Pete Hinchley: Use PowerShell to Modify Permissions of Local Printer

By default, the Everyone group is assigned print permissions to local printers in Windows. This is typically a good thing, but what if you want to limit printing to only a specific group of users? The following PowerShell script can help; it replaces the permissions assigned to the Everyone group with an entry for an alternate Active Directory group. To use the script, set $device to the name of the local printer, $domain to the Active Directory domain (in which the group is located), and $username to the name of the group. Here is the code:

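```powershell
$device = 'printer name'   # name of the local printer
$domain = 'lab'            # domain that contains the group
$username = 'group name'   # group that replaces Everyone

# Locate the printer; -enableallprivileges enables the caller's privileges for the WMI call.
$printer = gwmi -enableallprivileges win32_printer | ? name -eq $device

# Read the current security descriptor.
$sd = ($printer.getsecuritydescriptor()).descriptor

# Create a new descriptor that keeps the original control flags.
$newsd = ([wmiclass]"win32_securitydescriptor").createinstance()
$newsd.controlflags = $sd.controlflags

# Build the ACE for the replacement group, resolving the group name to its SID.
$ace = ([wmiclass]"win32_ace").createinstance()
$trustee = ([wmiclass]"win32_trustee").createinstance()
$account = new-object system.security.principal.ntaccount($domain, $username)
$sid = $account.translate([system.security.principal.securityidentifier])

$trustee.domain = $domain
$trustee.name = $username
$trustee.sidstring = $sid.value
$ace.trustee = $trustee
$ace.accessmask = 131080 # print + read.

# Copy every existing ACE except those that belong to Everyone.
$sd.dacl | where-object { $_.trustee.name -ne 'everyone' } | %{
  $acex = $_
  $newsd.dacl += @($acex.psobject.baseobject)
}

# Append the ACE for the replacement group.
$newsd.dacl += $ace

# Write the new descriptor back to the printer.
$printer.setsecuritydescriptor($newsd)
```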
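
To confirm the result, the printer's DACL can be read back and decoded. The following is an added example, not part of the original post: the function names `Convert-PrinterAccessMask` and `Get-PrinterAclReport` are hypothetical, it assumes Windows PowerShell 5.1 (where `Get-WmiObject` is available), and it identifies Everyone by its well-known SID `S-1-1-0` rather than by name, because the display name is localized.

```powershell
# Added example (not from the original post). Function names are hypothetical.
function Convert-PrinterAccessMask {
    param([uint32]$Mask)
    # Printer-specific and standard access-right bits (winspool.h / winnt.h).
    $rights = @(
        @(0x00000004, 'PRINTER_ACCESS_ADMINISTER'),
        @(0x00000008, 'PRINTER_ACCESS_USE'),
        @(0x00000010, 'JOB_ACCESS_ADMINISTER'),
        @(0x00000020, 'JOB_ACCESS_READ'),
        @(0x00010000, 'DELETE'),
        @(0x00020000, 'READ_CONTROL'),
        @(0x00040000, 'WRITE_DAC'),
        @(0x00080000, 'WRITE_OWNER')
    )
    ($rights | Where-Object { $Mask -band $_[0] } | ForEach-Object { $_[1] }) -join ' | '
}

function Get-PrinterAclReport {
    param([Parameter(Mandatory)][string]$PrinterName)
    $printer = Get-WmiObject -EnableAllPrivileges Win32_Printer |
        Where-Object Name -eq $PrinterName
    if (-not $printer) { throw "Printer '$PrinterName' not found." }
    $result = $printer.GetSecurityDescriptor()
    if ($result.ReturnValue -ne 0) { throw "GetSecurityDescriptor returned $($result.ReturnValue)." }
    foreach ($ace in $result.Descriptor.DACL) {
        # Build the SID from the trustee's binary SID instead of trusting the name fields.
        $sid = [System.Security.Principal.SecurityIdentifier]::new([byte[]]$ace.Trustee.SID, 0)
        [pscustomobject]@{
            Trustee    = ('{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name).TrimStart('\')
            Sid        = $sid.Value
            Type       = switch ($ace.AceType) { 0 { 'Allow' } 1 { 'Deny' } default { 'Audit' } }
            Rights     = Convert-PrinterAccessMask $ace.AccessMask
            IsEveryone = ($sid.Value -eq 'S-1-1-0')
        }
    }
}

# 'printer name' is the same placeholder used for $device in the script above.
$report = @(Get-PrinterAclReport -PrinterName 'printer name')
$report | Format-Table -AutoSize
if ($report | Where-Object { $_.IsEveryone -and $_.Type -eq 'Allow' }) {
    Write-Warning 'Everyone (S-1-1-0) still has an allow ACE on this printer.'
}
```

An access mask of 131080 (0x20008) decodes to `PRINTER_ACCESS_USE | READ_CONTROL`, which is the "print + read" value the script assigns to the new group.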