Pete Hinchley: Use PowerShell to Modify Permissions of Local Printer

By default, the Everyone group is granted the Print permission on local printers in Windows. This is typically a good thing, but what if you want to limit printing to only a specific group of users? The following PowerShell script can help; it rebuilds the printer's DACL, dropping the ACE assigned to the Everyone group and adding an equivalent ACE (print plus read) for an Active Directory group. To use the script, set $device to the name of the local printer, $domain to the Active Directory domain (in which the group is located), and $username to the name of the group. Run it from an elevated PowerShell session, since changing a printer's security descriptor requires administrative rights. Here is the code:

$device = 'printer name'
$domain = 'lab'
$username = 'group name'

# Fetch the printer object; -enableallprivileges enables the privileges
# needed to read and write its security descriptor.
$printer = gwmi -enableallprivileges win32_printer | ? name -eq $device

# Current security descriptor of the printer.
$sd = ($printer.getsecuritydescriptor()).descriptor

# Build a fresh descriptor and carry over the control flags of the old one.
$newsd = ([wmiclass]"win32_securitydescriptor").createinstance()
$newsd.controlflags = $sd.controlflags

# Build the ACE that will grant the new group access to the printer.
$ace = ([wmiclass]"win32_ace").createinstance()
$trustee = ([wmiclass]"win32_trustee").createinstance()
$account = new-object system.security.principal.ntaccount($domain, $username)
$sid = $account.translate([system.security.principal.securityidentifier])

$trustee.domain = $domain
$trustee.name = $username
$trustee.sidstring = $sid.value
$ace.trustee = $trustee
$ace.acetype = 0         # 0 = access allowed ACE (set explicitly rather than relying on the default).
$ace.accessmask = 131080 # 0x20008 = PRINTER_ACCESS_USE (0x8) + READ_CONTROL (0x20000): print + read.

# Copy every existing ACE except the one for Everyone into the new DACL.
# The comparison is case-insensitive, as PowerShell string comparisons are by default.
$sd.dacl | where-object { $_.trustee.name -ne 'everyone' } | %{
  $acex = $_
  $newsd.dacl += @($acex.psobject.baseobject)
}

# Append the ACE for the group and write the new descriptor back to the printer.
# A non-zero ReturnValue means the descriptor was not applied.
$newsd.dacl += $ace
$result = $printer.setsecuritydescriptor($newsd)
if ($result.returnvalue -ne 0) { write-error "setsecuritydescriptor failed with return value $($result.returnvalue)" }
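After a change like the one above it is worth confirming what the printer DACLs actually contain, both on the printer you modified and on any others on the host. The following audit script is an added example and is not part of the original post; the function names are ours, and it reads the same win32_printer security descriptors the script above writes. The bit values it decodes are the standard Win32 printer access rights (PRINTER_ACCESS_USE, PRINTER_ACCESS_ADMINISTER, JOB_ACCESS_ADMINISTER, READ_CONTROL, WRITE_DAC, WRITE_OWNER); the 131080 mask of the post is PRINTER_ACCESS_USE plus READ_CONTROL.

```powershell
# Added example (not the original post's code): report the DACL of every local
# printer with the access masks decoded, and list printers on which Everyone can
# still print. Assumes Windows PowerShell with WMI access to win32_printer.

# Well-known Win32 access bits (winspool.h / winnt.h).
$PRINTER_ACCESS_ADMINISTER = 0x4
$PRINTER_ACCESS_USE        = 0x8
$JOB_ACCESS_ADMINISTER     = 0x10
$WRITE_DAC                 = 0x40000
$WRITE_OWNER               = 0x80000
$ACE_TYPE_DENIED           = 1
$ACE_FLAG_INHERIT_ONLY     = 0x8

# Translate an ACE's access mask and flags into the names the printer
# properties dialog uses (Print, Manage Documents, Manage Printer).
function Convert-PrinterAccessMask {
  param([uint32]$mask, [byte]$flags)
  $rights = @()
  if ($flags -band $ACE_FLAG_INHERIT_ONLY) {
    # Inherit-only ACEs apply to print jobs, not to the printer object itself.
    if ($mask -band $JOB_ACCESS_ADMINISTER) { $rights += 'ManageDocuments' }
  } else {
    if ($mask -band $PRINTER_ACCESS_USE)        { $rights += 'Print' }
    if ($mask -band $PRINTER_ACCESS_ADMINISTER) { $rights += 'ManagePrinter' }
  }
  if ($mask -band ($WRITE_DAC -bor $WRITE_OWNER)) { $rights += 'ChangePermissions' }
  if ($rights.Count -eq 0) { $rights += ('0x{0:X}' -f $mask) }  # unrecognised mask: show it raw
  $rights -join ','
}

# One object per ACE per printer: who, allow/deny, and the decoded rights.
function Get-PrinterAclReport {
  foreach ($printer in (gwmi -enableallprivileges win32_printer)) {
    $result = $printer.getsecuritydescriptor()
    if ($result.returnvalue -ne 0) {
      write-warning "Could not read the security descriptor of '$($printer.name)' (return value $($result.returnvalue))"
      continue
    }
    foreach ($ace in $result.descriptor.dacl) {
      $trustee = $ace.trustee.name
      if ($ace.trustee.domain) { $trustee = "$($ace.trustee.domain)\$($ace.trustee.name)" }
      $type = 'Allow'
      if ($ace.acetype -eq $ACE_TYPE_DENIED) { $type = 'Deny' }
      [pscustomobject]@{
        Printer = $printer.name
        Trustee = $trustee
        Type    = $type
        Rights  = Convert-PrinterAccessMask -mask $ace.accessmask -flags $ace.aceflags
      }
    }
  }
}

# Printers on which Everyone still holds an allow ACE with the Print right,
# i.e. where the change from the post has not been applied or has been reverted.
function Get-PrinterWithEveryonePrint {
  Get-PrinterAclReport |
    where-object { $_.Trustee -eq 'everyone' -and $_.Type -eq 'Allow' -and $_.Rights -match 'Print' } |
    select-object -expandproperty Printer -unique
}

Get-PrinterAclReport | format-table -autosize
Get-PrinterWithEveryonePrint
```

Note that the report will normally still show an inherit-only ACE for CREATOR OWNER decoded as ManageDocuments; that is the default entry letting users manage their own jobs, not a grant to Everyone, and the second function deliberately ignores it.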