Powershell: Unable to add "Manage Documents" rights to printers

Jim Drury 1 Reputation point
2022-09-15T20:33:30.74+00:00

Summary: I am unable to add "Manage Documents" rights to printers via Powershell. If I use a deprecated method I can add "Manage Documents" to normal users/groups, but not BUILTIN groups.

This issue has turned my brain to jelly, I really hope you fine people can be of assistance. I have done so much reading and searching on this, but have not found a solution.

The core issue with Set-Printer and DiscretionaryAcl.AddAccess is laid out extremely well in this closed post, which was never resolved. The TL;DR is that "Manage Documents" requires the AceFlags to be set to ObjectInherit, InheritOnly. However the .addaccess() function throws an exception if you attempt to do that. Here is some example code that throws an error when trying to set the correct AceFlags for "Manage Documents".

# Build a descriptor from the source printer's SDDL (constructor arguments: isContainer = $false, isDS = $false, sddlForm)
$SecurityDescriptor = New-Object -TypeName Security.AccessControl.CommonSecurityDescriptor $false, $false, (Get-Printer -Name 'SourcePrinter' -ComputerName 'PrintServer' -Full).PermissionSDDL
$CreatorOwnerSID = 'S-1-3-0'   # CREATOR OWNER
# 983088 = 0xF0030, the "Manage Documents" mask; this call throws when given ObjectInherit / InheritOnly
$SecurityDescriptor.DiscretionaryAcl.AddAccess("Allow", $CreatorOwnerSID, 983088, "ObjectInherit", "InheritOnly")
Set-Printer -Name 'DestinationPrinter' -ComputerName 'PrintServer' -PermissionSDDL $SecurityDescriptor.GetSddlForm("all") -Verbose

I am able to add "Manage Documents" to a normal user or security group by doing things the old way, which has been deprecated in Powershell 7. However I am not able to add "Manage Documents" to "CREATOR OWNER" or other BUILTIN groups. The following is some example code that works for normal users/groups but does not work for BUILTIN groups.

$user = "someuser"
# WMI (Win32_SecurityDescriptor / Win32_Ace / Win32_Trustee) objects for the new DACL
$SD = ([WMIClass] "Win32_SecurityDescriptor").CreateInstance()
$ace = ([WMIClass] "Win32_Ace").CreateInstance()
$Trustee = ([WMIClass] "Win32_Trustee").CreateInstance()
# Resolve the account name to a SID and get its binary form for the trustee
$SID = (New-Object Security.Principal.NTAccount $user).Translate([Security.Principal.SecurityIdentifier])
[byte[]] $SIDArray = ,0 * $SID.BinaryLength
$SID.GetBinaryForm($SIDArray, 0)
$Trustee.Name = $user
$Trustee.SID = $SIDArray
$ace.AccessMask = 983052   # 0xF000C
$ace.AceType = 0           # ACCESS_ALLOWED_ACE_TYPE
$ace.AceFlags = 9          # OBJECT_INHERIT_ACE (1) + INHERIT_ONLY_ACE (8)
$ace.Trustee = $Trustee
$SD.DACL = $ace
$SD.ControlFlags = 0x0004  # SE_DACL_PRESENT
$Printer = Get-WmiObject Win32_Printer -Filter "name = 'someprinter'"
$Printer.psbase.Scope.Options.EnablePrivileges = $true
$Printer.SetSecurityDescriptor($SD)

I need to add "Manage Documents" permissions to "CREATOR OWNER" on about 500 printers. I'd prefer not to have to do it manually via Print Management GUI.

I am happy to provide additional code snippets and talk about testing I have done if that would be helpful. Thank you in advance for any assistance.


2 answers

  1. Jim Drury 1 Reputation point
    2022-10-03T21:51:59.537+00:00

    This response is not helpful.


  2. MotoX80 32,081 Reputation points
    2022-10-03T22:50:04.713+00:00

    It might not be the answer that you were hoping for, but you might be able to use the suggestion that I had for this question.

    https://learn.microsoft.com/en-us/answers/questions/1029427/powershell-permissionsddl.html

    Creator owner is "CO" in SDDL format. So what you can try is to use the GUI to set the permissions on one printer, and then analyze the SDDL to pick off the entries that you want. Then append those to the current SDDL of the "target" printer.

    I have not tested this, but in theory I would think that it would work.

    $sid = ";CO"       # CREATOR OWNER in SDDL; or use the SID for users/groups, e.g. "S-1-5-17"
    $x = Get-Printer "Quicken pdf printer" -Full
    "Here are the permissions."
    $x.PermissionSDDL
    ""
    # Split the SDDL at every "(" and put the "(" back so each ACE is its own string
    # (the first element is the O:/G:/D: header, which picks up a stray leading "(")
    $z = $x.PermissionSDDL.Split('(') | ForEach-Object { "($_" }
    $z
    # Keep only the entries for the trustee of interest and join them back into one string
    $AddThese = -join ($z | Where-Object { $_ -match $sid })
    ""
    "Here is the string to append."
    $AddThese
    

    Something like this...

    $tgt = Get-Printer OtherPrinter -Full
    #todo:  Test to see if AddThese has already been added to the SDDL...
    $tgt.PermissionSDDL = $tgt.PermissionSDDL + $AddThese
    $tgt | Set-Printer
    
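Added example (mine, not code from the question or from MotoX80's answer) that covers both the question's failing AddAccess call and the answer's "#todo" about not appending the same entry twice. It edits the PermissionSDDL string directly, as the answer suggests, so DiscretionaryAcl.AddAccess is never called: .NET rejects inheritance flags on a CommonSecurityDescriptor created with isContainer = $false, which is what the first snippet in the question passes. The ACE text `(A;OIIO;RPWPSDRCWDWO;;;CO)` is my assumption of the SDDL spelling of the question's numbers (access mask 983088 = 0xF0030 with ObjectInherit + InheritOnly, trustee CO = CREATOR OWNER = S-1-3-0); the sample SDDL string is constructed, not captured from a server, and all function names are mine.

```powershell
# Added example, not code from the question or the answer. Works on the SDDL
# string so DiscretionaryAcl.AddAccess (which rejects inheritance flags on a
# descriptor built with isContainer = $false) is never involved.
# Assumed ACE text for "Manage Documents" granted to CREATOR OWNER:
# mask 0xF0030 = RP WP SD RC WD WO, flags OIIO, trustee CO (S-1-3-0).
$ManageDocumentsForCreatorOwner = '(A;OIIO;RPWPSDRCWDWO;;;CO)'

function Split-Sddl {
    # Split into the text up to the end of the DACL and the SACL that may follow,
    # so an ACE appended to the DACL cannot land inside the "S:" section.
    param([Parameter(Mandatory)][string]$Sddl)
    $daclStart = $Sddl.IndexOf('D:')
    if ($daclStart -lt 0) { throw "SDDL has no DACL section: $Sddl" }
    $saclStart = $Sddl.IndexOf('S:', $daclStart)
    if ($saclStart -lt 0) { $saclStart = $Sddl.Length }
    [pscustomobject]@{
        Head = $Sddl.Substring(0, $saclStart)   # "O:..G:..D:(ace)(ace)"
        Tail = $Sddl.Substring($saclStart)      # "S:(ace)" or ""
    }
}

function Get-SddlAce {
    # Return each "(...)" entry of the DACL as its own string.
    param([Parameter(Mandatory)][string]$Sddl)
    $head = (Split-Sddl $Sddl).Head
    $dacl = $head.Substring($head.IndexOf('D:') + 2)
    [regex]::Matches($dacl, '\([^)]*\)') | ForEach-Object { $_.Value }
}

function Add-SddlAce {
    # Append one ACE to the DACL unless that exact ACE is already present.
    # Appending an Allow entry after the existing explicit entries keeps the DACL
    # canonical (Deny before Allow) provided none of the entries are inherited.
    param([Parameter(Mandatory)][string]$Sddl, [Parameter(Mandatory)][string]$Ace)
    if (@(Get-SddlAce $Sddl) -contains $Ace) { return $Sddl }
    $parts = Split-Sddl $Sddl
    $parts.Head + $Ace + $parts.Tail
}

function Get-DaclSummary {
    # Parse the string with .NET to prove it is valid SDDL and to show what each
    # entry grants. RawSecurityDescriptor does not object to OIIO on a printer,
    # so this is a cheap check to run before handing the string to Set-Printer.
    param([Parameter(Mandatory)][string]$Sddl)
    $rsd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    foreach ($ace in $rsd.DiscretionaryAcl) {
        [pscustomobject]@{
            Trustee = $ace.SecurityIdentifier.Value
            Type    = $ace.AceType
            Mask    = '0x{0:X}' -f $ace.AccessMask
            Flags   = $ace.AceFlags
        }
    }
}

function Grant-PrinterManageDocuments {
    # Apply the ACE to one real printer; -WhatIf previews the change.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$Ace = $ManageDocumentsForCreatorOwner
    )
    $printer = Get-Printer -Name $Name -ComputerName $ComputerName -Full
    $new = Add-SddlAce -Sddl $printer.PermissionSDDL -Ace $Ace
    if ($new -eq $printer.PermissionSDDL) { Write-Verbose "$Name already has $Ace"; return }
    $null = Get-DaclSummary $new   # fails here, not in the spooler, if the string is malformed
    if ($PSCmdlet.ShouldProcess("$ComputerName\$Name", "append $Ace to PermissionSDDL")) {
        Set-Printer -Name $Name -ComputerName $ComputerName -PermissionSDDL $new
    }
}

# Constructed sample, not captured from a real print server: a DACL with no
# CREATOR OWNER entry, followed by a SACL so the append has to stay in the DACL.
$sample = 'O:BAG:BAD:(A;;LCSWSDRCWDWO;;;BA)(A;OIIO;RPWPSDRCWDWO;;;BA)(A;;SWRC;;;WD)S:(AU;SA;WDWO;;;WD)'
$once   = Add-SddlAce -Sddl $sample -Ace $ManageDocumentsForCreatorOwner
$twice  = Add-SddlAce -Sddl $once   -Ace $ManageDocumentsForCreatorOwner
"Result           : $once"
"Second call no-op: $($once -eq $twice)"
Get-DaclSummary $once | Format-Table -AutoSize
# Check the S-1-3-0 row: Mask 0xF0030 with Flags ObjectInherit, InheritOnly.
# For the 500 printers, something like:
#   Get-Printer -ComputerName PrintServer |
#     ForEach-Object { Grant-PrinterManageDocuments -Name $_.Name -ComputerName PrintServer -WhatIf }
```

The Get-DaclSummary step is the part I would not skip: it round-trips the string through .NET and prints the mask and flags each entry actually carries, so a typo in the ACE text fails loudly before it is written to a printer, and the same function run against a printer's PermissionSDDL afterwards confirms what the spooler stored.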