This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 57.99999999999999%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
I used this powershell to add a security group call ''GRADM'' set on my printer ''IMP00107'' to all of my print servers which will set the group to have the Manage Documents permission but when I run the script security group is created and ather existing group in the printers are overwrited. Is it the way to add group ''GRADM'' and keep existing Group ?
$Printserver = "ps01"
$printsecurity = get-printer -computer $Printserver "IMP00107" -full
get-printer Printer002 -computer $Printserver | Foreach-Object {
set-printer $_.name -computer $Printserver -PermissionSDDL $printsecurity.PermissionSDDL
}
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 68%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELT%3C/text%3E%3C/svg%3E)
Hello there,
If you want your existing security groups to be merged with the new security groups then you must create a nested group. You can add an existing Security Group to another Security group (also known as nested groups), creating a member group (subgroup) and a parent group. The member group inherits the attributes and properties of the parent group, saving you configuration time.
You can use Add-ADGroupMember to add a group to another group. Here's the syntax:
http://technet.microsoft.com/en-us/library/ee617210.aspx
Manage Azure Active Directory groups and group membership https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/how-to-manage-groups
--------------------------------------------------------------------------------------------------------------------------------------
--If the reply is helpful, please Upvote and Accept it as an answer–
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 74%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERM%3C/text%3E%3C/svg%3E)
How are you adding the ACE for the group "GRADM" to the printer's SDDL?
I created group ''GRADM'' with AD, I added the group in one of my printer ''IM00107'' after that I used the script to add that group with all PermissionSDDL(ACL) to all my others printers. The way is the script add the group on all printers but other existing groups are deleted
What you've done is to replace the SDDL on the other printers with the SDDL from the printer IMP000107. That's okay if all the printers are expected to have the same permissions as IMP000107. It's not okay if other printers are expected to have different sets of permissions.
Let's say IMP000107 has permission for groups A, B, and C. And XYZ000010 has permission for groups A,B, and D. To add GRADM to each SDDL you have to modify each printer's SDDL individually.
HI,
IMP00107 printer has 3groups with permission A,B,C another printer IMP150 has 2 group with permission D,E, The script have to add one one group of IMP00107 with permission C to other printer (120printers) but the script delete every other groups and replace only with is own 3 group. That not working for me. I have around 120 printers change printer by printer is not efficient .
Thank
The Set-Printer cmdlet replaces the SDDL on the target printer. It doesn't add anything!
You need to get the existing SDDL from the target printer, then create an ACE for the group GRADM and add that new ACE to the SDDL. Then use Set-Printer to replace the existing SDDL with the SDDL you modified (the one with the new ACE for the group GRADM).
Download Psgetsid and use it to get the SID of the account.
https://learn.microsoft.com/en-us/sysinternals/downloads/psgetsid
This code will build the string that you need to append to the existing SDDL's.
$sid = "S-1-5-17" # The SID of the desired account
$x = Get-Printer "Quicken pdf printer" -Full
"Here are the permissions."
$x.PermissionSDDL
""
$z = $x.PermissionSDDL.split('(') | foreach {"($_"}
$AddThese = -join ($z | Where-Object {$_ -match $sid})
""
"Here is the string to append."
$AddThese
You should test the existing permissions to see if the account was already added. Test against one printer first before you run it against all 120 printers.
Note that I have not tested actually updating the SDDL.
Rich probably has some additional thoughts.
Instead of creating a new ACE, I'd just get the one for the GRADM group (using the SID to find it) in the SDDL he placed on the IMP000107 printer. Then add that ACE to each SDDL on the other printers.
Thank for your answer, I get the SID and ran the script on one printer, but no result, I'm still looking for other way I think with with SID now it will be good
ran the script on one printer, but no result,
After you appended the data in the $AddThese variable to the current permissions in PermissionSDDL, did you reread to verify that they had been set correctly? What do you mean by "no result"?
HI, I mean that the script never end it like static. But I’m still on it
Post the script.