Thoughts from the EPS Windows Server Performance Team
Hello AskPerf readers. My name is Randy Grogan and this is my first post on this blog. If you are familiar with some of the Printing Improvements in Windows Server 2008 R2 then you may already know how much easier it is to Delegate Printer Management tasks to non-admin users. Although things are much improved in Win2K8 R2, there are still a lot of Windows Server 2003 Print Servers in use and we are often asked how to accomplish this task with this platform.
The answer has both good and bad news. First the good: it is possible to apply a set of custom permissions to all of your printers. Now the bad: the permissions you set up will be applied to every existing printer, and new printers will not receive the custom permissions automatically. So, if you have a new delegation model to apply to your existing Windows Server 2003 Print Server, the steps below will help you with the implementation.
The majority of the modifications that need to be done are changes on the local Print Server. The only aspects of this delegation that can be applied via GPO are the local User Rights explained later in this post.
Task 1: Modifying the printer permissions
The actions in this step require a tool from the Windows Server 2003 Resource Kit, SetPrinter.exe. This tool can be downloaded from the following link:
It is important to understand that SetPrinter.exe does not modify permissions, it replaces them. When we use this tool later, the effective permissions for all queues will be replaced to match the security descriptor of our “model printer”. Additionally, the permissions that are set with this tool will not be inherited by print queues that are set up after following these steps. This means that the desired permissions will need to be applied to all new printers on an ongoing basis. You might implement a change control process for new printer installs so that the desired permissions are configured going forward. There is no supported method for automating this in Windows Server 2003.
Actions for modifying the printer permissions:
To achieve this task, we will use the local Print Operators group. On the model Printer, add the local Print Operators group in the security tab. Give this group the desired permissions. In the screenshot below, we are giving Print, Manage Printers and Manage Documents permissions.
SetPrinter -show "printername" 3 > PrinterPerms.txt
Where printername is the name of the printer that has the permissions needed (e.g. \\servername\printsharename).
Open the text file and you should see the security descriptor info. While it may be different on your system, it will look similar to the following string.
NOTE: The security descriptor below is an illustration only! Do not use this example on your server!
From a command prompt, type the following command:
SetPrinter \\Servername 3 pSecurityDescriptor="credentials"
Where credentials is the string listed as the value for pSecurityDescriptor.
After following the steps above, you should now see that the local Print Operators group has been added to all existing print queues.
REMEMBER: SetPrinter.exe does not provide partial permission modifications. It will always replace all permissions with whatever is provided to it.
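Because new queues do not inherit the model printer's permissions, a periodic check of each queue's descriptor is the practical way to catch queues that were added after the delegation. The following is an added example, not code from the original post: it assumes the pSecurityDescriptor value captured with SetPrinter -show is an SDDL string, and tests whether the local Print Operators group (well-known SID S-1-5-32-550) holds the Manage Printers right on the queue itself.

```powershell
# Added audit helper, not part of the original post. Assumes the descriptor
# is in SDDL string form, as captured from SetPrinter -show pSecurityDescriptor.
# The sample descriptor below is constructed for illustration only.
$SampleSddl = 'O:BAG:SYD:(A;;LCSWSDRCWDWO;;;BA)(A;OIIO;RPWPSDRCWDWO;;;BA)' +
              '(A;;LCSWSDRCWDWO;;;PO)(A;OIIO;RPWPSDRCWDWO;;;PO)(A;;SWRC;;;WD)'

function Test-PrintOperatorsDelegation {
    param([Parameter(Mandatory = $true)][string]$Sddl)

    # PRINTER_ACCESS_ADMINISTER (0x4) is the "Manage Printers" right;
    # in SDDL letter form it appears as LC.
    $PRINTER_ACCESS_ADMINISTER = 0x4
    $printOperatorsSid = 'S-1-5-32-550'   # BUILTIN\Print Operators (SDDL alias PO)

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor $Sddl

    foreach ($ace in $sd.DiscretionaryAcl) {
        # Inherit-only ACEs describe rights on print jobs (Manage Documents),
        # not on the queue itself, so they are skipped for this check.
        if ($ace.AceFlags -band [System.Security.AccessControl.AceFlags]::InheritOnly) { continue }
        if ($ace.AceQualifier -ne [System.Security.AccessControl.AceQualifier]::AccessAllowed) { continue }

        if ($ace.SecurityIdentifier.Value -eq $printOperatorsSid -and
            ($ace.AccessMask -band $PRINTER_ACCESS_ADMINISTER)) {
            return $true
        }
    }
    return $false
}

# Run against the constructed sample; in practice, feed each queue's captured
# pSecurityDescriptor value and report the queues that return $false.
Test-PrintOperatorsDelegation -Sddl $SampleSddl
```

Queues that return $false are the ones that still need the model printer's descriptor applied with SetPrinter.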
Now that the permissions have been set, we need to give this right to a Domain Global group.
Task #2: Implementing the Security Group configuration
Create a Domain Global group that will be used for your Printer Management Role. You will add the individual user accounts to this group when the users need to assume this task. Add this new Domain Global group to the local Print Operators group on your Print Server.
After these steps have been completed, you have delegated Printer Management rights to members of the group “PrintOps”, as illustrated in the example screenshots.
Task 3: Giving the Print Operators the appropriate rights on the Print Server
You will need to give the local Print Operators group additional user rights so that members can log on to the server and install print drivers. The suggested user rights are listed below. These rights can be configured through local policy settings or via GPO.
Tip: You may want to allow your Print Operators to log on through Terminal Services. To achieve this, add the Domain Global group to the local Remote Desktop Users group. This will let these users log on to the server for these Printer Management tasks.
With that, I conclude this post. Until next time…
You should consider adding a note here that using the domain Print Operators group specifically is a bad idea.
It will put all the members under the purview of AdminSDHolder, which has a tendency to cause issues, and there are also various things delegated by default to this group at the domain level that will give the members wider-ranging permissions, including on AD DCs.