Question
Tuesday, May 2, 2017 11:29 AM
Hi all,
I have a bit of an issue here. We have in our company many print servers around the continent, with different printers at each location.
I need to see who can access what printers, what printers have the Security set to AD groups and what printers have Everyone.
Now, I was able to extract from AD a list of all printers that also has the UNC path and the server each is attributed to, but I can't seem to also extract who can access each printer via PowerShell.
Basically, I want an idea for a script that will extract the name of each printer and everything under the Security tab of each printer.
Ex:
Printer1.contoso.com Everyone
Printer2.contoso.com ADGroupforPrinters02
Printer3.contoso.com User01
Printer4.contoso.com Everyone
................
Any thoughts?
Thank you in advance.
All replies (4)
Wednesday, May 3, 2017 3:35 PM ✅ Answered
From Windows 8 and greater you can pull the security for any printer from Server 2003 and above remotely. Locally from Win8 Server 2012.
I discuss changing the setting in bulk in this blog.
It's not a pretty format, but you can determine the Everyone group and make out some user groups from the PermissionSDDL.
Name : BW
ComputerName : printclust1
Type : Local
ShareName : BW
PortName : 1.2.3.4
DriverName : Global PostScript
Location :
Comment :
SeparatorPageFile :
PrintProcessor : winprint
Datatype : RAW
Shared : True
Published : True
PermissionSDDL : G:SYD:(A;;LCSWSDRCWDWO;;;S-1-5-21-210633846-541654686-4187094980-1106)(A;OIIO;RPWPSDRCWD
WO;;;S-1-5-21-210633846-541654686-4187094980-1106)(A;OIIO;GA;;;CO)(A;;SWRC;;;WD)(A;CIIO;
GX;;;WD)(A;;LCSWSDRCWDWO;;;BA)(A;OICIIO;GA;;;BA)
RenderingMode : CSR
Alan Morris formerly with Windows Printing Team
Wednesday, May 3, 2017 2:34 AM
Hi,
As far as I know, there are no built-in methods to get such information, and as you said, a script may be the better choice, but in order to write the specific script, it would be necessary to involve a scripting resource or contact a scripting consultant.
Best regards,
Wendy
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Thursday, May 4, 2017 6:53 AM
Thanks, this does help, but is there a way to convert the output into readable content? I mean, instead of that SDDL string, to show names.
I looked into SDDL parse tools, but they do it one at a time, and obviously for a big enterprise that is not viable; I would need a way to mass convert the output.
Thursday, May 4, 2017 9:34 AM
Hi George,
My feeling is that SDDL strings are not useful for your task because (at least in my tests) they are not showing SIDs for generic groups (like 'Everyone', 'CREATOR OWNER', etc.), though it will be a challenge to parse them properly.
Here is my suggested w2k12 PS script to achieve your goal below (sorry for the 'quick and dirty' code though :) )
It should output comma separated groups for each printer on the target server.
# Print server to query
$Computer = "print_server_name_here"
foreach ($Printer in Get-WmiObject Win32_Printer -ComputerName $Computer)
{
    # Unique trustee names from the printer's DACL, joined with ";"
    $groups = ($Printer.GetSecurityDescriptor().Descriptor.DACL.Trustee.Name | Select-Object -Unique | Sort-Object -Descending) -join ";"
    # Append one line per printer: server\printer;trustee1;trustee2;...
    $Printer.SystemName + "\" + $Printer.Name + ";" + $groups | Out-File "c:\temp\printers_acl.csv" -Append
}
Kind regards,
Sergey.
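The bulk SDDL-to-name conversion asked about in this thread, as an added example that is not code from any poster here: it takes the PermissionSDDL that `Get-Printer -Full` returns, parses it with .NET's `RawSecurityDescriptor`, and resolves each ACE's SID to an account name. The helper name `Convert-PrinterSddl`, the server name and the output path are assumptions made for illustration.

```powershell
# Added example: audit printer ACLs on one print server and resolve SDDL trustees to names.
# Assumptions: run from Windows 8 / Server 2012 or later (PrintManagement module);
# $Computer and $OutFile are placeholder values; Convert-PrinterSddl is a hypothetical helper.
$Computer = 'print_server_name_here'
$OutFile  = 'C:\temp\printers_acl.csv'

function Convert-PrinterSddl {
    param([Parameter(Mandatory)][string]$Sddl)

    # RawSecurityDescriptor parses the SDDL text; aliases such as WD, BA and CO become SIDs.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try {
            # Translation runs on the machine executing the script, so domain and
            # well-known SIDs resolve; accounts local to the print server may not.
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        }
        catch {
            $name = $sid.Value   # deleted or unresolvable account: keep the raw SID
        }
        [pscustomobject]@{
            Trustee     = $name
            AceType     = $ace.AceType
            AccessMask  = '0x{0:X8}' -f $ace.AccessMask
            # Inherit-only ACEs apply to child objects (documents), not the printer itself.
            InheritOnly = [bool]($ace.AceFlags -band [System.Security.AccessControl.AceFlags]::InheritOnly)
        }
    }
}

# One CSV row per printer and ACE; -Full is required for PermissionSDDL to be populated.
Get-Printer -ComputerName $Computer -Full |
    Where-Object PermissionSDDL |
    ForEach-Object {
        $printer = $_
        Convert-PrinterSddl -Sddl $printer.PermissionSDDL |
            Select-Object @{n = 'Server';  e = { $printer.ComputerName }},
                          @{n = 'Printer'; e = { $printer.Name }},
                          Trustee, AceType, AccessMask, InheritOnly
    } |
    Export-Csv -Path $OutFile -NoTypeInformation
```

Filtering the resulting CSV on the Trustee column then separates printers that grant access to Everyone from those restricted to specific AD groups or users.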