Powershell: Unable to add "Manage Documents" rights to printers

Jim Drury 1 Reputation point
2022-09-15T20:33:30.74+00:00

Summary: I am unable to add "Manage Documents" rights to printers via Powershell. If I use a deprecated method I can add "Manage Documents" to normal users/groups, but not BUILTIN groups.

This issue has turned my brain to jelly, I really hope you fine people can be of assistance. I have done so much reading and searching on this, but have not found a solution.

The core issue with Set-Printer and DiscretionaryAcl.AddAccess is laid out extremely well in this closed post, which was never resolved. The TL;DR is that "Manage Documents" requires the AceFlags to be set to ObjectInherit, InheritOnly. However the .addaccess() function throws an exception if you attempt to do that. Here is some example code that throws an error when trying to set the correct AceFlags for "Manage Documents".

$SecurityDescriptor = New-Object -TypeName Security.AccessControl.CommonSecurityDescriptor $false, $false, (Get-Printer -Name 'SourcePrinter' -ComputerName 'PrintServer' -full).PermissionSDDL  
$CreatorOwnerSID = 'S-1-3-0'  
$SecurityDescriptor.DiscretionaryAcl.AddAccess("Allow",$CreatorOwnerSID,983088,"ObjectInherit","InheritOnly")  
Set-Printer -Name 'DestinationPrinter' -ComputerName 'PrintServer' -PermissionSDDL $SecurityDescriptor.GetSddlForm("all") -verbose   

I am able to add "Manage Documents" to a normal user or security group by doing things the old way, which has been deprecated in Powershell 7. However I am not able to add "Manage Documents" to "CREATOR OWNER" or other BUILTIN groups. The following is some example code that works for normal users/groups but does not work BUILTIN groups.

$user = "someuser"  
$SD = ([WMIClass] "Win32_SecurityDescriptor").CreateInstance()  
$ace = ([WMIClass] "Win32_Ace").CreateInstance()  
$Trustee = ([WMIClass] "Win32_Trustee").CreateInstance()  
$SID = (new-object security.principal.ntaccount $user).translate([security.principal.securityidentifier])  
[byte[]] $SIDArray = ,0 * $SID.BinaryLength  
$SID.GetBinaryForm($SIDArray,0)  
$Trustee.Name = $user  
$Trustee.SID = $SIDArray  
$ace.AccessMask = 983052  
$ace.AceType = 0  
$ace.AceFlags = 9  
$ace.Trustee = $Trustee  
$SD.DACL = $ace  
$SD.ControlFlags = 0x0004  
$Printer = gwmi win32_printer -filter "name = 'someprinter'"  
$Printer.psbase.Scope.Options.EnablePrivileges = $true  
$Printer.SetSecurityDescriptor($SD)  

I need to add "Manage Documents" permissions to "CREATOR OWNER" on about 500 printers. I'd prefer not to have to do it manually via Print Management GUI.

I am happy to provide addition code snippets and talk about testing I have done if that would be helpful. Thank you in advance for any assistance.

Windows Server Printing
Windows Server Printing
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Printing: Printer centralized deployment and management, scan and fax resources management, and document services
676 questions
Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
5,523 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Jim Drury 1 Reputation point
    2022-10-03T21:51:59.537+00:00

    This response is not helpful.

    0 comments No comments

  2. MotoX80 33,561 Reputation points
    2022-10-03T22:50:04.713+00:00

    It might not be the answer that you were hoping for, but you might be able to use the suggestion that I had for this question.

    https://learn.microsoft.com/en-us/answers/questions/1029427/powershell-permissionsddl.html

    Creator owner is "CO" in SDDL format. So what you can try is to use the GUI to set the permissions on one printer, and then analyze the SDDL to pick off the entries that you want. Then append those to the current SDDL of the "target" printer.

    I have not tested this, but in theory I would think that it would work.

    $sid = ";CO"       #  or use sid for users/groups "S-1-5-17"  
    $x = Get-Printer "Quicken pdf printer" -Full  
    "Here are the permissions."  
    $x.PermissionSDDL  
    ""  
    $z = $x.PermissionSDDL.split('(') | foreach {"($_"}   
    $z  
    $AddThese = -join ($z | Where-Object {$_ -match $sid})  
    ""  
    "Here is the string to append."  
    $AddThese  
    

    Something like this...

    $tgt = Get-Printer OtherPrinter -Full  
    #todo:  Test to see if AddThese has already been added to the SDDL...   
    $tgt.PermissionSDDL = $tgt.PermissionSDDL + $AddThese  
    $tgt | Set-Printer  
    
    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.