How to set "Manage Document" rights by set-printer cmdlet when every other permission is set correctly?

  • Question

  • Hi,

    Because Microsoft released their new cmdlets, I thought it would be an easy task to apply some permissions to a remote printer. It is fairly simple as long as you want to set print permissions, manage printer, or full access. The point where I have a problem is setting the permission for "manage documents". There are a bunch of scripts out there where you can read printer permissions with "get-printer xxxx -full" and change the SDDL by adding some allow rules, but every time I get to the point of applying the "manage documents" permission, I am not able to do that.

    Here is a sample Script for that:

    #Get Printer & settings
    $printer = get-printer -Name "test" -ComputerName "remote" -full 
    $groupName = "ad\testgroup"
    $permission = 983088
    
    # Create SDDL
    $SecurityDescriptor = New-Object -TypeName Security.AccessControl.CommonSecurityDescriptor $false, $false, $printer.permissionsSDDL
    
    # Get Group
    $NTAccount = New-Object Security.Principal.NTAccount $groupName
    
    #Get GroupSID
    $NTAccountSid = $NTAccount.Translate([Security.Principal.SecurityIdentifier]).Value
    
    # ADD Permission
    $SecurityDescriptor.DiscretionaryAcl.AddAccess("Allow",$NTAccountSid,$permission,"none","none")
    
    # SDDL
    $remotePrinterSDDL = $SecurityDescriptor.GetSddlForm("all")
    
    #Set Permissions
    $printer = get-printer -Name "test" -ComputerName "remote" | Set-Printer -Name "test" -ComputerName "remote" -PermissionSDDL $remotePrinterSDDL -verbose


    This script won't apply the "Manage Documents" permission but instead "read rights", "change rights" and "take ownership" for the "Manage Documents" groups (I stripped the script for this posting to apply only Manage Documents rights). Every other permission like "full access", "manage printer" and "print" is applied correctly.

    There is another script you can find where everything for print permissions is done by creating security descriptors, ACE rules and trustees from WMI and applying everything. There is one "if" line for the "manage documents" permission:

    if ($masks.$AccessMask -eq 983088) {$AddInfo.AceFlags = 9}

    After some research, I found out that this sets some inheritance information. When I read and extract the permissions from a printer after I set everything correctly, I get this:

    Computer   : xxx
    Name       : test
    AccessMask : 983052
    AceFlags   : 0
    AceType    : 0
    User       : testgroup
    Domain     : AD
    SID        : S-1-5-21-1727233309-1633456537-1369255568-1134
    
    Computer   : xxx
    Name       : test
    AccessMask : 983088
    AceFlags   : 9
    AceType    : 0
    User       : testgroup
    Domain     : AD
    SID        : S-1-5-21-1727233309-1633456537-1369255568-1134


    As you can see, the correct permission with AccessMask 983088 has an AceFlag. After reading the SDDL permission from the printer, I can see this:

    ...
    (A;;LCSWSDRCWDWO;;;S-1-5-21-1727233309-1633456537-1369255568-1134)
    (A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-1727233309-1633456537-1369255568-1134)
    ...

    The AceFlags change, among other things, the inheritance for this permission: OI => ObjectInherit, IO => InheritOnly. Both could be set by the inheritance and propagation flags of the AddAccess() function, but that doesn't work and instead throws an exception.

    As in my first script, I'm able to apply some permissions, but only without AceFlags. I tried to find out more about the function "DiscretionaryAcl.AddAccess" and found more parameters here: https://msdn.microsoft.com/en-us/library/3x74k92h(v=vs.110).aspx

    There is a parameter called AceFlag, with the following description: Flags that specify if the objectType and inheritedObjectType parameters contain non-null values.

    If I call AddAccess without objectType and inheritedObjectType, I get an exception: can't find a function overload with 6 parameters. The same happens when I pass $null for both last parameters. If I generate some random GUID for this, I get an error that this can only be set when the permission is applied to a folder (filesystem) and not to a printer.

    Looks like whoever created the plausibility check for DiscretionaryAcl.AddAccess didn't take printer permissions into account. Maybe someone else has had this problem and can give me a hint on how to run this with the above function.

    I can do it the "old" way, creating ACE objects, SDs and trustees, but I wanted to use the new way, which is more readable to someone who isn't knee-deep in coding.

    Kind Regards

    Marco

    Monday, July 31, 2017 9:44 AM
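An added example, not the poster's script or Microsoft's code: the same DiscretionaryAcl.AddAccess approach, but with the security descriptor created as a container so that the ObjectInherit and InheritOnly flags behind the "OIIO" ACE above can be passed instead of throwing. The container flag ($true instead of the $false in the question's script) is this example's assumption, Add-ManageDocumentsAce and Test-ManageDocumentsAce are hypothetical names, and the sample SDDL and group SID are constructed so the block runs without a real printer.

```powershell
# Added example (not from the original post). Assumption: the descriptor is created as a
# container (first constructor argument $true instead of the $false used in the question);
# on a non-container descriptor the .NET ACL classes treat ObjectInherit/InheritOnly as
# meaningless, which would explain the exception described in the question.
function Add-ManageDocumentsAce {
    param(
        [Parameter(Mandatory)] [string] $PermissionSDDL,                       # (Get-Printer -Full).PermissionSDDL
        [Parameter(Mandatory)] [Security.Principal.SecurityIdentifier] $Sid   # group to grant Manage Documents
    )
    $manageDocumentsMask = 983088   # 0xF0030 from the question, rendered as RPWPSDRCWDWO in SDDL

    # isContainer = $true: a printer is the container of its print jobs, so inherit-only ACEs are valid
    $sd = New-Object Security.AccessControl.CommonSecurityDescriptor -ArgumentList $true, $false, $PermissionSDDL

    # ObjectInherit + InheritOnly is AceFlags 9, the "OIIO" seen in the question's SDDL dump
    $allow       = [Security.AccessControl.AccessControlType]::Allow
    $inheritance = [Security.AccessControl.InheritanceFlags]::ObjectInherit
    $propagation = [Security.AccessControl.PropagationFlags]::InheritOnly
    $sd.DiscretionaryAcl.AddAccess($allow, $Sid, $manageDocumentsMask, $inheritance, $propagation)

    return $sd.GetSddlForm([Security.AccessControl.AccessControlSections]::All)
}

# Re-parse an SDDL string and check that the group holds the inherit-only document ACE, as opposed
# to a plain ACE with the same mask (the wrong result the question describes).
function Test-ManageDocumentsAce {
    param(
        [Parameter(Mandatory)] [string] $Sddl,
        [Parameter(Mandatory)] [Security.Principal.SecurityIdentifier] $Sid
    )
    $sd = New-Object Security.AccessControl.CommonSecurityDescriptor -ArgumentList $true, $false, $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.SecurityIdentifier -eq $Sid -and $ace.AccessMask -eq 983088 -and [int]$ace.AceFlags -eq 9) {
            return $true
        }
    }
    return $false
}

# Constructed sample descriptor (not read from a real printer): Everyone may print,
# BUILTIN\Administrators hold Manage Printer and Manage Documents.
$sampleSddl = 'O:BAG:SYD:(A;;SWRC;;;WD)(A;OIIO;RPWPSDRCWDWO;;;BA)(A;;LCSWSDRCWDWO;;;BA)'
# Placeholder domain SID standing in for "ad\testgroup"; on a domain-joined host resolve it with
# (New-Object Security.Principal.NTAccount 'ad\testgroup').Translate([Security.Principal.SecurityIdentifier])
$groupSid = [Security.Principal.SecurityIdentifier] 'S-1-5-21-1000-2000-3000-1134'

$newSddl = Add-ManageDocumentsAce -PermissionSDDL $sampleSddl -Sid $groupSid
$newSddl
Test-ManageDocumentsAce -Sddl $newSddl -Sid $groupSid
# To push it to the printer from the question: Set-Printer -Name "test" -ComputerName "remote" -PermissionSDDL $newSddl
```

Run Test-ManageDocumentsAce against the SDDL read back with Get-Printer -Full after Set-Printer as well, since that confirms the spooler kept the inherit-only ACE rather than flattening it.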

All replies

  • Hi,

    I have a suggestion: use the permissions of a printer where the "document management" permission has already been applied, then apply them to the others. The code could be like this:

    $security = get-printer "printer with changes" -full

    get-printer * | Foreach-Object {set-printer $_.name -PermissionSDDL $security.PermissionSDDL}

    Refer to the link below: https://blogs.technet.microsoft.com/heyscriptingguy/2014/08/10/weekend-scripter-add-security-groups-to-print-servers-by-using-powershell/

    Besides, where did you get these scripts?

    I suppose you could ask on the author's site.

    Best Regards,

    Frank


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Tuesday, August 1, 2017 6:03 AM
  • Hi,
    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Frank


    Friday, August 11, 2017 4:20 AM
  • Got the same problem.

    Did you find any solution besides hacking an SDDL together?


    It's the ghost in the machine that doesn't let me go on vacation :-)

    Wednesday, July 25, 2018 3:12 PM