I'm attempting to read and eventually write the DACLs for printers shared from my print server. Here's what I have so far, based on scripts found around the internet:
# Access-mask values mapped to the names the Security tab uses for them
$pace = DATA {
    ConvertFrom-StringData -StringData @'
983052 = ManagePrinters
983088 = ManageDocuments
131080 = Print
524288 = TakeOwnership
131072 = ReadPermissions
262144 = ChangePermissions
'@
}
$flags = @(983052, 983088, 131080, 524288, 131072, 262144)
$printers = Get-WmiObject -Class Win32_Printer -ComputerName "NAME"
"Got Printers"
foreach ($printer in $printers)
{
    ""
    "Printer: $($printer.DeviceID)"
    $sd = $printer.GetSecurityDescriptor()
    $ssd = $sd.Descriptor.DACL
    foreach ($obj3 in $ssd)
    {
        ""
        "$($obj3.Trustee.Domain) $($obj3.Trustee.Name)"
        foreach ($flag in $flags)
        {
            # -band is non-zero when any bit overlaps, so a Print-only mask (131080)
            # also matches ManagePrinters (983052) here
            if ($obj3.AccessMask -band $flag)
            {
                $pace["$($flag)"]
            }
        }
    }
}
However, I can't make sense of the output. It seems like there are duplicate entries for each domain/name pair except for Creator Owner. However, the duplicates have different access masks than the first. Which ones are the entries I want to look at if I want to confirm the permissions are what I see in the printer's security tab? Writing new permissions shouldn't be a problem once I figure out which access masks to set.
Edit: There also seems to be a problem with the loop to read the bit mask. I got that from another script that's supposed to work.
Edit: Here's some sample output I'm trying to understand:
Got Printers
Printer: printer
DOMAIN jshier
AccessMask: 983052
ManagePrinters
ManageDocuments
Print
TakeOwnership
ReadPermissions
ChangePermissions
DOMAIN jshier
AccessMask: 983088
ManagePrinters
ManageDocuments
Print
TakeOwnership
ReadPermissions
ChangePermissions
CREATOR OWNER
AccessMask: 268435456
Everyone
AccessMask: 131080
ManagePrinters
ManageDocuments
Print
ReadPermissions
Everyone
AccessMask: 536870912
BUILTIN Administrators
AccessMask: 983052
ManagePrinters
ManageDocuments
Print
TakeOwnership
ReadPermissions
ChangePermissions
BUILTIN Administrators
AccessMask: 268435456
This output doesn't match what I see in the Advanced Security Settings for the printer. For example, the first instance of my user account should have all permissions except "Manage documents". And Everyone should just have a single entry with permissions for "Print" and "Read permissions". Am I missing something in my AccessMask conversion?
BTW, this is Win. Server 2008 R2.
Best Answer
That sounds like the expected behavior to me. For example, if you examine the printer security using the Printer Management console, you may notice that there is a single ACE entry for a given security principal, with checkboxes for Print, Manage this Printer, and Manage Documents.
However, if you click the Advanced security page, there may be two ACEs for that security principal, one for Manage this Printer and a second for Manage Documents, and there is usually an ACE for Everyone for the Print permission.
If you are interested in how the operating system defines and interprets these permissions, here is one possible view. As you can see, Manage Printers includes several other permissions, so that may explain the output.
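To decode each ACE the way the Security tab does, here is an added example (not code from the question or the answer). It tests each right as a whole bit set rather than any overlapping bit, and reads AceFlags so that inherit-only entries, which apply to print jobs rather than to the printer itself, are labelled as such; PRINTSERVER is a placeholder for the print server name.

```powershell
# Printer rights as shown in the Security tab, with the Win32 mask behind each.
$rights = [ordered]@{
    ManagePrinters    = 0xF000C   # PRINTER_ALL_ACCESS
    ManageDocuments   = 0xF0030   # JOB_ALL_ACCESS
    Print             = 0x20008   # READ_CONTROL | PRINTER_ACCESS_USE
    TakeOwnership     = 0x80000   # WRITE_OWNER
    ChangePermissions = 0x40000   # WRITE_DAC
    ReadPermissions   = 0x20000   # READ_CONTROL
}
# Generic rights appear unmapped in inherit-only ACEs (268435456 and 536870912 above); decimal keeps them UInt32-safe.
$generic = [ordered]@{
    GENERIC_ALL     = 268435456    # 0x10000000
    GENERIC_EXECUTE = 536870912    # 0x20000000
    GENERIC_WRITE   = 1073741824   # 0x40000000
    GENERIC_READ    = 2147483648   # 0x80000000
}
$INHERIT_ONLY_ACE       = 0x8   # ACE applies only to objects that inherit it (print jobs)
$ACCESS_DENIED_ACE_TYPE = 1     # Win32_ACE.AceType: 0 = allow, 1 = deny
function Get-PrinterAceReport {
    param([string]$ComputerName)
    foreach ($printer in Get-WmiObject -Class Win32_Printer -ComputerName $ComputerName) {
        foreach ($ace in $printer.GetSecurityDescriptor().Descriptor.DACL) {
            $mask  = [uint32]$ace.AccessMask
            $names = @()
            # A right is present only when every bit of its mask is set. A plain -band
            # reports ManagePrinters (0xF000C) for a Print-only ACE (0x20008), because
            # the two masks share the PRINTER_ACCESS_USE bit.
            foreach ($name in $rights.Keys) {
                if (($mask -band $rights[$name]) -eq $rights[$name]) { $names += $name }
            }
            foreach ($name in $generic.Keys) {
                if ($mask -band $generic[$name]) { $names += $name }
            }
            $type      = if ($ace.AceType -eq $ACCESS_DENIED_ACE_TYPE) { 'Deny' } else { 'Allow' }
            $appliesTo = if ($ace.AceFlags -band $INHERIT_ONLY_ACE) { 'Documents only' } else { 'This printer' }
            [pscustomobject]@{
                Printer    = $printer.DeviceID
                Trustee    = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
                Type       = $type
                AppliesTo  = $appliesTo
                AccessMask = '0x{0:X}' -f $mask
                Rights     = $names -join ', '
            }
        }
    }
}
# PRINTSERVER is a placeholder for the print server name.
Get-PrinterAceReport -ComputerName 'PRINTSERVER' | Format-Table -AutoSize
```

With the whole-mask test, an Everyone ACE of 131080 reports only Print and ReadPermissions, and the second entry for a user carries "Documents only", which is the Manage Documents ACE the answer describes.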