Asked by:
How to set "Manage Document" rights by set-printer cmdlet when every other permission is set correctly?

Question
Hi,
because Microsoft released their new cmdlets I thought it would be an easy task to apply some permissions to a remote printer. It is fairly simple, as long as you want to set print permissions, manage printer, or full access. The point where I have a problem is setting the permissions for "manage documents". There are a bunch of scripts out there where you can read printer permissions with "get-printer xxxx -full" and change the SDDL by adding some allow rules, but every time I get to the point of applying the "manage documents" permission, I'm not able to do that.
Here is a sample Script for that:
# Get printer & settings
$printer = Get-Printer -Name "test" -ComputerName "remote" -Full
$groupName = "ad\testgroup"
$permission = 983088

# Create a security descriptor from the printer's current SDDL
# (the Get-Printer property is named PermissionSDDL)
$SecurityDescriptor = New-Object -TypeName Security.AccessControl.CommonSecurityDescriptor $false, $false, $printer.PermissionSDDL

# Resolve the group to its SID
$NTAccount = New-Object Security.Principal.NTAccount $groupName
$NTAccountSid = $NTAccount.Translate([Security.Principal.SecurityIdentifier]).Value

# Add the allow ACE (no inheritance / propagation flags)
$SecurityDescriptor.DiscretionaryAcl.AddAccess("Allow", $NTAccountSid, $permission, "none", "none")

# Render the new SDDL
$remotePrinterSDDL = $SecurityDescriptor.GetSddlForm("all")

# Apply the permissions to the remote printer
$printer = Get-Printer -Name "test" -ComputerName "remote" | Set-Printer -Name "test" -ComputerName "remote" -PermissionSDDL $remotePrinterSDDL -Verbose
This script won't apply the "Manage Documents" permission but instead "read rights", "change rights" and "take ownership" for the "Manage Documents" group (I stripped the script for this posting so that it applies only the Manage Documents rights). Every other permission like "full access", "manage printer" and "print" is applied correctly.
There is another script you can find where everything for print permissions is done by creating security descriptors, ACE rules and trustees from WMI and applying everything. There is one "if" line for the "manage documents" permission:
if ($masks.$AccessMask -eq 983088) {$AddInfo.AceFlags = 9}
After some research I found out that this sets some inheritance information. When I read and extract the permissions from a printer after I set everything correctly, I get this:
Computer   : xxx
Name       : test
AccessMask : 983052
AceFlags   : 0
AceType    : 0
User       : testgroup
Domain     : AD
SID        : S-1-5-21-1727233309-1633456537-1369255568-1134

Computer   : xxx
Name       : test
AccessMask : 983088
AceFlags   : 9
AceType    : 0
User       : testgroup
Domain     : AD
SID        : S-1-5-21-1727233309-1633456537-1369255568-1134
As you can see, the correct permission with AccessMask 983088 has an AceFlags value. After reading the SDDL permission from the printer I can see this:
... (A;;LCSWSDRCWDWO;;;S-1-5-21-1727233309-1633456537-1369255568-1134) (A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-1727233309-1633456537-1369255568-1134) ...
The AceFlags change, among other things, the inheritance for this permission. OI => ObjectInherit, IO => InheritOnly. Both could be set by the inheritance and propagation flags of the AddAccess() function, but that doesn't work and instead throws an exception.
As in my first script, I'm able to apply some permissions, but everything without AceFlags. I tried to find out more about the function "DiscretionaryAcl.AddAccess" and found more parameters here: https://msdn.microsoft.com/en-us/library/3x74k92h(v=vs.110).aspx
There is a parameter called AceFlag, with the following description: Flags that specify if the objectType and inheritedObjectType parameters contain non-null values.
If I call AddAccess without objectType and inheritedObjectType I get an exception: can't find a function with 6-parameter overloading. The same happens when I pass $null for both last parameters. If I generate some random GUID for this, I get an error that this can only be set when the permission is applied to a folder (filesystem) and not to a printer.
Looks like whoever created the plausibility check for DiscretionaryAcl.AddAccess didn't take printer permissions into account. Maybe someone else has had this problem and can give me a hint how to run this with the above function.
I can do it the "old" way, creating ACE objects, SD and trustees, but I wanted to use the new way, which is more readable to someone who isn't knee-deep into coding.
Kind Regards
Marco
Monday, July 31, 2017 9:44 AM
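The following is an added example, not code from the original post. It assumes "Manage Documents" consists of the two ACEs listed in the question (mask 983052 with no flags, and mask 983088 with ObjectInherit + InheritOnly, i.e. AceFlags 9), and it relies on the fact that CommonSecurityDescriptor only accepts inheritance and propagation flags when its isContainer argument is $true; the script in the question passes $false, which is why AddAccess throws. The printer and group names are placeholders.

```powershell
# Added example (not from the original post). Builds a new PermissionSDDL that
# grants "Manage Documents" to a group, using the two ACEs the question observed.
function Add-ManageDocumentsAce {
    param(
        [Parameter(Mandatory)][string]$PermissionSDDL,   # value of (Get-Printer -Full).PermissionSDDL
        [Parameter(Mandatory)][string]$GroupName         # e.g. "AD\testgroup" (placeholder)
    )

    # Resolve the group to a SecurityIdentifier object (AddAccess wants the SID, not a string)
    $sid = ([Security.Principal.NTAccount]$GroupName).Translate(
        [Security.Principal.SecurityIdentifier])

    # isContainer = $true: a printer contains print jobs, and with $false the
    # DiscretionaryAcl rejects any InheritanceFlags/PropagationFlags with an exception.
    $sd = New-Object Security.AccessControl.CommonSecurityDescriptor `
        $true, $false, $PermissionSDDL

    # ACE 1: rights on the printer object itself (SDDL LCSWSDRCWDWO), no inheritance
    $sd.DiscretionaryAcl.AddAccess(
        [Security.AccessControl.AccessControlType]::Allow, $sid, 983052,
        [Security.AccessControl.InheritanceFlags]::None,
        [Security.AccessControl.PropagationFlags]::None)

    # ACE 2: rights on the print jobs (SDDL RPWPSDRCWDWO),
    # ObjectInherit (0x1) + InheritOnly (0x8) => AceFlags 9, shown as OIIO in SDDL
    $sd.DiscretionaryAcl.AddAccess(
        [Security.AccessControl.AccessControlType]::Allow, $sid, 983088,
        [Security.AccessControl.InheritanceFlags]::ObjectInherit,
        [Security.AccessControl.PropagationFlags]::InheritOnly)

    # Return the complete SDDL (owner, group, DACL, SACL) for Set-Printer
    $sd.GetSddlForm([Security.AccessControl.AccessControlSections]::All)
}

# Usage against a remote printer (names are placeholders):
$printer = Get-Printer -Name "test" -ComputerName "remote" -Full
$newSddl = Add-ManageDocumentsAce -PermissionSDDL $printer.PermissionSDDL -GroupName "AD\testgroup"
Set-Printer -Name "test" -ComputerName "remote" -PermissionSDDL $newSddl -Verbose
```

Compare the result with `Get-Printer -Full` afterwards: the group should now appear with both a plain ACE and an `(A;OIIO;RPWPSDRCWDWO;;;<SID>)` ACE, as in the question's output.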
All replies
Hi,
I have a suggestion: use the permissions of a printer where the “document management” permission is already applied, then apply them to the others. The code could be like this:
$security = get-printer "printer with changes" -full
get-printer * | Foreach-Object {set-printer $_.name -PermissionSDDL $security.PermissionSDDL}
Refer to link below: https://blogs.technet.microsoft.com/heyscriptingguy/2014/08/10/weekend-scripter-add-security-groups-to-print-servers-by-using-powershell/
Besides, where did you get these scripts?
I suppose you could ask on the author’s site.
Best Regards,
Frank
Please remember to mark the replies as answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
Tuesday, August 1, 2017 6:03 AM
Hi,
Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.
Best Regards,
Frank
Please remember to mark the replies as answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
Friday, August 11, 2017 4:20 AM
Got the same problem.
Did you find any solution besides hacking an SDDL together?
It's the ghost in the machine that won't let me go on vacation :-)
Wednesday, July 25, 2018 3:12 PM