Solved

lpadmin Group for Printer Pane Access

  • November 2, 2016
  • 15 replies
  • 197 views


Hello, we are looking to allow our users access to the print options on the Mac without full admin credentials. I was going to throw this:
/usr/sbin/dseditgroup -o edit -n /Local/Default -a 'Domain Users' -t group lpadmin
into the JSS scripts, but I saw a post that lpadmin also gives users root. I want to make sure that adding users to lpadmin will only allow print administrative changes and nothing else.
Throwing that into the scripts and pushing it out should accomplish our task though, correct?

Best answer by maxbehr

I use the everyone group instead…

dseditgroup -o edit -n /Local/Default -a everyone -t group lpadmin

15 replies

  • Valued Contributor
  • November 2, 2016

You can verify the groups which are able to use sudo by running sudo cat /etc/sudoers and looking through there. For example, a portion of my sudoers file contains:

root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL

That will allow the root account to use sudo (which makes sense), as well as anyone in the "admin" group. Since "lpadmin" is not listed, it gains no special privileges.
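The sudoers check described in the reply above, as an added example that is not part of the original thread: it lists the groups that have a rule in sudoers text and reports include directives, since rules can also live in included files. The sample sudoers content and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample sudoers content (not taken from a real host).
SAMPLE_SUDOERS='# sudoers sample
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
# %lpadmin ALL=(ALL) ALL
Defaults env_reset
#includedir /private/etc/sudoers.d'

# Print every group (without the leading %) that has a rule, one per line.
# Reads sudoers text on stdin; commented-out rules are ignored.
sudo_groups() {
  awk '
    /^[ \t]*#/ { next }                      # comments and #include lines
    $1 ~ /^%/ && NF >= 2 { sub(/^%:?/, "", $1); print $1 }
  ' | sort -u
}

# Print the targets of include directives; those files need the same review.
sudo_includes() {
  awk '$1 ~ /^[#@]include(dir)?$/ && NF >= 2 { print $2 }'
}

# Exit 0 if the named group ($1) has a rule in the sudoers text on stdin.
group_has_sudo() {
  sudo_groups | grep -qxF -- "$1"
}

# On a Mac the input would come from: sudo cat /etc/sudoers
if printf '%s\n' "$SAMPLE_SUDOERS" | group_has_sudo lpadmin; then
  echo "lpadmin: sudo rule present"
else
  echo "lpadmin: no sudo rule in this file"
fi
printf '%s\n' "$SAMPLE_SUDOERS" | sudo_includes | sed 's/^/also review: /'
```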


  • Author
  • Contributor
  • November 2, 2016

Perfect, I checked and my system did not have lpadmin in that file.

By dropping /usr/sbin/dseditgroup -o edit -n /Local/Default -a 'Domain Users' -t group lpadmin into the script section in the JSS and pushing it out, I would accomplish the task at hand then correct?


  • Honored Contributor
  • November 2, 2016

@TylerC

Yes sir. Use that command as part of my first boot script.


  • Author
  • Contributor
  • November 3, 2016

Hi all, still no luck. I tried with a test account who is in Domain Users and it did not give that account lpadmin permission.



  • Honored Contributor
  • November 3, 2016

@TylerC

This is what I use. Check your syntax:
/usr/sbin/dseditgroup -o edit -n /Local/Default -a "mydoman hegroupineedtouse" -t group lpadmin
Depending on the version of JSS you may need to use graveticks(') instead of quotes(")

Larry


  • Author
  • Contributor
  • November 3, 2016

I tried the command: /usr/sbin/dseditgroup -o edit -n /Local/Default -a "exchangeDomain Users" -t group lpadmin

Still no results. No addition to group membership. I am running 9.96.


  • New Contributor
  • Answer
  • November 4, 2016

I use the everyone group instead…

dseditgroup -o edit -n /Local/Default -a everyone -t group lpadmin

  • Author
  • Contributor
  • November 4, 2016

That would not mess anything up with the local admin account, correct?


  • New Contributor
  • November 4, 2016

No, the local admin account is not changed in any way. It basically adds any valid user on the system to the lpadmin group.


  • Author
  • Contributor
  • November 7, 2016

I attempted this via script and it does not appear to work as well. The script completed but it did not give the account permission to access the printer pane. It still is requiring an admin account (and rejects this account).
I have verified that the user account is not in the lpadmin group.


  • New Contributor
  • November 7, 2016

@TylerC when you go to add a printer, are you attempting to click the lock icon? If so, the aforementioned script does not allow the user to unlock that lock. It does however make the (+) icon available to the user to add a printer. I've always thought it a bug that the lock remains locked, but the user can click the icon to add a printer. (It also would allow them to add a printer via lpadmin on the command line.)


  • Author
  • Contributor
  • November 7, 2016

The account is not in the lpadmin group when I issue the dscl . -read /Groups/lpadmin GroupMembership

I did log into the account and it does appear that you are correct. I am able to pause and resume the print queues along with add printers.
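An added example, not part of the original thread, for the check discussed above: `dseditgroup ... -a <group> -t group` records the added group in the `NestedGroups` attribute, while `GroupMembership` lists only directly added user short names, so reading `GroupMembership` alone does not show members that arrive through a nested group. The sample `dscl` output, the account names `localadmin` and `testuser`, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of the output of
#   dscl . -read /Groups/lpadmin GroupMembership NestedGroups
# after a group (not a user) was added with -t group. Values are illustrative.
SAMPLE_DSCL='GroupMembership: root localadmin
NestedGroups: ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000050 ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000000C'

# Print the values of one attribute ($1), one per line, from dscl text on stdin.
attr_values() {
  awk -v key="$1:" '
    $1 == key      { on = 1; for (i = 2; i <= NF; i++) print $i; next }
    /^[ \t]/ && on { for (i = 1; i <= NF; i++) print $i; next }  # wrapped value
                   { on = 0 }
  '
}

# Classify how a user short name ($1) relates to the group record on stdin:
#   direct        listed in GroupMembership
#   check-nested  not listed, but nested groups exist that may include the user
#   none          not listed and no nested groups
membership_kind() {
  rec=$(cat)
  if printf '%s\n' "$rec" | attr_values GroupMembership | grep -qxF -- "$1"; then
    echo direct
  elif [ -n "$(printf '%s\n' "$rec" | attr_values NestedGroups)" ]; then
    echo check-nested
  else
    echo none
  fi
}

# On a Mac, nested membership is resolved by:
#   dseditgroup -o checkmember -m testuser lpadmin
printf 'testuser: %s\n' "$(printf '%s\n' "$SAMPLE_DSCL" | membership_kind testuser)"
```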


  • Contributor
  • October 12, 2017

What would be the reverse command to reset the lpadmin group back to the OSX default members?
i.e. take away the printing rights for standard users?

We ran this command.
dseditgroup -o edit -n /Local/Default -a everyone -t group lpadmin

The reverse of the above command: swap everyone for admin
dseditgroup -o edit -n /Local/Default -a admin -t group lpadmin


  • New Contributor
  • February 5, 2020

From a security perspective, are there any issues with adding "everyone" to the lpadmin group? I wanted to deploy this in our environment but our Security team is pushing back because it's adding "everyone". They'd like to see this narrowed down to authenticated users but everything I'm reading on here seems to point to nothing else working except "everyone".


  • New Contributor
  • September 11, 2020

This worked for me as far as adding the domain user and "Domain User" group to lpadmin group:
dscl . -append /Groups/admin GroupMembership 'DomainDomain user or group'
The issue is the plus sign is still greyed out and the user is not able to add a printer. But when I run "dscl . -read /Groups/lpadmin GroupMembership", the user and domain group are listed.