Re: Delegating Rights to Help Desk Users

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

I managed to get it working following your example (which is what I had been
doing) but with one difference.

I was doing what all good admins do "runas" with elevated privileges.
Once I logged on with the admin account it worked.

Moral of the story "not everything works from the command prompt using runas"
Thank you very much for you help

"Alan Morris [MSFT]" wrote:

Make sure you move the " " when getting the example and setting the next
printer

E:\>setprinter -examples 3

Used to set print queue security. Note: Security settings can only be set
as a whole. No support is provided for partial modifications.

To see current settings:
SetPrinter -show PrinterName 3

To change security settings (see "Security Descriptor String Format" in MSDN
or SDKdocs for details):
*** WARNING: this could make the print queue inaccessable and require the
use of a
registry editor to fix ***
SetPrinter PrinterName 3
"pSecurityDescriptor=O:BAG:DUD:(A;CIIO;RC;;;CO)(A;OIIO;GA;;;CO)(A;;SWRC;;;WD)(A;CIIO;GX;;;WD)(A;;L
CSWSDRCWDWO;;;BA)(A;OICIIO;GA;;;BA)(A;;LCSWSDRCWDWO;;;PU)(A;OICIIO;GA;;;PU)"

To leave the settings unchanged (but what's the point then):
SetPrinter PrinterName 3 "pSecurityDescriptor=NULL"



So I setup 123printme and get the security descriptor.

E:\>setprinter -show 123printme 3

pSecurityDescriptor="O:BAG:DUD:(A;OIIO;RPWPSDRCWDWO;;;BA)(A;;LCSWSDRCWDWO;;;BA)(A;CIIO;RC;;;CO)(A;OIIO;RPWPSDRCWDWO;;;CO)(A;;SWRC;;;WD)(A;OIIO;RPWPSDRCWDWO;;;PU)(A;;LCSWSDRCWDWO;;;PU)(A;;LCSWSDRCWDWO;;;S-1-5-21-2127521184-1604012920-1887927527-00032)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-2127521184-1604012920-1887927527-00032)"

then I take this descriptor from the configured printer and set it on test
printer.

E:\>setprinter test 3
"pSecurityDescriptor=O:BAG:DUD:(A;OIIO;RPWPSDRCWDWO;;;BA)(A;;LCSWSDRCWDWO;;;BA)(A;CIIO;RC;;;CO)(A;OIIO;RPWPSDRCWDWO;;;CO)(A;;SWRC;;;WD)(A;OIIO;RPWPSDRCWDWO;;;PU)(A;;LCS
WSDRCWDWO;;;PU)(A;;LCSWSDRCWDWO;;;S-1-5-21-2127521184-1604012920-1887927527-00032)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-2127521184-1604012920-1887927527-00032)"

Set printer on 'test' succeeded.




--
Alan Morris
Windows Printing Team
Search the Microsoft Knowledge Base here:
http://support.microsoft.com/default.aspx?scid=fh;[ln];kbhowto

This posting is provided "AS IS" with no warranties, and confers no rights.

"Matt Carmichael" <MattCarmichael@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:E338F74B-33D0-4636-8E9A-6E480FC69C74@xxxxxxxxxxxxxxxx
Alan,
Good to see your still hanging out in here.
I am trying this on my local machine with Admin rights.


"Alan Morris [MSFT]" wrote:

I still hang out here. Are you performing this local or to a remote
server?

1307 ERROR_INVALID_OWNER

--
Alan Morris
Windows Printing Team
Search the Microsoft Knowledge Base here:
http://support.microsoft.com/default.aspx?scid=fh;[ln];kbhowto

This posting is provided "AS IS" with no warranties, and confers no
rights.

"Matt Carmichael" <MattCarmichael@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:579A78FD-45DA-4E1C-A519-1609CAED376C@xxxxxxxxxxxxxxxx
I need to add a group to all printers with the "Manage Documents"
Permission's.

I have found a document from the Windows Printing Team with the
following.
You will need the setprinter.exe utility from the Windows resource kit
level 3
set a printer with the security you want. View the security for that
printer, then apply the same security descriptor for a single printer
or
all
the printers on a system. This will work locally or targeting a remote
machine.

I have tried this but end up with the following error
Unable to set printer on 'hp5si'. Error code 1307.
"This security ID may not be assigned as the owner of this object."






.

Relevant Pages

  • (no subject)
    ... Look at the Navy-Marine Corps Internet, a contract ... Security is secuirty and penetration means exactly that. ... You just hit a sore spot w/ me...the CSI/FBI survey. ... it's probably an admin who has ...
    (comp.security.misc)
  • (no subject)
    ... Look at the Navy-Marine Corps Internet, a contract ... Security is secuirty and penetration means exactly that. ... You just hit a sore spot w/ me...the CSI/FBI survey. ... it's probably an admin who has ...
    (comp.os.ms-windows.nt.admin.security)
  • Re: Food for Thought
    ... Look at the Navy-Marine Corps Internet, a contract ... Security is secuirty and penetration means exactly that. ... that telling the reader to do a Google search for sources isn't going to ... it's probably an admin who has ...
    (microsoft.public.win2000.security)
  • Re: Grant Administrative Access to a Domain Controller
    ... Anyone with a good understanding of AD and Windows security will easily see ways of compromising the environment. ... Do not give enhanced rights to Domain Controllers to anyone you don't trust with Domain and/or Enterprise Admins. ... Just know that minimal access can be parlayed into even more access and try as you might, you cannot secure Active Directory from people with server operator or admin or several other levels of access rights on a DC. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Rather funny; looks like page defacement to me
    ... > afford one (and often when they can't afford one this person works ... On top of all that pressure, ... so I was a bit caustic on the "incompetent admin" point; ... Nobody would hire me (I'm a security engineer) to draw structural diagrams. ...
    (Focus-IDS)