Solved

Print admin group membership for all

  • July 2, 2012
  • 21 replies
  • 80 views


Might overlap https://jamfnation.jamfsoftware.com/discussion.html?id=4701

In the past when we made monolithic images (before the enlightened days of Casper) I would install the OSX Server tools and then use it to add all domain users - an AD group - to the local printer admin group on a bound machine. Then I'd unbind, remove the Server Tools, do all the other prep and make an image of it all. When the image was applied and the target Mac rebound to AD the Print Admin group was happily respected and I'd never get calls about paused print queues. Yay! I win!
Ok, so now I want to push a configuration out via Casper. How do I emulate this process? I want to make an AD group a member of a local group during imaging or pushed out with Casper Remote or Self Service or maybe even good ol' ARD.
Can I? Thanks for reading.
- Scott

Best answer by CasperSally

we run this as part of our post imaging script with no issue

#allow staff to add printers without being admin
/usr/sbin/dseditgroup -o edit -n /Local/Default -a everyone -t group lpadmin

21 replies

mm2270
  • Legendary Contributor
  • 7886 replies
  • July 2, 2012

So, if I'm following correctly, it sounds like you'll want to build a script to run on each Mac that uses 'dseditgroup' to add your AD group as a nested group into "lpadmin" which is the group that has control over local printers on the Mac.

I haven't ever used dseditgroup to add an AD group as a nested group before, but the general syntax of-

sudo /usr/sbin/dseditgroup -o edit -a GroupName -t group lpadmin

may do it. Again, I'm not exactly sure how that's done when targeting an AD group though, or if dseditgroup only works on local groups. I'm not really clear on that, so perhaps someone has done this and has some advice. Or maybe it needs to be done with dscl in this case.


  • Honored Contributor
  • 1143 replies
  • Answer
  • July 3, 2012

we run this as part of our post imaging script with no issue

#allow staff to add printers without being admin
/usr/sbin/dseditgroup -o edit -n /Local/Default -a everyone -t group lpadmin

  • Author
  • Valued Contributor
  • 54 replies
  • July 3, 2012

So, mm2270, you're suggesting adding the group using the CLUI tool equivalent of the Workgroup Manager I was using. Much tidier. If it works then that's the ticket.

And CasperSally, you're simplifying it by using the same command but just adding everyone. I think then it would have to be set at every logon via a policy in case a new user is logging on.

If either of those works for me then that'll do nicely. I'll go try now. Thank you both.
- Scott


  • Honored Contributor
  • 1143 replies
  • July 3, 2012

We only run it once as part of our post image script, every user who logs in after imaging can add printers.


mm2270
  • Legendary Contributor
  • 7886 replies
  • July 3, 2012

Yeah, if you're OK with just using the local groups on the Mac that all users are part of, regardless if their account comes from LDAP or is just a local account, then that will do it.
In your post, it sounded like you were trying to add users that were part of specific LDAP groups into lpadmin. That's the part I wasn't sure about. I know dseditgroup can edit an LDAP group, but I've never used it to take an LDAP group and nest it within a local one.

I would use the command CasperSally suggested to start with. Only thing I'll say is, I don't think it's strictly necessary to target the local node with the "-n /Local/Default" part. Dseditgroup will assume the local node unless you specify otherwise.

See Greg's short writeup on dseditgroup here:
http://managingosx.wordpress.com/2010/01/14/add-a-user-to-the-admin-group-via-command-line-3-0/


  • Author
  • Valued Contributor
  • 54 replies
  • July 3, 2012

Oh, Sally, the "everyone" you mentioned IS a group. So I only have to do this once! Very good. That's the ticket.


  • Author
  • Valued Contributor
  • 54 replies
  • July 3, 2012

mm2270: The AD group here called "All Domain Users" just sort of fit the bill, but the local "everyone" will be fine as we now and then have a local account for freelancers etc. and this will allow them access too. Thanks again for your help and for the pointer to Greg's article.
- Scott


  • Valued Contributor
  • 512 replies
  • July 3, 2012

For what it's worth, the security-conscious may want to consider the fact that granting the ability to manage printers to a user means you are handing them root.

I wrote about this a few years ago under 10.5, and as of 10.7.4, it's still true.
http://themacadmin.com/?p=63

I hope having this info can help prevent folks from running afoul of their internal security teams.


  • Author
  • Valued Contributor
  • 54 replies
  • July 4, 2012

Miles:
I'm really just trying to cut down on the support calls from users who can't un-pause their print queues without authorization. Is there a way to just provide that?
Thanks,
- Scott


  • Valued Contributor
  • 1892 replies
  • July 5, 2012

Miles' article covers that.


  • Author
  • Valued Contributor
  • 54 replies
  • July 5, 2012

You're correct:

There are other default policies in the default cupsd.conf file that govern pausing & resuming queues, holding & deleting print jobs, etc. These policies can be modified in the same way.

Thanks.
- Scott
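Scott's actual goal (standard users un-pausing a queue without being handed lpadmin, which Miles points out is effectively root) can be met in the CUPS operation policy instead. This is an added fragment, not from the thread or from Miles's article; it assumes the stock macOS /etc/cups/cupsd.conf layout, where Pause-Printer and Resume-Printer sit in the @SYSTEM-restricted Limit of the "default" policy.

```apacheconf
# /etc/cups/cupsd.conf, excerpt of the "default" policy (added example)
<Policy default>
  # ... job-level Limits (Print-Job, Cancel-Job, ...) unchanged ...

  # Added: any user may pause or resume a queue, no authentication asked.
  # To require any local account's password instead, use
  #   AuthType Default
  #   Require valid-user
  # Pause-Printer and Resume-Printer must also be removed from the
  # @SYSTEM Limit below; an operation should appear in only one Limit.
  <Limit Pause-Printer Resume-Printer>
    Order deny,allow
  </Limit>

  # Stock rule minus the two operations moved above. Adding and deleting
  # printers (CUPS-Add-Modify-Printer etc.) keeps its own @SYSTEM Limit.
  <Limit Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>

  <Limit All>
    Order deny,allow
  </Limit>
</Policy>
```

The change takes effect when cupsd restarts; nobody is added to lpadmin, so driver installation and printer management stay admin-only.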


  • Contributor
  • 33 replies
  • May 31, 2013

(I had posted that this command was not working for me. However, I forgot that the lock icon remains in the Print dialog even though the user is able to click the "+" to add a printer.)

Dear Apple: Can you please fix the Print & Scan dialog box so that the lock icon is either not there or shows unlocked when the user has rights to add a printer? Thanks.


  • Valued Contributor
  • 350 replies
  • June 2, 2013

I use that same command and what it does is allow a non-admin user to add/remove a printer just by clicking the plus/minus sign. They can also resume a paused print queue.

That user still will not be able to install print drivers or unlock the preference pane. The reason for that, I believe, is that those things require the user to be in the admin group vs lpadmin.


mvu
  • Jamf Heroes
  • 963 replies
  • April 28, 2014

If you want to reverse it, or undo it, what would you put in place for "everyone" so that admins can't print again?

/usr/sbin/dseditgroup -o edit -n /Local/Default -a everyone -t group lpadmin

Thanks in advance...


donmontalvo
  • Hall of Fame
  • 4293 replies
  • June 3, 2016

@mm2270 wrote:

So, if I'm following correctly, it sounds like you'll want to build a script to run on each Mac that uses 'dseditgroup' to add your AD group as a nested group into "lpadmin" which is the group that has control over local printers on the Mac. I haven't ever used dseditgroup to add an AD group as a nested group before, but the general syntax of-
sudo /usr/sbin/dseditgroup -o edit -a GroupName -t group lpadmin
may do it. Again, I'm not exactly sure how that's done when targeting an AD group though, or if dseditgroup only works on local groups. I'm not really clear on that, so perhaps someone has done this and has some advice. Or maybe it needs to be done with dscl in this case.

This seems to work for adding Domain Users to the _lpadmin group:

/usr/sbin/dseditgroup -o edit -n /Local/Default -a 'Domain Users' -t group _lpadmin

Confirm:

dscl . -read /Groups/_lpadmin NestedGroups
NestedGroups: ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000050 ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000000C DA3FF227-1B7E-4766-A10E-B9C04DD5518B 6894E51E-64E3-453C-8CB4-8ACF57F6DC1F

sepiemoini
  • Employee
  • 180 replies
  • September 15, 2016

I agree with both @mm2270 and @CasperSally! Here's what I've been using in one of my production JSS instances.

#!/bin/bash

# Allow staff to add printers and manage print queues without administrative rights
/usr/sbin/dseditgroup -o edit -a everyone -t group lpadmin

# Determine the local, logged-in user (owner of /dev/console)
loggedInUser=$(stat -f%Su /dev/console)

# Check whether the logged-in user is a member of "lpadmin" on the local node
# (checkmember prints e.g. "yes <user> is a member of lpadmin")
var1=$(dseditgroup -o checkmember -m "$loggedInUser" -n . lpadmin)

# Report the logged-in user together with the checkmember result for lpadmin on the local node
echo "$loggedInUser is currently logged in and $var1."

exit 0

apizz
  • Honored Contributor
  • 395 replies
  • October 25, 2016

@donmontalvo I see your NestedGroups confirm, but how do you turn those Group IDs into the actual name of the group?

At the moment I'm verifying that the necessary groups have been added to the lpadmin group by using dseditgroup and using known member of each group we add to lpadmin.
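An added script (not from the thread) for apizz's question of turning the NestedGroups GUIDs into group names, and for mvu's earlier question of undoing the change. It assumes Apple's well-known local-group GUID prefix, whose last eight hex digits are the GID (so the GUID ending in 00000050 is admin and the one ending in 0000000C is everyone), and it only resolves names on macOS where dscl, dscacheutil and dseditgroup exist; the parsing and GID decoding are plain POSIX sh.

```shell
#!/bin/sh
# Added example: resolve the GUIDs that
#   dscl . -read /Groups/_lpadmin NestedGroups
# prints to group names, and remove a nested group again.
# Assumption: Apple's well-known local GUID prefix, whose last 8 hex
# digits encode the GID (...00000050 = admin/80, ...0000000C = everyone/12).

PREFIX="ABCDEFAB-CDEF-ABCD-EFAB-CDEF"

# Print the GUIDs from a "NestedGroups: g1 g2 ..." line, one per line.
parse_nested_groups() {
    printf '%s\n' "$1" | sed -n 's/^NestedGroups: *//p' | tr ' ' '\n' | grep -v '^$'
}

# Well-known local GUID -> decimal GID; any other GUID -> no output, status 1.
guid_to_gid() {
    case "$1" in
        "$PREFIX"*) hex=${1#"$PREFIX"}; printf '%d\n' "0x$hex" ;;
        *) return 1 ;;
    esac
}

# One GUID -> group name (macOS only). Local groups are looked up by GID,
# directory groups (e.g. AD) by searching every node for the GeneratedUID.
resolve_guid() {
    gid=$(guid_to_gid "$1") && {
        dscacheutil -q group -a gid "$gid" | awk '/^name:/ {print $2}'
        return
    }
    dscl /Search -search /Groups GeneratedUID "$1" 2>/dev/null | awk -F'\t' 'NR==1 {print $1}'
}

# List every group nested in lpadmin with its resolved name.
audit_lpadmin() {
    line=$(dscl . -read /Groups/_lpadmin NestedGroups 2>/dev/null)
    parse_nested_groups "$line" | while read -r guid; do
        name=$(resolve_guid "$guid")
        printf '%s\t%s\n' "$guid" "${name:-<unresolved>}"
    done
}

# Undo the thread's change: "-d" removes the member that "-a" added.
remove_nested_group() {
    /usr/sbin/dseditgroup -o edit -n /Local/Default -d "$1" -t group lpadmin
}

case "${1:-}" in
    --audit)  audit_lpadmin ;;
    --remove) remove_nested_group "$2" ;;
esac
```

Run `--audit` as root to see which groups (and therefore which users) currently hold lpadmin, and `--remove everyone` to revert CasperSally's command.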


  • New Contributor
  • 8 replies
  • April 1, 2017

@CasperSally Thank you, seems like an easy fix going forward; this will also allow the users to un-pause?
Can I also run it for existing users using ARD?
@ScottyBeach


  • Contributor
  • 20 replies
  • December 3, 2021

Is @CasperSally's command still good in Big Sur / Monterey? We're wanting to remove admin rights but will need to keep the ability to add printers.


  • Contributor
  • 14 replies
  • November 10, 2022

This does appear to still work under Monterey. A good thing too; ever since updating most of our fleet we've been getting these annoying "printtool" popups asking for a "print administrator" password. Running this command stops the popups. About the only undesirable side effect is standard users can add/remove printers but I think that's a minor issue in our environment (and might actually be a bonus for some admins).