Summary: I am unable to add "Manage Documents" rights to printers via PowerShell. If I use a deprecated method I can add "Manage Documents" to normal users/groups, but not BUILTIN groups.
This issue has turned my brain to jelly; I really hope you fine people can be of assistance. I have done so much reading and searching on this, but have not found a solution.
The core issue with Set-Printer and DiscretionaryAcl.AddAccess is laid out extremely well in this closed post, which was never resolved. The TL;DR is that "Manage Documents" requires the AceFlags to be set to ObjectInherit, InheritOnly. However the .addaccess() function throws an exception if you attempt to do that. Here is some example code that throws an error when trying to set the correct AceFlags for "Manage Documents".
```powershell
# Constructor arguments: isContainer, isDS, SDDL string
$SecurityDescriptor = New-Object -TypeName Security.AccessControl.CommonSecurityDescriptor $false, $false, (Get-Printer -Name 'SourcePrinter' -ComputerName 'PrintServer' -Full).PermissionSDDL
$CreatorOwnerSID = 'S-1-3-0'   # well-known SID for CREATOR OWNER
# Throws: AddAccess(accessType, sid, accessMask, inheritanceFlags, propagationFlags)
$SecurityDescriptor.DiscretionaryAcl.AddAccess("Allow", $CreatorOwnerSID, 983088, "ObjectInherit", "InheritOnly")
Set-Printer -Name 'DestinationPrinter' -ComputerName 'PrintServer' -PermissionSDDL $SecurityDescriptor.GetSddlForm("All") -Verbose
```
I am able to add "Manage Documents" to a normal user or security group by doing things the old way, which has been deprecated in PowerShell 7. However, I am not able to add "Manage Documents" to "CREATOR OWNER" or other BUILTIN groups. The following is some example code that works for normal users/groups but does not work for BUILTIN groups.
```powershell
$user = "someuser"
$SD = ([WMIClass] "Win32_SecurityDescriptor").CreateInstance()
$ace = ([WMIClass] "Win32_Ace").CreateInstance()
$Trustee = ([WMIClass] "Win32_Trustee").CreateInstance()
# Resolve the account name to a SID and get its binary form for the WMI trustee
$SID = (New-Object Security.Principal.NTAccount $user).Translate([Security.Principal.SecurityIdentifier])
[byte[]] $SIDArray = ,0 * $SID.BinaryLength
$SID.GetBinaryForm($SIDArray, 0)
$Trustee.Name = $user
$Trustee.SID = $SIDArray
$ace.AccessMask = 983052      # 0xF000C
$ace.AceType = 0              # ACCESS_ALLOWED_ACE_TYPE
$ace.AceFlags = 9             # OBJECT_INHERIT_ACE (1) | INHERIT_ONLY_ACE (8)
$ace.Trustee = $Trustee
$SD.DACL = $ace
$SD.ControlFlags = 0x0004     # SE_DACL_PRESENT
$Printer = Get-WmiObject Win32_Printer -Filter "name = 'someprinter'"
$Printer.psbase.Scope.Options.EnablePrivileges = $true
$Printer.SetSecurityDescriptor($SD)
```
I need to add "Manage Documents" permissions to "CREATOR OWNER" on about 500 printers. I'd prefer not to have to do it manually via Print Management GUI.
I am happy to provide additional code snippets and talk about testing I have done if that would be helpful. Thank you in advance for any assistance.
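An added example, not the poster's code: an audit-first script around the same `Get-Printer`/`Set-Printer` and `CommonSecurityDescriptor` calls the question uses. It reuses the poster's access mask 983088 and the CREATOR OWNER SID S-1-3-0, and assumes one thing the question does not state: in .NET, `DiscretionaryAcl.AddAccess()` validates the flags against the ACL's `IsContainer` property and throws `ArgumentException` for any `InheritanceFlags` other than `None` when the ACL was created as a non-container, which is exactly what the `$false` first constructor argument produces. The descriptor is therefore built with `isContainer = $true` so the `ObjectInherit`/`InheritOnly` ACE can be added; whether `Set-Printer` then accepts the resulting SDDL is not confirmed by the post, so the write step is idempotent and gated behind `-WhatIf`. Printer and server names are placeholders.

```powershell
# Added example (not the poster's code). Assumes the PrintManagement module's
# Get-Printer/Set-Printer and the poster's mask 983088 for "Manage Documents".
# Assumption: AddAccess() rejects inheritance flags on a non-container ACL,
# so the descriptor must be created with isContainer = $true.

$ManageDocumentsMask = 983088   # 0xF0030, taken from the question
$CreatorOwnerSid = [System.Security.Principal.SecurityIdentifier]'S-1-3-0'

function Get-PrinterSecurityDescriptor {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $ComputerName
    )
    $sddl = (Get-Printer -Name $Name -ComputerName $ComputerName -Full).PermissionSDDL
    # isContainer = $true (first argument); isDS = $false; then the SDDL string
    New-Object System.Security.AccessControl.CommonSecurityDescriptor $true, $false, $sddl
}

function Get-PrinterDaclReport {
    # Read-only audit: one row per ACE, including the inheritance/propagation
    # flags that distinguish "Manage Documents" (ObjectInherit + InheritOnly).
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $ComputerName
    )
    $sd = Get-PrinterSecurityDescriptor -Name $Name -ComputerName $ComputerName
    foreach ($ace in $sd.DiscretionaryAcl) {
        $identity = $(try {
            $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $ace.SecurityIdentifier.Value })   # unresolvable SIDs stay as SID strings
        [pscustomobject]@{
            Printer     = $Name
            Identity    = $identity
            AceType     = $ace.AceType
            AccessMask  = '0x{0:X}' -f $ace.AccessMask
            Inheritance = $ace.InheritanceFlags
            Propagation = $ace.PropagationFlags
        }
    }
}

function Test-CreatorOwnerManageDocuments {
    # $true when an Allow ACE for CREATOR OWNER with the expected mask and
    # ObjectInherit/InheritOnly flags is already present in the DACL.
    param([System.Security.AccessControl.CommonSecurityDescriptor] $Descriptor)
    foreach ($ace in $Descriptor.DiscretionaryAcl) {
        if ($ace.AceType -eq 'AccessAllowed' -and
            $ace.SecurityIdentifier -eq $CreatorOwnerSid -and
            $ace.AccessMask -eq $ManageDocumentsMask -and
            $ace.InheritanceFlags -eq 'ObjectInherit' -and
            $ace.PropagationFlags -eq 'InheritOnly') {
            return $true
        }
    }
    return $false
}

function Grant-CreatorOwnerManageDocuments {
    # Idempotent change, gated behind ShouldProcess so it can be rehearsed with -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $ComputerName
    )
    $sd = Get-PrinterSecurityDescriptor -Name $Name -ComputerName $ComputerName
    if (Test-CreatorOwnerManageDocuments -Descriptor $sd) {
        Write-Verbose "$ComputerName\$Name already grants Manage Documents to CREATOR OWNER"
        return
    }
    # Same call as in the question; succeeds only because the ACL is a container ACL
    $sd.DiscretionaryAcl.AddAccess('Allow', $CreatorOwnerSid, $ManageDocumentsMask,
                                   'ObjectInherit', 'InheritOnly')
    if ($PSCmdlet.ShouldProcess("$ComputerName\$Name", 'Add Manage Documents ACE for CREATOR OWNER')) {
        Set-Printer -Name $Name -ComputerName $ComputerName -PermissionSDDL $sd.GetSddlForm('All')
    }
}

# Usage with placeholder names: audit first, rehearse with -WhatIf, then apply.
# Get-PrinterDaclReport -Name 'SourcePrinter' -ComputerName 'PrintServer' | Format-Table
# Get-Printer -ComputerName 'PrintServer' |
#     ForEach-Object { Grant-CreatorOwnerManageDocuments -Name $_.Name -ComputerName 'PrintServer' -WhatIf }
```

Run the report against one printer that already has the right set via Print Management and compare the `AccessMask`/`Inheritance`/`Propagation` columns with a freshly modified printer before rolling the change across the fleet; that confirms both the mask value and that the spooler kept the inherit-only ACE.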