
How to distribute or change the print queue objects security descriptor in Windows Server 2008 R2 – Automation for administrators

by Cengiz Kuskaya

Solution:

In Windows Server 2008 and 2008 R2 the current owner of a print queue is SYSTEM, not Local Admin as in Windows Server 2003. We therefore have to perform these actions under the SYSTEM account.

Steps:

1) Create a test print queue on Windows Server 2008 or 2008 R2 and modify its security through the print queue's properties (add or change the groups you want).

2) Grab the setprinter.exe tool from the Reskit and display the security descriptor of the print queue, as in the example below.

C:\Windows\System32\>setprinter -show \\PrintServerName\HP2300 3
pSecurityDescriptor="O:S-1-5-21-72051607-1745760036-109187956-53879G:DUD:(A;CIIO;RC;;;CO)(A;OIIO;GA;;;CO)(A;;SWRC;;;WD)(A;CIIO;GX;;;WD)(A;;LCSWSDRCWDWO;;;BA)(A;OICIIO;GA;;;BA)(A;;LCSWSDRCWDWO;;;PU)(A;OICIIO;GA;;;PU)"

3) Next, create a batch job like the one below to distribute the security descriptor to all print queues on a specific 2008 print server. Save it as C:\distribute.bat.

Batch job:

setprinter \\PrintServerName 3 pSecurityDescriptor="O:S-1-5-21-72051607-1745760036-109187956-53879G:DUD:(A;CIIO;RC;;;CO)(A;OIIO;GA;;;CO)(A;;SWRC;;;WD)(A;CIIO;GX;;;WD)(A;;LCSWSDRCWDWO;;;BA)(A;OICIIO;GA;;;BA)(A;;LCSWSDRCWDWO;;;PU)(A;OICIIO;GA;;;PU)"

4) Grab the psexec tool from Sysinternals and save it under \system32.

5) Start > Run > psexec -s cmd.exe to run cmd under the SYSTEM account.

6) You can check in Task Manager that cmd.exe is really running under the SYSTEM account.

7) At the command prompt, type C:\distribute.bat.

Now the security descriptors on all print queues will be changed.
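
Because the batch job in step 3 applies one descriptor to every queue on the server, it is worth decoding the SDDL string from step 2 first to see who receives management rights. The following is an added example, not part of the original article or of setprinter; the function names and the EXPECTED allow-list are assumptions to adapt to your environment.

```python
import re

# SDDL copied from step 2 of the page (the value setprinter distributes).
SDDL = ("O:S-1-5-21-72051607-1745760036-109187956-53879G:DUD:"
        "(A;CIIO;RC;;;CO)(A;OIIO;GA;;;CO)(A;;SWRC;;;WD)(A;CIIO;GX;;;WD)"
        "(A;;LCSWSDRCWDWO;;;BA)(A;OICIIO;GA;;;BA)"
        "(A;;LCSWSDRCWDWO;;;PU)(A;OICIIO;GA;;;PU)")

# SDDL right codes -> access-mask bits. On a print queue, bit 0x4 (LC) is
# PRINTER_ACCESS_ADMINISTER and bit 0x8 (SW) is PRINTER_ACCESS_USE.
RIGHTS = {"GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000, "GA": 0x10000000,
          "WO": 0x80000, "WD": 0x40000, "RC": 0x20000, "SD": 0x10000,
          "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100}
NAMES = {"CO": "CREATOR OWNER", "WD": "Everyone", "BA": "BUILTIN\\Administrators",
         "PU": "BUILTIN\\Power Users", "SY": "SYSTEM", "DU": "Domain Users"}
# Administer, WRITE_DAC, WRITE_OWNER or GENERIC_ALL: rights that let a trustee
# manage the queue or rewrite its permissions.
MANAGE = 0x4 | 0x40000 | 0x80000 | 0x10000000
# Assumption: trustees this reviewer expects to hold management rights.
EXPECTED = {"BA", "SY", "CO"}

def parse_mask(rights):
    """Turn 'LCSWRC' or '0xf000c' into an integer access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHTS[rights[i:i + 2]]  # KeyError on an unknown code
    return mask

def parse_dacl(sddl):
    """Return one dict per ACE in the D: part of an SDDL string."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    aces = []
    for body in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        ace_type, flags, rights, _obj, _inh, sid = body.split(";")[:6]
        aces.append({"type": ace_type, "flags": flags, "sid": sid,
                     "trustee": NAMES.get(sid, sid), "mask": parse_mask(rights)})
    return aces

def unexpected_managers(sddl):
    """Allow-ACEs giving management rights to a trustee outside EXPECTED."""
    return [a for a in parse_dacl(sddl)
            if a["type"] == "A" and a["mask"] & MANAGE and a["sid"] not in EXPECTED]

if __name__ == "__main__":
    for ace in unexpected_managers(SDDL):
        print(f'{ace["trustee"]}: mask 0x{ace["mask"]:08x} flags "{ace["flags"]}"')
```

For the descriptor on this page it reports the two Power Users (PU) entries, so confirm that group is meant to manage every queue before running the batch job.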