Logon Script Powershell -Printing

  • Question

  • Hello,

    In our school district, we have staff who work in more than one school. Since those staff can be in the OU of only one of the schools, they are pulling the printers for that school only. The printers are deployed using GP.

    In order to handle it, what I have done is that: 

    I have written a PowerShell script which takes in a CSV file with the names of all the staff who work at more than one school and the names of the schools they work at. The PowerShell script will run as a logon script, and since it runs, the users pull the respective printers from all the schools they work at.

    The problem is that not everyone can print to some of the printers. They are network printers, but only admin staff are allowed to print, not the teachers. But when the logon script runs it tries to add those printers too, and since it can't connect, the user sees the "Connecting to the Printer" prompt box.

    I was wondering if I could perform a check before adding the printers, so that a printer is added only if its security permissions are set so that "everyone" can print. But I can't find a way to find that out. I was thinking of reading the security permissions on the printers and then adding them.

    Can anyone help?

    Thanks, 
    Aman

    Thursday, October 11, 2018 7:35 PM

All replies

  • Just create groups for the staff and create a GPO for the group that contains the correct printers.

    This is a GPO issue and should be posted in the GP forum.

    A script will not let non-admins read the security.


    \_(ツ)_/

    Thursday, October 11, 2018 7:46 PM
  • Can you map the printers by computer name?


    • Edited by JS2010 Thursday, October 11, 2018 8:37 PM
    Thursday, October 11, 2018 8:37 PM
  • I will be reading the security permissions on the printers as an admin. Can I get the security in a readable format?

    Thursday, October 11, 2018 10:10 PM
  • How are you reading them?


    \_(ツ)_/

    Thursday, October 11, 2018 10:11 PM
  • No actually, because we want users to be able to log on to any machine and still get the printers of all the schools they work for.
    Thursday, October 11, 2018 10:11 PM
  • So, in the script... I have a script block (providing the administrator credentials) which will connect to the server where our AD and Print Management are, and I can perform actions.

    Below is a sample of how I am trying to do it:

    foreach ($p in $listofPrinter)
    {
        # Read each printer's security descriptor as an SDDL string
        $Sids = (Get-Printer $p.Name -Full).PermissionSDDL
        Write-Host $Sids
    }

    It responds as below:

    G:SYD:(A;;LCSWSDRCWDWO;;;S-1-5-21-1993962763-1957994488-839522115-62727)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-1993962763-1957994488-839522115-62727)(A;OIIO;GA;;;CO)(A;OIIO;GA;;;AC)(A;;SWRC;;;WD)(A;CIIO;GX;;;WD)(A;;SWRC;;;AC)(A;CIIO;GX;;;AC)(A;;LCSWDTSDRCWDWO;;;BA)(A;OICIIO;GA;;;BA)(A;;LCSWDTSDRCWDWO;;;PO)(A;OICIIO;GA;;;PO)(A;;LCSWDTSDRCWDWO;;;SO)(A;OICIIO;GA;;;SO)

    I think I have to convert it into a readable format so that I can apply a condition on it (i.e. if("Everyone can print"))

    Thank you,

    Aman

    Thursday, October 11, 2018 10:20 PM
  • convertfrom-sddlstring


    \_(ツ)_/

    Thursday, October 11, 2018 10:23 PM
  • $Sids=ConvertFrom-SddlString -Sddl ((Get-Printer $P.Name -Full).PermissionSDDL) gives me the following error:

    The term 'ConvertFrom-SddlString' is not recognized as the name of a cmdlet 

    Can't find anything about it.

    Thanks, 
    Aman 

    Thursday, October 11, 2018 10:31 PM
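
An added example, not part of the thread: one way to test a `PermissionSDDL` string for an "Everyone can print" entry using the .NET `RawSecurityDescriptor` class, which does not depend on `ConvertFrom-SddlString`. The function name `Test-EveryoneCanPrint` and both sample SDDL strings are constructed for illustration; the check looks only at ACEs for the Everyone SID (`WD`, S-1-1-0) and the Win32 printer "Print" right (`PRINTER_ACCESS_USE`, 0x8), so it says nothing about access granted or denied through other groups.

```powershell
function Test-EveryoneCanPrint {
    param([Parameter(Mandatory = $true)][string]$Sddl)

    $printRight  = 0x8          # PRINTER_ACCESS_USE ("Print"); appears as SW in printer SDDL
    $everyoneSid = 'S-1-1-0'    # Everyone, written as WD in SDDL
    $inheritOnly = [int][System.Security.AccessControl.AceFlags]::InheritOnly

    # Parse the SDDL into a security descriptor object
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    if ($null -eq $sd.DiscretionaryAcl) { return $false }

    $allowed = $false
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.SecurityIdentifier.Value -ne $everyoneSid)        { continue }

        # Inherit-only ACEs (IO flag) apply to child objects such as print
        # jobs, not to the printer itself, so they do not grant "Print".
        if (([int]$ace.AceFlags -band $inheritOnly) -ne 0) { continue }

        # Skip ACEs that do not mention the Print right at all
        if (($ace.AccessMask -band $printRight) -eq 0) { continue }

        # An explicit deny of Print for Everyone overrides any allow
        if ($ace.AceQualifier -eq 'AccessDenied')  { return $false }
        if ($ace.AceQualifier -eq 'AccessAllowed') { $allowed = $true }
    }
    return $allowed
}

# Constructed sample descriptors (not taken from a real print server)
$samples = [ordered]@{
    'Staff-Printer' = 'G:SYD:(A;;SWRC;;;WD)(A;CIIO;GX;;;WD)(A;;LCSWDTSDRCWDWO;;;BA)'
    'Admin-Printer' = 'G:SYD:(A;;LCSWDTSDRCWDWO;;;BA)(A;OICIIO;GA;;;BA)'
    'Denied-Printer' = 'G:SYD:(D;;SWRC;;;WD)(A;;SWRC;;;WD)(A;;LCSWDTSDRCWDWO;;;BA)'
}

foreach ($name in $samples.Keys) {
    '{0}: Everyone can print = {1}' -f $name, (Test-EveryoneCanPrint -Sddl $samples[$name])
}
```

In the logon-script loop, the same function can be called on `(Get-Printer $p.Name -Full).PermissionSDDL` and the printer added only when it returns `$true`.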