I never posted what I did, ultimately I figured out a way to use SUBINACL.exe (needs to be in a path directory like System32)

    and passed it through a powershell loop of all the printers

    here's the code, run it from the PS Console as Administrator on the Print Server

    $Logpath = "c:\temp\logs"


Stop-Transcript -ErrorAction "SilentlyContinue"
Start-Transcript $Logpath -Append

$PRINTERS = (Get-WmiObject Win32_Printer)

foreach($PRINTER in $PRINTERS)
{$Server = $PRINTER.SystemName
 $PrinterName = $PRINTER.name
Write-Host \\$Server\$PrinterName 
Invoke-Command -AllowRedirection {subinacl.exe /printer \\$Server\$PrinterName /Grant=domain\username=F}
}
Stop-Transcript

    I don't work there anymore but I hope someone benefits from finding this.

    • 3

  2. I recognize this is not a method by which to apply security permissions to all printers, but it may solve your problem.

    The default permissions on a printer usually seems to include manage permissions assigned to the domain group "Print Operators". Consider adding your helpdesk group to "Print Operators".

    Also, there appears to be a global set of permissions that may allow for setting to be applied to all printers found under Print Server Properties which can be accesssed by right clicking the Print Server's name in printmanagement.msc.

    Note: I have not used the Print Server Properties acl before, so I cannot say if it works the way you want.

    • 1

  3. When I run this it appears to be pulling the server name and printer names but is erroring on running the command --

    \[print server name][printer name] Invoke-Command : Cannot evaluate parameter 'ConnectionUri' because its argument is specified as a script block and ther e is no input. A script block cannot be evaluated without input. At C:\ntutils\utils\Subinacl7.ps1:13 char:15 + Invoke-Command <<<< -AllowRedirection {c:\ntutils\utils\subinacl.exe /printer http://$Server/$PrinterName /Grant=ter minalserver\ManagePrintQueues=M} + CategoryInfo : MetadataError: (:) [Invoke-Command], ParameterBindingException + FullyQualifiedErrorId : ScriptBlockArgumentNoInput,Microsoft.PowerShell.Commands.InvokeCommandCommand

    • 0

  4. This one bugged me for a while and with the help of this thread I got to where I needed. as Mike pointed out the script gave me errors, I tried modifying it but nothing. Finally I used good'ol CMD directly.

    First, I got my list of printers.

    Get-WmiObject Win32_Printer | Select-Object -Property Name

    Second, I pasted the results to excel along with the command.

    See Image of Excel Layout

    Third, I copied that into Notepad++ and cleaned up the spaces.

    Finally, Pasted into CMD and ran it.

    Seems like a lot but took me all of 10 minutes. Sorry is not clean! Hope it helps!

    • 0