Re: Delegating Rights to Help Desk Users

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

I've run into another issue.
It looks like I have to repeate this step on every print server because of
the unique SID's in the security descriptor. I really need to automate this
at the time of the printer installs.

I'm using prnport.vbs,prnmgr.vbs & prncnfg.vbs to automate the install from
a csv file.

Is there another way that you know of to do this ?
I can use setACL.exe but that means I have to make the file available on
every server.

"Matt Carmichael" wrote:

I managed to get it working following your example (which is what I had been
doing) but with one difference.

I was doing what all good admins do "runas" with elevated privileges.
Once I logged on with the admin account it worked.

Moral of the story "not everything works from the command prompt using runas"
Thank you very much for you help

"Alan Morris [MSFT]" wrote:

Make sure you move the " " when getting the example and setting the next
printer

E:\>setprinter -examples 3

Used to set print queue security. Note: Security settings can only be set
as a whole. No support is provided for partial modifications.

To see current settings:
SetPrinter -show PrinterName 3

To change security settings (see "Security Descriptor String Format" in MSDN
or SDKdocs for details):
*** WARNING: this could make the print queue inaccessable and require the
use of a
registry editor to fix ***
SetPrinter PrinterName 3
"pSecurityDescriptor=O:BAG:DUD:(A;CIIO;RC;;;CO)(A;OIIO;GA;;;CO)(A;;SWRC;;;WD)(A;CIIO;GX;;;WD)(A;;L
CSWSDRCWDWO;;;BA)(A;OICIIO;GA;;;BA)(A;;LCSWSDRCWDWO;;;PU)(A;OICIIO;GA;;;PU)"

To leave the settings unchanged (but what's the point then):
SetPrinter PrinterName 3 "pSecurityDescriptor=NULL"



So I setup 123printme and get the security descriptor.

E:\>setprinter -show 123printme 3

pSecurityDescriptor="O:BAG:DUD:(A;OIIO;RPWPSDRCWDWO;;;BA)(A;;LCSWSDRCWDWO;;;BA)(A;CIIO;RC;;;CO)(A;OIIO;RPWPSDRCWDWO;;;CO)(A;;SWRC;;;WD)(A;OIIO;RPWPSDRCWDWO;;;PU)(A;;LCSWSDRCWDWO;;;PU)(A;;LCSWSDRCWDWO;;;S-1-5-21-2127521184-1604012920-1887927527-00032)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-2127521184-1604012920-1887927527-00032)"

then I take this descriptor from the configured printer and set it on test
printer.

E:\>setprinter test 3
"pSecurityDescriptor=O:BAG:DUD:(A;OIIO;RPWPSDRCWDWO;;;BA)(A;;LCSWSDRCWDWO;;;BA)(A;CIIO;RC;;;CO)(A;OIIO;RPWPSDRCWDWO;;;CO)(A;;SWRC;;;WD)(A;OIIO;RPWPSDRCWDWO;;;PU)(A;;LCS
WSDRCWDWO;;;PU)(A;;LCSWSDRCWDWO;;;S-1-5-21-2127521184-1604012920-1887927527-00032)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-2127521184-1604012920-1887927527-00032)"

Set printer on 'test' succeeded.




--
Alan Morris
Windows Printing Team
Search the Microsoft Knowledge Base here:
http://support.microsoft.com/default.aspx?scid=fh;[ln];kbhowto

This posting is provided "AS IS" with no warranties, and confers no rights.

"Matt Carmichael" <MattCarmichael@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:E338F74B-33D0-4636-8E9A-6E480FC69C74@xxxxxxxxxxxxxxxx
Alan,
Good to see your still hanging out in here.
I am trying this on my local machine with Admin rights.


"Alan Morris [MSFT]" wrote:

I still hang out here. Are you performing this local or to a remote
server?

1307 ERROR_INVALID_OWNER

--
Alan Morris
Windows Printing Team
Search the Microsoft Knowledge Base here:
http://support.microsoft.com/default.aspx?scid=fh;[ln];kbhowto

This posting is provided "AS IS" with no warranties, and confers no
rights.

"Matt Carmichael" <MattCarmichael@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:579A78FD-45DA-4E1C-A519-1609CAED376C@xxxxxxxxxxxxxxxx
I need to add a group to all printers with the "Manage Documents"
Permission's.

I have found a document from the Windows Printing Team with the
following.
You will need the setprinter.exe utility from the Windows resource kit
level 3
set a printer with the security you want. View the security for that
printer, then apply the same security descriptor for a single printer
or
all
the printers on a system. This will work locally or targeting a remote
machine.

I have tried this but end up with the following error
Unable to set printer on 'hp5si'. Error code 1307.
"This security ID may not be assigned as the owner of this object."






.

Relevant Pages

  • RE: AD Magic
    ... The point is that you check if the user are member of the groups which are effected by the automatic reset. ... permissions to access the mailbox and go through the items therein ... If a security descriptor for a user account ...
    (microsoft.public.windows.server.active_directory)
  • Re: Delegating Rights to Help Desk Users
    ... Alan Morris ... Windows Printing Team ... the unique SID's in the security descriptor. ...
    (microsoft.public.win2000.printing)
  • Re: Bug oder feature? NTFS Rechte
    ... >"In Relaxed Security mode, the security descriptor ... >USER) is added to each member of the Users group. ... Windows NT 4.0, ... the presence of the security descriptor ...
    (microsoft.public.de.german.windows.terminaldienste)
  • Re: Delegating Rights to Help Desk Users
    ... Used to set print queue security. ... Security settings can only be set ... To change security settings (see "Security Descriptor String Format" in MSDN ... Windows Printing Team ...
    (microsoft.public.win2000.printing)
  • Re: Delegating Rights to Help Desk Users
    ... Used to set print queue security. ... To change security settings (see "Security Descriptor String Format" in MSDN ... Windows Printing Team ... I am trying this on my local machine with Admin rights. ...
    (microsoft.public.win2000.printing)