powershell question - print related

Hello. I am a powershell n00b

I would like to have a powershell script that would perform the following:

- audit all print queues on a server and list the network security groups

- list all print queues that have the everyone group

- list all print queues that DO NOT have the everyone group

- output that information to a csv file with server, queue name, everyone group YES / NO

- remove the everyone group from a subset of the output (manually filtered is ok)

- create a log of what queues the everyone group was removed from

- output the log to a csv file with server, queue name, everyone group removed YES / NO

Ideally I would be able to run this from my management server against all of my print servers so being able to use a servers.txt file would be important.

Some of our customers require that the everyone group is removed from some print queues for security reasons. We have 24 print servers and thousands of queues.

I have hacked together a few powershell scripts before but being able to audit then list then change (remove) in bulk the everyone group is beyond my skills. I am researching and trying to learn but as always I am under pressure to come up with this script yesterday.

If anyone has any sample code I could edit or any suggestions on building the script that would be awesome.

Thanks

  • What you are asking for here is a pretty specific thing to your needs and printer management itself is just a pain. Let alone your use case here.

    In general, forums are not the place to ask folks to write stuff for you, but a place to ask for help regarding code you've put together, that is either not working, getting errors or where you feel lost. You really need to show what you tried/have so far.

    PoSH for sure has a set of cmdlets for Printer Management, and the PoHS Help files and TechNet shows you examples of what you can do regarding Print Managements.


        This reference provides cmdlet descriptions and syntax for all print management cmdlets. It lists the cmdlets in alphabetical order

        'docs.microsoft.com/en-us/powershell/module/printmanagement/?view=winserver2012r2-ps'

        *******Disclaimer.  This posting contains scripting samples.  These are
         provided as-is with no guaranties or warranties of any kind.  They are
         not thoroughly tested in all scenarios.

        'blogs.technet.microsoft.com/print/2009/10/16/printer-management-using-powershell'

    Yet, what you are asking for is not a noob thing and I would doubt based on what you are specifically after, that anyone would have something like this. For example I have no share printers in my environment. Hey, but I've been wrong before. So, this is a from scratch effort on your part using the built-in printer cmdlets.

    Yet, my question is, why not do this permission stuff via Group Policy?

    Just search for 'GP preference printer sharing and security permissions for Everyone group'

    Anyway, for your edification, here are some items to consider / leverage.

        # Get all printers
        Get-Printer

        # Get parameters, example, full and Online help for a cmdlet or function

        Get-Printer | Select -Property * -First 1
        (Get-Command -Name Get-Printer).Parameters
        Get-help -Name Get-Printer -Examples
        Get-help -Name Get-Printer -Full
        Get-help -Name Get-Printer -Online

        # Get all printers permissions
        (Get-Printer).Name | % {(Get-Printer $_ -Full).PermissionSDDL}


        # Get the first printer in the list
        Get-Printer | Select -First 1 | Format-Table -AutoSize -Wrap

        # Get first printer permissions -
        (Get-Printer).Name | % {(Get-Printer $_ -Full).PermissionSDDL} | Select -First 1 | Format-Table -AutoSize -Wrap


    Getting / setting SDDL and parsing SID info
    Getting permissions will generate a long list of SDDL with SIDS - which have to be converted human readable

    Roughly, something like...

        ($sddl = ((Get-Printer).Name | % {(Get-Printer $_ -Full).PermissionSDDL} | Select -First 1))
        ($sec = New-Object System.Security.AccessControl.DirectorySecurity)
        $sec.GetSecurityDescriptorSddlForm($sddl)
        $sec.Access


    'msdn.microsoft.com/en-us/library/windows/desktop/aa379570(v=vs.85).aspx'
    'msdn.microsoft.com/en-us/library/system.security.accesscontrol.objectsecurity.getsecuritydescriptorsddlform(v=vs.110).aspx'
    'msdn.microsoft.com/en-us/library/system.security.accesscontrol.objectsecurity.setsecuritydescriptorsddlform(v=vs.110).aspx'
    'blogs.technet.microsoft.com/ashleymcglone/2011/08/29/powershell-sid-walker-texas-ranger-part-1'

    Then using Get-ACL and Set-ACL cmdlets changing things
    'docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-powershell-1.0/ee176838(v=technet.10)'

    Rather than trying to build this yourself, it might be in your best interest to try this too;

    download the 2003 Windows resource kit and use setprinter.exe to determine the security descriptor and then take needed actions.

    'microsoft.com/en-us/download/details.aspx?id=17657'

    or
    'helgeklein.com/setacl/examples/managing-printer-service-and-share-permissions-with-setacl-exe'