Managing permissions on files, folders, and other objects can be tedious. This includes managing permissions on printers. In this post, we will take a look at how printer permissions can easily be managed using PowerShell.

Brandon Lee

Brandon Lee has been in the IT industry 15+ years and focuses on networking and virtualization. He contributes to the community through various blog posts and technical documentation primarily at Virtualizationhowto.com.

Many aspects of infrastructure must be managed by the IT admin. Printers are one of the devices in today’s networks that are simple in function but often complicated to manage and maintain. However, with PowerShell, many of the more complicated tasks that have been performed manually by admins can be automated.

One aspect of configuring and maintaining printers is security. Printer security must be configured so that only authorized users can print, manage, or administer printers on the network. Setting up permissions manually can be very tedious. However, by using PowerShell to alter the Windows permissions assigned to printers, securing printers can easily be automated. Let’s look at how to manage printer security with PowerShell.

Methodology for assigning printer permissions

Like folders, files, and other shared objects on the network, printers have both Access Control Lists (ACLs) and Access Control Entries (ACEs). The Access Control List houses the Access Control Entries. In the world of Microsoft Windows server groups and best practices, Microsoft recommends placing users in groups and nesting these groups in a certain manner. A familiar acronym describing this method of assigning permissions in the very common Windows Server domain is AGDLP, which helps you to remember that objects are nested in the following order:

  1. Accounts
  2. Global Groups
  3. Domain Local Groups
  4. Permissions

This same methodology applies to assigning permissions to printers. Users and computer accounts are placed inside Global Groups, and Global Groups are then placed inside of the Domain Local Groups that are assigned permissions.

Using this methodology, you can easily implement effective role-based access control (RBAC) for your organization. Based on a certain role, a user, group, or other object gets a certain set of permissions. Much like files and folders, printers are a resource on the network that is assigned permissions. Users and groups often get printer permissions based on their roles in the organization.

By default, when you create a printer, Windows, as it does for all objects, assigns a set of default permissions that allow users to connect to the printer and perform the basic functions. These default permissions include an ACE for the Everyone group so that all users can print to the printer.

However, for many reasons, you may not want anyone who has a network login to be able to print to a specific printer, for example, when you need to restrict who can print to certain department printers. In many environments, printers are placed in specific locations for the use of certain departments. For purposes of billing individual departments for printer resources such as the cost of consumables, it may be necessary to restrict printing permissions to only those departments for which the printer is configured.

Default permissions assigned to Everyone group in Windows


Let’s see how we can use PowerShell to control permissions for printers in order to both add and remove permissions as needed in a Windows environment.

Manage printer security with PowerShell

It seems as if there are PowerShell modules and cmdlets to control, manage, or configure just about any aspect of the Windows Server infrastructure. Printers are no exception. There is an official PowerShell module for interacting with Windows printers.

The PrintManagement module allows you to interact with printers and perform many handy printer management tasks. The PrintManagement module includes the following cmdlets:

| Cmdlet | Description |
| --- | --- |
| Add-Printer | Adds a printer to the specified computer. |
| Add-PrinterDriver | Installs a printer driver on the specified computer. |
| Add-PrinterPort | Installs a printer port on the specified computer. |
| Get-PrintConfiguration | Gets the configuration information of a printer. |
| Get-PrintJob | Retrieves a list of print jobs in the specified printer. |
| Get-Printer | Retrieves a list of printers installed on a computer. |
| Get-PrinterDriver | Retrieves the list of printer drivers installed on the specified computer. |
| Get-PrinterPort | Retrieves a list of printer ports installed on the specified computer. |
| Get-PrinterProperty | Retrieves printer properties for the specified printer. |
| Read-PrinterNfcTag | Reads information about printers from an NFC tag. |
| Remove-PrintJob | Removes a print job on the specified printer. |
| Remove-Printer | Removes a printer from the specified computer. |
| Remove-PrinterDriver | Deletes printer driver from the specified computer. |
| Remove-PrinterPort | Removes the specified printer port from the specified computer. |
| Rename-Printer | Renames the specified printer. |
| Restart-PrintJob | Restarts a print job on the specified printer. |
| Resume-PrintJob | Resumes a suspended print job. |
| Set-PrintConfiguration | Sets the configuration information for the specified printer. |
| Set-Printer | Updates the configuration of an existing printer. |
| Set-PrinterProperty | Modifies the printer properties for the specified printer. |
| Suspend-PrintJob | Suspends a print job on the specified printer. |
| Write-PrinterNfcTag | Writes printer connection data to an NFC tag. |

One capability glaringly missing from the PrintManagement module is the ability to control printer permissions. However, the TechNet Script Center comes to the rescue: a script published there, Set-PrinterPermissions.ps1, fills the gap in the natively included PrintManagement PowerShell module.

Using the Set-PrinterPermissions PowerShell script, you can modify the ACEs of printers that are installed either locally or on a print server. The parameters that can be passed to the script include the following:

  • ServerName - Specify the SamAccountName of a server on which to modify printer permissions.
  • AccountName - Specify the SamAccountName or userPrincipalName of a User or Group on which to modify or create permissions.
  • SinglePrinterName - Specify an individual printer to modify permissions on. If no printer is specified, all printers on the target server will be updated.
  • AccessMask - The permission Access Mask to be applied. Only relevant printer bit masks are represented: "ManagePrinters," "ManageDocuments," "Print," "TakeOwnership," "ReadPermissions," or "ChangePermissions." The default value is "Print."
  • Deny - AccessMask AccessType will be set to "Deny." Default is to "Allow."
  • Remove - Removes all Access Control Entries associated with the specified Account Name.
  • AceFlag - A bit flag that indicates permission propagation:
    • 0x0001 - OBJECT_INHERIT_ACE
    • 0x0002 - CONTAINER_INHERIT_ACE
    • 0x0004 - NO_PROPAGATE_INHERIT_ACE
    • 0x0008 - INHERIT_ONLY_ACE
    • 0x0010 - INHERITED_ACE
  • IntAccessMask - uint32 representation of an access mask. If used, it overrides the AccessMask parameter.
  • NoLog - Specify not to create a log file.
  • LogFile - The path and file name of the desired log file. "C:\Logfile.txt"

Let’s look at an example of granting a domain group permission to print to a locally attached printer.

  • .\Set-PrinterPermissions.ps1 -SinglePrinterName "<your printer name>" -AccountName "<Your user/domain group>" -AccessMask "Print"

Adding permissions for a domain group to a local printer

After running the script, you can verify that permissions have been added to the printer on the Security tab. Note that we now have an entry for the TestGroup domain group.

After adding print permissions for a domain group using the Set-PrinterPermissions.ps1 script

What about removing permissions from a printer? Let’s take a look at the use case we mentioned earlier. You may need to remove the Everyone group from the permissions on a printer.

Everyone Group has Print permissions by default


Using the Set-PrinterPermissions script, we can easily remove the ACE entry for Everyone with the following:

  • .\Set-PrinterPermissions.ps1 -SinglePrinterName "<your printer name>" -AccountName "Everyone" -Remove

Running the Set-PrinterPermissions script to remove the Everyone Group

After running the script, we can verify that the Everyone group has been removed from the Printer permissions.

Everyone Group is removed using the Set-PrinterPermissions script
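
One way to check for the Everyone entry across many printers without opening each Security tab, as an added example that is not part of the original post or the TechNet script: it parses the SDDL string that Get-Printer -Full returns in PermissionSDDL and lists every ACE held by Everyone. The function name Get-EveryoneAce, the sample descriptor, and the pairing of mask values with the script's AccessMask names are assumptions.

```powershell
# Added example. Mask values are the Win32 printer/standard access rights; pairing
# them with the script's AccessMask names is an assumption, except ManagePrinters
# (983052), which appears in the log output quoted in the comments on this page.
$PrinterRights = [ordered]@{
    ManagePrinters    = 0x000F000C
    ManageDocuments   = 0x000F0030
    Print             = 0x00020008
    TakeOwnership     = 0x00080000
    ChangePermissions = 0x00040000
    ReadPermissions   = 0x00020000
}

function Get-EveryoneAce {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $PrinterName,
        [Parameter(Mandatory)] [string] $Sddl
    )
    $world = [System.Security.Principal.WellKnownSidType]::WorldSid   # S-1-1-0
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if (-not $ace.SecurityIdentifier.IsWellKnown($world)) { continue }
        # First (broadest) named right whose bits are all present in the mask.
        $right = $PrinterRights.Keys |
            Where-Object { ($ace.AccessMask -band $PrinterRights[$_]) -eq $PrinterRights[$_] } |
            Select-Object -First 1
        [pscustomobject]@{
            Printer = $PrinterName
            Type    = $ace.AceQualifier            # AccessAllowed or AccessDenied
            Mask    = '0x{0:X8}' -f $ace.AccessMask
            Right   = $right
            Flags   = $ace.AceFlags                # same bits as the AceFlag list
        }
    }
}

# Constructed sample descriptor: Everyone (WD) may print, Administrators (BA) manage.
$sample = 'O:SYG:SYD:(A;;SWRC;;;WD)(A;;LCSWSDRCWDWO;;;BA)(A;OIIO;RPWPSDRCWDWO;;;BA)'
Get-EveryoneAce -PrinterName 'SamplePrinter' -Sddl $sample

# Live audit on a print server (-Full is required to populate PermissionSDDL).
Get-Printer -Full | Where-Object PermissionSDDL | ForEach-Object {
    Get-EveryoneAce -PrinterName $_.Name -Sddl $_.PermissionSDDL
}
```

An empty result from the live audit means no printer on that machine still carries an ACE for Everyone; running it on a schedule gives a simple drift check.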

Wrapping up

PowerShell provides the ability to manage, configure, and administer printers, including permissions. Although the native PrintManagement PowerShell module is deficient in its ability to provide permissions management, the Set-PrinterPermissions script is a great way to manage permissions on both locally attached printers and printers found on a print server. This provides a powerful way to automate permissions management of printers as well as to remediate any configuration drift that may happen in an environment over time.

3 Comments
  1. Matt D 3 months ago

    Very cool!  Can't wait to put this into action!!

    0

  2. Chris 3 months ago

    Doesn't work on Windows 10 though. Or might be me.

     

    .\Set-PrinterPermissions.ps1 -SinglePrinterName "Canon IR-ADV C7260 #14-03"-AccountName "Everyone" -AccessMask "ManagePrinters"

     

    a log file is created which says

    Started: 08/29/2019 15:17:00

    ERROR: New-Win32_Trustee()
    Type: System.Management.Automation.MethodInvocationException
    Message: Exception calling "GetBinaryForm" with "2" argument(s): "Destination array was not long enough. Check destIndex and length, and the array's lower bounds."

    1 Printer(s) to be updated.
    Account: Everyone
    Mask: 983052 ManagePrinters
    Type: 0
    Flag: 4

    ERROR: Set-PrinterPermissions()
    Type: System.Management.Automation.RuntimeException
    Message: Cannot convert value "2147749896" to type "System.Int32". Error: "Value was either too large or too small for an Int32."

    Finished: 08/29/2019 15:17:08

    0

  3. Ross 7 days ago

    I have this same error when trying to use "Authenticated Users" on Server 2016. But adding normal domain accounts works perfectly.

    0


© 4sysops 2006 - 2019
