OS X 10.8 - Non-Admins Add and Remove Printers

We use the following to add all of our domain users to the lpadmin group.

/usr/sbin/dseditgroup -o edit -n /Local/Default -a 'Domain Users' -t group lpadmin

Nick and Freddie, great suggestions... thank you!

I've got a login script to add the current user into the lpadmin group that should work for most users. However, we have about forty workstations that are used by contract staff during the Summer and they occasionally move from one workstation to another. Since our Macs are bound to the domain and users login with their AD credentials, I'll test adding one of our domain groups to the lpadmin group.

Thanks again!

I do this, http://macmule.com/2011/07/27/how-to-allow-all-users-to-add-or-remove-printers/ works for all users incl. domain users.

I wrote this script to create non-admin "Power Users". It is based data from the macmule article.
It can be used to allow non-admin users to setup printers.
https://jamfnation.jamfsoftware.com/discussion.html?id=5666

Awesome Eric. Always good to see my little site being helpful.

Sorry I missed your original post to comment on that too.

Lots of great suggestions, what if we want all Local Domain user accounts (including cached domain [mobile] accounts) to be able to add/delete printers, looks like the best option for us:

sudo dseditgroup -o edit -n /Local/Default -a everyone -t group lpadmin

Copy/pasted from @bentoms' excellent site:

http://macmule.com/2011/07/27/how-to-allow-all-users-to-add-or-remove-printers/

Don

...wow, @freddie.cox's solution is the one we're going with now, replacing "everyone" with the domain group name.

Thanks!
Don

I have followed Freddie's and Ben's ideas but when our users try to install a local printer that needs additional drivers (according to apple's Print & Scan utility) they need an admin username and password to download and install drivers anyway to get around this?

That's a different issue...use Self Service to enable users to install drivers.

That's what I was figuring, but thought to get advice from the masses.

If the driver updates are from Apple, there is a way to enable non-admins to install updates from ASUS.

I think it's an edit to /etc/authorization

If the driver updates are from Apple, there is a way to enable non-admins to install updates from ASUS.

I think it's an edit to /etc/authorization

Might also consider a Self Service item to be available for folks, where the package can be set to "Install only if Software Update reports the pacakge is available". :)

/usr/sbin/dseditgroup -o edit -n /Local/Default -a 'Domain Users' -t group lpadmin

Will this allow domain users to resume their own CUPS queues when they randomly go into 'pause', without the need for the local admin password?

@misterfriendly There is a script you could run to change the error policy on your installed printers to abort or retry job instead of stop-job. Mine looks like this:

#!/bin/bash

# sets cups to retry-job instead of default stop-job # for all currently installed printers

while read printer; do lpadmin -p $printer -o printer-error-policy=retry-job
done < <(lpstat -p |awk '{print $2}')

@misterfriendly If the machines are on OS X 10.8 or 10.9, just run this command once and you are done.

/usr/bin/security authorizationdb write system.print.operator allow

I see so many references to people using lpadmin with the JSS to add/remove printers. We attempted to deploy Papercut last spring at our school and have been halted for over half a year while trying to devise a plan to add/remove queues with the JSS that uses Kerberos authentication. The easiest way seems to be using lpadmin to add the queues with the Operation Policy Authenticated (-o printer-op-policy=Authenticated) and tell the CUPS server to authenticate to our Windows print queues with Kerberos using "cupsctl DefaultAuthType=Negotiate". I can make it work when entering the commands through Terminal as root on each machine individually, but for the life of me, I can't get the commands to run without needing to pass the root password with the JSS. It's not consistent, but I almost always get "Unauthorized" when running cupsctl or lpadmin through the JSS. Can anyone please explain how you're running lpadmin commands through the JSS?