Many aspects of infrastructure must be managed by the IT admin. Printers are one of the devices in today’s networks that are simple in function but often complicated to manage and maintain. However, with PowerShell, many of the more complicated tasks that have been performed manually by admins can be automated.
One aspect of configuring and maintaining printers is security. Printer security must be configured so that only authorized users can print, manage, or administer printers on the network. Setting up permissions can be very tedious to configure manually. However, by using PowerShell to alter the Windows permissions assigned to printers, securing printer permissions can easily be automated. Let’s look at how to manage printer security with PowerShell.
Methodology for assigning printer permissions
Like folders, files, and other shared objects on the network, printers have both Access Control Lists (ACLs) and Access Control Entries (ACEs). The Access Control List houses the Access Control Entries. As a best practice, Microsoft recommends placing users in groups and nesting these groups in a certain manner. A familiar acronym describing this method of assigning permissions in a Windows Server domain is AGDLP, which helps you remember that objects are nested in the following order:
- Accounts
- Global Groups
- Domain Local Groups
- Permissions
This same methodology applies to assigning permissions to printers. Users and computer accounts are placed inside Global Groups, and Global Groups are then placed inside of the Domain Local Groups that are assigned permissions.
Using this methodology, you can easily implement effective role-based access control (RBAC) for your organization. Based on a certain role, a user, group, or other object gets a certain set of permissions. Much like files and folders, printers are a resource on the network that is assigned permissions. Users and groups often get printer permissions based on their roles in the organization.
By default, when you create a printer, Windows—as it does in the case of all objects—assigns a certain set of default permissions that allow users to connect to the printer and perform the basic functions. The default permissions assigned include adding the Everyone group to the ACEs of the printer so that all users can print to the printer.
However, for many different reasons, certain printers may need to be restricted from allowing anyone who has a network login to print to a specific printer; for example, in order to restrict who can print to certain department printers. In many environments, printers are often located in specific locations for the use of certain departments. For purposes of billing individual departments for printer resources such as the cost of consumables, it may be necessary to restrict printing permissions to only those departments for which the printer is configured.
Let’s see how we can use PowerShell to control permissions for printers in order to both add and remove permissions as needed in a Windows environment.
Manage printer security with PowerShell
It seems as if there are PowerShell modules and cmdlets to control, manage, or configure just about any aspect of the Windows Server infrastructure. Printers are no exception. There is an official PowerShell module for interacting with Windows printers.
The PrintManagement module lets you interact with printers and perform many handy printer management tasks. The PrintManagement module includes the following cmdlets:
| Cmdlet | Description |
|---|---|
| Add-Printer | Adds a printer to the specified computer. |
| Add-PrinterDriver | Installs a printer driver on the specified computer. |
| Add-PrinterPort | Installs a printer port on the specified computer. |
| Get-PrintConfiguration | Gets the configuration information of a printer. |
| Get-PrintJob | Retrieves a list of print jobs in the specified printer. |
| Get-Printer | Retrieves a list of printers installed on a computer. |
| Get-PrinterDriver | Retrieves the list of printer drivers installed on the specified computer. |
| Get-PrinterPort | Retrieves a list of printer ports installed on the specified computer. |
| Get-PrinterProperty | Retrieves printer properties for the specified printer. |
| Read-PrinterNfcTag | Reads information about printers from an NFC tag. |
| Remove-PrintJob | Removes a print job on the specified printer. |
| Remove-Printer | Removes a printer from the specified computer. |
| Remove-PrinterDriver | Deletes printer driver from the specified computer. |
| Remove-PrinterPort | Removes the specified printer port from the specified computer. |
| Rename-Printer | Renames the specified printer. |
| Restart-PrintJob | Restarts a print job on the specified printer. |
| Resume-PrintJob | Resumes a suspended print job. |
| Set-PrintConfiguration | Sets the configuration information for the specified printer. |
| Set-Printer | Updates the configuration of an existing printer. |
| Set-PrinterProperty | Modifies the printer properties for the specified printer. |
| Suspend-PrintJob | Suspends a print job on the specified printer. |
| Write-PrinterNfcTag | Writes printer connection data to an NFC tag. |
One capability glaringly missing from the PrintManagement module is the ability to control printer permissions. However, TechNet script center comes to the rescue. A script found on the TechNet Script Center, Set-PrinterPermissions.ps1, fills the gap in the natively included PrintManagement PowerShell module.
Using the Set-PrinterPermissions PowerShell script, you can modify the ACE entries of your printers that are installed, either locally or on a print server. The parameters that can be passed to the script include the following:
- ServerName - Specify the SamAccountName of a server on which to modify printer permissions.
- AccountName - Specify the SamAccountName or userPrincipalName of a User or Group on which to modify or create permissions.
- SinglePrinterName - Specify an individual printer to modify permissions on. If no printer is specified, all printers on the target server will be updated.
- AccessMask - The permission Access Mask to be applied. Only relevant printer bit masks are represented: "ManagePrinters," "ManageDocuments," "Print," "TakeOwnership," "ReadPermissions," or "ChangePermissions." The default value is "Print."
- Deny - AccessMask AccessType will be set to "Deny." Default is to "Allow."
- Remove - Removes all Access Control Entries associated with the specified Account Name.
- AceFlag - A bit flag that indicates permission propagation:
  - 0x0001 - OBJECT_INHERIT_ACE
  - 0x0002 - CONTAINER_INHERIT_ACE
  - 0x0004 - NO_PROPAGATE_INHERIT_ACE
  - 0x0008 - INHERIT_ONLY_ACE
  - 0x0010 - INHERITED_ACE
- IntAccessMask - uint32 representation of an access mask. If used, it overrides the AccessMask parameter.
- NoLog - Specify not to create a log file.
- LogFile - The path and file name of the desired log file. "C:\Logfile.txt"
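Let’s look at an example of granting a domain group permission to print to a locally attached printer.

```powershell
# Grant the Print permission on one printer to a user or domain group
.\Set-PrinterPermissions.ps1 -SinglePrinterName "<your printer name>" -AccountName "<Your user/domain group>" -AccessMask "Print"
```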
After running the script, you can verify that permissions have been added to the printer on the Security tab. Note that we now have an entry for the TestGroup domain group.
What about removing permissions from a printer? Let’s take a look at the use case we mentioned earlier. You may need to remove the Everyone group from the permissions on a printer.
Using the Set-PrinterPermissions script, we can easily remove the ACE entry for Everyone with the following:
```powershell
# Remove every ACE for Everyone from one printer
.\Set-PrinterPermissions.ps1 -SinglePrinterName "<your printer name>" -AccountName "Everyone" -Remove
```
After running the script, we can verify that the Everyone group has been removed from the Printer permissions.
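The Security tab check can also be scripted. The following is an added example, not part of the original article or of Set-PrinterPermissions.ps1: it reads each printer's security descriptor with Get-Printer -Full and lists any ACE that still names Everyone. Get-PrinterAceForSid is a hypothetical helper, the sample SDDL is constructed, and the name-to-bit mapping uses the standard Windows access-right constants rather than values taken from the script.

```powershell
# Added example, not part of Set-PrinterPermissions.ps1.
# Assumption: standard Windows access-right bits behind the AccessMask names.
$PrinterRights = [ordered]@{
    ManagePrinters    = 0x00004   # PRINTER_ACCESS_ADMINISTER
    Print             = 0x00008   # PRINTER_ACCESS_USE
    ManageDocuments   = 0x00010   # JOB_ACCESS_ADMINISTER
    ReadPermissions   = 0x20000   # READ_CONTROL
    ChangePermissions = 0x40000   # WRITE_DAC
    TakeOwnership     = 0x80000   # WRITE_OWNER
}

# Hypothetical helper: return the ACEs in an SDDL string that name the given SID.
function Get-PrinterAceForSid {
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [string]$Sid = 'S-1-1-0'   # well-known SID for Everyone
    )
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ("$($ace.SecurityIdentifier)" -ne $Sid) { continue }
        $mask  = $ace.AccessMask
        $names = $PrinterRights.Keys | Where-Object { $mask -band $PrinterRights[$_] }
        [pscustomobject]@{
            Type   = $ace.AceQualifier   # AccessAllowed or AccessDenied
            Rights = $names -join ','    # empty if only generic rights are set
            Mask   = '0x{0:X}' -f $mask
            Flags  = $ace.AceFlags       # ObjectInherit, ContainerInherit, InheritOnly, ...
        }
    }
}

# Constructed sample descriptor: Administrators manage, Everyone may print.
$sample = 'O:SYG:SYD:(A;;LCSWSDRCWDWO;;;BA)(A;;SWRC;;;WD)'
Get-PrinterAceForSid -Sddl $sample

# Live audit: requires the PrintManagement module; -Full populates PermissionSDDL.
Get-Printer -Full | Where-Object PermissionSDDL | ForEach-Object {
    $printer = $_.Name
    Get-PrinterAceForSid -Sddl $_.PermissionSDDL |
        Select-Object @{ n = 'Printer'; e = { $printer } }, Type, Rights, Mask, Flags
}
```

A printer that produces no output from the live audit has no ACE for Everyone; running the audit on a schedule is one way to catch the configuration drift mentioned below.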
Wrapping up
PowerShell provides the ability to manage, configure, and administer printers, including permissions. Although the native PrintManagement PowerShell module is deficient in its ability to provide permissions management, the Set-PrinterPermissions script is a great way to manage permissions on both locally attached printers and printers found on a print server. This provides a powerful way to automate permissions management of printers as well as to remediate any configuration drift that may happen in an environment over time.