Delegating Printer Management

[Guest]

Our Help Desk manager wants his team to be able to clear printer queues on
any printer in our forest. We have over 1000 print queues and do not want the
IT-Helpdesk group to have Power User rights on the print servers. We ju8st
want them to manage documents on the printers. The only references that I've
found in Technet say to add the group to the Print Operators then add Print
Operators to the loacal Power Users group on the print server.Which gives
them way too much power over the server. Is there another way of delegating
the correct amount of control?

 

[Felix Maxa [MSFT]]

There are 2 important securable objects in the printing space: servers and
queues.

Servers
The security descriptor for servers is hard coded, which makes delegation a
problem. The references you found are correct. An admin acts on a server
when adding queues, adding/deleting ports, forms, printer drivers.

Queues
Once a queue is added, permissions to the queue are granted based on the
security descriptor for the queue. The security descriptor for print queues
is configurable. We ship a tool setprinter.exe in the resource kit. This
tool can change security descriptors for a particular queue on a server or
for all the queues on the server. You can do the following:

1. Add a domain group "PrintQueueManagers" or something like that
2. Add the appropriate users to that group
2. In a script: for each print server in your domain call SetPrinter.exe
to update the security descriptor for queues to include
your-domain\PrintQueueManagers with admin permission on the queue

The members of this group will be able to pause/resume/delete/configure
queues, pause/resume/delete print jobs. They will NOT be able to add new
queues or printer drivers or ports or forms.

 

[Guest]

We're running Windows 2000 servers as well as Windows 2003. I don't see a
setprinter.exe in the Windows 2000 resource kit and the 2003 kit requires XP
or higher to install.

Don Gertz
Multnomah County Oregon

 

[Guest]

We have both Windows 2000 and Windows 2003 servers acting as print servers. I
don't see setprinter.exe in the Windows 2000 Resource Kit and the W 2003
resource kit won't install on Windows 2000 servers.

Don Gertz

 

[Alan Morris\(MSFT\)]

install on your server 2003 system. The binary will work on Win2k or you
can use this remotely

--
Alan Morris
Windows Printing Team
Search the Microsoft Knowledge Base here:
http://support.microsoft.com/default.aspx?scid=fh;[ln];kbhowto

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Guest]

Can you give me an example of the script I'd use to add group =
"PrintQueueManagers" with manage documents to all the printers on a remote
server? We have 420 on one W2K server that I know of. I'm having trouble
interpreting the readme for setprinter.exe.

Thanks,
Don Gertz

 

[Mark Stout]

Can some post the command line arguments needed to add the group to
the printer ACL's.

Thank you