Yes, with a startup script.
setprinter.exe is included with the Windows 2003 resource kit. You can use:
setprinter.exe printerName 3 "pSecurityDescriptor=xxxxxxxxxx"
You would need to loop through all of the installed printers, and apply the new ACL. This would assume you could use the same ACL for all printers on all workstations. This may not be a problem as most people don't use custom security on local printers.
The pSecurityDescriptor= value is in SDDL form. Use setprinter -examples 3 to get more info.
Set a printer with the security the way you want it, then use setprinter -show printerName 3 to get the text of how the SDDL should be applied.
This is what the command and SDDL look like when Everyone has Manage Printers and all the other permissions are generic defaults:
setprinter.exe printerName 3 pSecurityDescriptor="O:BAG:DUD:(A;OIIO;RPWPSDRCWDWO;;;BA)(A;;LCSWSDRCWDWO;;;BA)(A;CIIO;RC;;;CO)(A;OIIO;RPWPSDRCWDWO;;;CO)(A;;LCSWSDRCWDWO;;;WD)(A;OIIO;RPWPSDRCWDWO;;;PU)(A;;LCSWSDRCWDWO;;;PU)"
All of that must be on one line.
Here is some PowerShell code that lists the printers:
Get-WMIObject Win32_Printer -ComputerName $env:computername | foreach-object{$_.Name}
So the command to do the work would be:
Get-WMIObject Win32_Printer -ComputerName $env:computername | foreach-object{setprinter.exe $_.Name 3 pSecurityDescriptor="O:BAG:DUD:(A;OIIO;RPWPSDRCWDWO;;;BA)(A;;LCSWSDRCWDWO;;;BA)(A;CIIO;RC;;;CO)(A;OIIO;RPWPSDRCWDWO;;;CO)(A;;LCSWSDRCWDWO;;;WD)(A;OIIO;RPWPSDRCWDWO;;;PU)(A;;LCSWSDRCWDWO;;;PU)"}
Again, that must be all one line.
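Before an SDDL string like the one in the answer above is pushed to every workstation, it is worth decoding it to see which trustees end up with Manage Printers on the printer itself. The script below is an added example, not part of the original answers; the function name Get-PrinterSddlReport, the $PrinterRights table and the choice of "broad" SIDs are assumptions made for this illustration, and it assumes Windows PowerShell 3.0 or later.

```powershell
# Added example (not from the original answers): decode a printer SDDL string
# and mark ACEs that give printer administration to a broad group.
$Sddl = 'O:BAG:DUD:(A;OIIO;RPWPSDRCWDWO;;;BA)(A;;LCSWSDRCWDWO;;;BA)(A;CIIO;RC;;;CO)(A;OIIO;RPWPSDRCWDWO;;;CO)(A;;LCSWSDRCWDWO;;;WD)(A;OIIO;RPWPSDRCWDWO;;;PU)(A;;LCSWSDRCWDWO;;;PU)'

# Printer and job access bits from winspool.h, plus the standard rights.
$PrinterRights = [ordered]@{
    'ManagePrinter'     = 0x00000004   # PRINTER_ACCESS_ADMINISTER
    'Print'             = 0x00000008   # PRINTER_ACCESS_USE
    'ManageDocuments'   = 0x00000010   # JOB_ACCESS_ADMINISTER
    'ReadDocuments'     = 0x00000020   # JOB_ACCESS_READ
    'Delete'            = 0x00010000
    'ReadPermissions'   = 0x00020000
    'ChangePermissions' = 0x00040000
    'TakeOwnership'     = 0x00080000
}
# Trustees treated as "broad" here (an assumption for this illustration).
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# Administer printer, change permissions, take ownership.
$Sensitive = 0x00000004 -bor 0x00040000 -bor 0x00080000

function Get-PrinterSddlReport {
    param([Parameter(Mandatory = $true)][string]$Sddl)
    $sd = New-Object -TypeName System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid  = $ace.SecurityIdentifier.Value
        $mask = $ace.AccessMask
        # Inherit-only ACEs (OIIO/CIIO) do not apply to the printer object itself.
        $inheritOnly = [bool]($ace.AceFlags -band [System.Security.AccessControl.AceFlags]::InheritOnly)
        $rights = foreach ($r in $PrinterRights.GetEnumerator()) {
            if ($mask -band $r.Value) { $r.Key }
        }
        [pscustomobject]@{
            Sid         = $sid
            Trustee     = $BroadSids[$sid]
            AceType     = $ace.AceType
            InheritOnly = $inheritOnly
            Rights      = $rights -join ', '
            # Review = allow ACE on the printer itself, broad trustee, administrative bit set.
            Review      = (-not $inheritOnly) -and $BroadSids.ContainsKey($sid) -and
                          ($ace.AceType -eq 'AccessAllowed') -and [bool]($mask -band $Sensitive)
        }
    }
}

Get-PrinterSddlReport -Sddl $Sddl | Format-Table -AutoSize
```

Feed it the SDDL text reported by setprinter -show printerName 3 on the reference printer before the string goes into a startup script.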
Turned out to be a permissions issue. Connecting via remote desktop as the server administrator worked, so we started removing restrictions on local drives until it started working again for the standard users and we could work out where it was trying to write to.
Best Answer
I came across this question realizing I never posted what I did. Ultimately I figured out a way to use SUBINACL.exe (it needs to be in a path directory like System32) and passed it through a PowerShell loop of all the printers.
Here's the code; run it from the PS Console as Administrator on the Print Server.
I don't work there anymore but I hope someone benefits from finding this.