Delegating Printer Management Tasks in Windows Server 2003


 

Hello AskPerf readers.  My name is Randy Grogan and this is my first post on this blog.  If you are familiar with some of the Printing Improvements in Windows Server 2008 R2 then you may already know how much easier it is to Delegate Printer Management tasks to non-admin users.  Although things are much improved in Win2K8 R2, there are still a lot of Windows Server 2003 Print Servers in use and we are often asked how to accomplish this task with this platform.

The answer has both good and bad news.  First the good: it is possible to apply a set of custom permissions to all of your printers.  Now the bad: the permissions you set up will be applied to every printer, and new printers will not receive the custom permissions.  So, if you have a new delegation model to apply to your existing Windows Server 2003 Print Server, the steps below will help you with the implementation.

The majority of the modifications that need to be done are changes on the local Print Server.  The only aspects of this delegation that can be applied via GPO are the local User Rights explained later in this post.


Task 1: Modifying the printer permissions

The actions in this step require a tool from the Windows Server 2003 Resource Kit, SetPrinter.exe.  This tool can be downloaded from the following link:


http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&DisplayLang=en

It is important to understand that SetPrinter.exe does not modify permissions; it replaces them.  When we use this tool later, the effective permissions for all queues will be replaced to match the security descriptor of our “model printer”.  Additionally, the permissions that are set with this tool will not be inherited by print queues that are set up after following these steps.  This means that the desired permissions will need to be applied to all new printers on an ongoing basis.  You might implement a change control process for new printer installs so that the desired permissions are configured going forward.  There is no supported method for automating this in Windows Server 2003.

Actions for modifying the printer permissions:

  • BACK UP YOUR SERVER!  You will need a good System State backup to revert these changes if you wind up with undesired results!
  • Pick an existing printer or install a new one to be used as the model for the desired permissions.
  • Configure this printer with the desired Security Group and permissions via the security tab.

To achieve this task, we will use the local Print Operators group.  On the model Printer, add the local Print Operators group in the security tab.  Give this group the desired permissions.  In the screenshot below, we are giving Print, Manage Printers and Manage Documents permissions.

image

 

  • Use the SetPrinter -show command to dump the security descriptor of the model printer that has the desired security permissions.  We will output the security descriptor into a text file so that we can copy and paste it in another step. From a command prompt, type the following command:


SetPrinter -show "printername" 3 > PrinterPerms.txt

Where printername is the name of the printer that has the permissions/credentials needed (e.g. \\servername\printsharename).

Open the text file and you should see the security descriptor info.  While it may be different on your system, it will look similar to the following string.

NOTE: The security descriptor below is an illustration only!  Do not use this example on your server!

pSecurityDescriptor="O:BAG:DUD:(A;OIIO;RPWPSDRCWDWO;;;BA)(A;;LCSWSDRCWDWO;;;BA)(A;CIIO;RC;;;CO)(A;OIIO;RPWPSDRCWDWO;;;CO)(A;;SWRC;;;WD)(A;OIIO;RPWPSDRCWDWO;;;PU)(A;;LCSWSDRCWDWO;;;PU)(A;;LCSWSDRCWDWO;;;PO)(A;OIIO;RPWPSDRCWDWO;;;PO)"

  • Use the SetPrinter command to replace printer permissions on all existing printers using the security descriptor that was dumped from the model printer.

From a command prompt, type the following command:

SetPrinter \\Servername 3 pSecurityDescriptor="credentials"

Where credentials is the string listed as the value for pSecurityDescriptor.

After following the steps above, you should now see that the local Print Operators group has been added to all existing print queues.

REMEMBER: SetPrinter.exe does not provide partial permission modifications.   It will always replace all permissions with whatever is provided to it.
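Because the descriptor replaces the ACL on every queue, it is worth reading what it grants before running the replace step. The Python below is an added example, not part of the original post or the Resource Kit: it decodes the dumped string into the Security-tab permissions per trustee and lists any trustee that would receive Manage Printers outside an approved set. The function names are hypothetical, the alias table covers only the SIDs in the post's illustrative string, and only allow ACEs are evaluated.

```python
import re

# SDDL right letters -> access-mask bits (standard SDDL encoding).
RIGHT_BITS = {"LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
              "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000}
# Spooler access masks (winspool.h) and the Security-tab box each one backs.
PRINTER_EXECUTE = 0x20008      # Print
PRINTER_ALL_ACCESS = 0xF000C   # Manage Printers
JOB_ALL_ACCESS = 0xF0030       # Manage Documents (inherit-only ACE for jobs)
SID_ALIASES = {"BA": "Administrators", "CO": "Creator Owner", "WD": "Everyone",
               "PU": "Power Users", "PO": "Print Operators"}
# The illustrative descriptor printed in the post, used here only as sample input.
SAMPLE = ('pSecurityDescriptor="O:BAG:DUD:(A;OIIO;RPWPSDRCWDWO;;;BA)'
          '(A;;LCSWSDRCWDWO;;;BA)(A;CIIO;RC;;;CO)(A;OIIO;RPWPSDRCWDWO;;;CO)'
          '(A;;SWRC;;;WD)(A;OIIO;RPWPSDRCWDWO;;;PU)(A;;LCSWSDRCWDWO;;;PU)'
          '(A;;LCSWSDRCWDWO;;;PO)(A;OIIO;RPWPSDRCWDWO;;;PO)"')

def mask_of(rights):
    """Turn an ACE rights field (hex or two-letter codes) into a bit mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    return sum(RIGHT_BITS[r] for r in set(re.findall("..", rights)))

def effective_permissions(text):
    """Map each trustee to the Security-tab permissions its allow ACEs grant."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", text)
    if not dacl:
        raise ValueError("no DACL found in descriptor")
    perms = {}
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        ace_type, flags, rights, _obj, _inh, sid = ace.split(";")
        if ace_type != "A":
            continue  # deny and audit ACEs are outside this check
        mask, fl = mask_of(rights), re.findall("..", flags)
        got = perms.setdefault(SID_ALIASES.get(sid, sid), set())
        if "IO" in fl:  # inherit-only: applies to print jobs, not the queue
            if "OI" in fl and (mask & JOB_ALL_ACCESS) == JOB_ALL_ACCESS:
                got.add("Manage Documents")
            continue
        if (mask & PRINTER_EXECUTE) == PRINTER_EXECUTE:
            got.add("Print")
        if (mask & PRINTER_ALL_ACCESS) == PRINTER_ALL_ACCESS:
            got.add("Manage Printers")
    return perms

def unexpected_admins(text, allowed):
    """Trustees granted Manage Printers that are not in the approved set."""
    perms = effective_permissions(text)
    return sorted(t for t, p in perms.items()
                  if "Manage Printers" in p and t not in allowed)
```

Run against the contents of PrinterPerms.txt, `unexpected_admins` shows which groups the replace step would make printer administrators on every queue, which is the place to catch a leftover entry on the model printer.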

 

Now that the permissions have been set, we need to give this right to a Domain Global group.

 

Task 2: Implementing the Security Group configuration

Create a Domain Global group that will be used for your Printer Management Role.  You will add the individual user accounts to this group when the users need to assume this task.  Add this new Domain Global group to the local Print Operators group on your Print Server.

image  image

After these steps have been completed, you now have delegated Printer Management rights to members of the Group “PrintOps” as illustrated in the example screen shots.

 

Task 3: Giving the Print Operators the appropriate rights on the Print Server

You will need to give the local Print Operators group additional permissions so that members can log on to the server and install Print drivers.  The suggested user rights are listed below.  These rights can be configured through local policy settings or via GPO.

  • Allow log on locally (Not required if only RDP access will be used)
  • Load and unload device drivers. (This is required for Printer Driver Installs)

Tip: You may want to allow your Print Operators to log on through Terminal Services.  To achieve this, you should add the Domain Global group to the local Remote Desktop Users group.  This will let these users log on to the server for these Printer Management tasks.

 

With that, I conclude this post.  Until next time…

-Randy Grogan

Leave a Comment
  • You should consider adding a note here that using the domain print operators group specifically is a bad idea.

    It will put all the members under the purview of adminSDHolder which has a tendency to cause issues and there are also various things delegated by default to this group at the domain level that will give the members wider ranging permissions including on AD DCs.