Every Windows printer has a discretionary access control list (ACL). The ACL contains one or more access control entries (ACEs). Each ACE defines a specific permission for some specific group or user. You could define a group (such as SalesAdmins
) and give that group the permission to manage documents, while you give another group (Sales
) access to print to the printer.
By default, when you create a printer, Windows adds some ACEs to the printer's ACL. This includes giving the Everyone
group the permission to print to the printer. For some printers, this may not be appropriate. For this reason, you may need to adjust the ACL, as shown in this recipe.
The PrintManagement
module contains a number of cmdlets that help you manage the printers; there are no cmdlets for managing ACLs on printers. You can always use .NET directly to manage the ACL, or you can use a third-party script that does the job for you. But the code for that is complex (and easy to mess up). For simplicity in this case, you're going to download and use a script, Set-PrintPermissions.ps1
, available on TechNet.
The SetPrintPermissions.ps1
script enables you to grant or deny printer permissions to AD users or groups. In this recipe, you use this script to remove the permission for members of the everyone group, then enable print, document, and print management to members of a different group. The script uses permission names that are familiar to IT pros, making this script easy to adapt.
A downside to this script is that there's no feature in the script to display the permissions on a printer object. You can always use .NET security classes to delve into the permissions, or (as you do in this recipe) just use the GUI to verify the actual permissions.
During the development of Windows Server 2019, printers that are created with the recipes in this chapter have some interesting ACEs set. One ACE is set with an SID that relates to the SID that belongs to 'defaultuser0'
. To avoid confusion, the graphics in the How it works… section don't show these ACEs.
This recipe uses AD accounts to set permissions based on the Create-SalesGroup.ps1
script . You need the PSRV
print server and the DC1
domain controller. To test the permissions, you can use CL1
.
Set-PrinterPermissions.ps1
script:$URL = 'https://gallery.technet.microsoft.com/scriptcenter/' + 'Modify-Printer-Permissions-149ae172/file/116651/1/' + 'Set-PrinterPermissions.ps1' $Target = 'C:FooSet-PrinterPermissions.ps1' Start-BitsTransfer -Source $URL -Destination $Target
Get-Help $Target
PrintUI.DLL
to bring up the printer properties GUI:rundll32.exe printui.dll,PrintUIEntry /p /nSalesprinter1
Everyone
ACE from the ACL for SalesPrinter1
:$SPHT1 = @{ ServerName = 'PSRV' Remove = $True AccountName = 'EVERYONE' SinglePrinterName = 'SalesPrinter1' } C:fooSet-PrinterPermissions.ps1 @SPHT1
Sales
group to print to this printer:$SPHT2 = @{ ServerName = 'PSRV' AccountName = 'ReskitSales' AccessMask = 'Print' SinglePrinterName = 'SalesPrinter1' } C:fooSet-PrinterPermissions.ps1 @SPHT2
SalesAdmins
permission to manage the documents:$SPHT3 = @{ ServerName = 'PSRV' AccountName = 'ReskitSalesAdmins' AccessMask = 'ManageDocuments' SinglePrinterName = 'SalesPrinter1' } C:fooSet-PrinterPermissions.ps1 @SPHT3
rundll32.exe printui.dll,PrintUIEntry /p /nSalesprinter1
In step 1, you used the BITS service to download the Set-PrinterPermissions
script. This step generates no output.
The Set-PrinterPermissions
script has comment-based help, which provides usage assistance. In step 2, you used Get-Help
to view the basic help information, which looks like this:
In step 3, you used PrintUI.DLL
to bring up the properties of the Salesprinter1
printer. In step 4, you viewed the initial ACL for the printer, which looks like this:
In step 5, you used the Set-Printerpermissions
script to remove the default ACE, allowing everyone to print to the printer. In step 6, you enabled the members of the sales group to print to the printer, and in step 7, you enabled the members of the sales admins group to manage the printer. These steps produced no output to the console.
In step 8, you printed the printer UI to view the updated ACL, which looks like this:
If you click on Sales, you can see their permissions, like this:
In step 1, you used the BITS service to download the Set-PrinterPermissions
script using the URL of the script. Alternatively, you could have used your search engine and downloaded it directly. The script isn't available on PowerShell Gallery.
In step 3 and step 8, you used PrintUI.DLL
to display a print-management GUI from which you can view the updated ACL for this printer. As you can see, the members of the Sales
group are able to print, and members of the SalesAdmins group can manage the printer.