LP Admin Group

Not applicable

If you don't use OD in your environment.. is there a way to put people in the lpadmin group via the client level?
Has anyone tried managed preferences, parental controls for printers? Everything the list has sent me on this doesn't work when I test it.. I even tried the MCX setting in the JSS for Allow non admin printers, and it doesn't work.



Kathie Iorizzo
Lower School Technician
The Latin School of Chicago
kiorizzo at latinschool.org
312.582.6136


milesleacy
Valued Contributor

Kathie,

I posted an article to my blog recently on printing security configuration. I think it may be of some use to you. You may be able to package up a single file or use a defaults or PlistBuddy script to achieve your goals.

Have a look at:
http://themacadmin.com/2009/08/12/printing-for-non-admins-in-leopard/

And now for the disclaimer: Anything you find on my blog is written from my personal experiences as a Mac sysadmin and is not endorsed, supported, provided by or connected to JAMF Software in any way. Follow good testing and QA procedures if you choose to use anything you find there.

I hope this is helpful.

Thanks,

--
Miles Leacy
Technical Training Manager
Mobile (347) 277-7321

miles at jamfsoftware.com
....................................................................
JAMF Software
1011 Washington Ave. S
Suite 350
Minneapolis, MN 55415
....................................................................
Office: (612) 605-6625
Facsimile: (612) 332-9054
....................................................................
US Support: (612) 216-1296
UK Support +44.(0)20.3002.3907
AU Support +61.(0)2.8014.7469
....................................................................
http://www.jamfsoftware.com

Not applicable

Kathie, this may be simple, but do you have "Apply Computer Level Enforced Managed Preferences" checked in your JSS > Management tab > Management Framework Settings?

I haven't played with MCX because I found a bug that if that check box is enabled, it seems that if the JSS is not responding for some reason then clients will fail to log in because the jamf binary will be endlessly looking for the server. This poses a problem for us since we do have mobile users who may not always be able to see the jss.

One thing you could do (which works for us and gets around this problem) is create a login policy set to ongoing and enabled offline (so it will just cache it) with a script that just adds the currently logging in user to the lpadmin group.

Hope it helps.

Ryan Harter
UW - Stevens Point
Workstation Developer
715.346.2716

Not applicable

Ryan,

I do have that checked. We had some issues in 7.0 but since the upgrade to 7.01 the issues are resolved and we are using MCX settings. Would you share how you did that policy, that would work for us.



Kathie Iorizzo
Lower School Technician
The Latin School of Chicago
kiorizzo at latinschool.org
312.582.6136

Not applicable

For the script, it is just a one liner, unless you want to add error checking which is always good. I like to make sure users are network users by ensuring their uid is > 100000.

#!/bin/bash
# $3 is the short name of the user logging in (the jamf binary passes it as the third argument)
dscl . -append /Groups/_lpadmin GroupMembership "<path to users>/$3"

For the path to users, in our active directory environment it is "/Active Directory/All Domains/Users/". It may be different for you, you'll just have to hop into dscl (by just entering the dscl command with no arguments) and ls and cd your way around to find out what it is.

Then I just created a policy set to be available offline, at login, that runs that script.

Note that this script is untested. We do similar things, but not this exact operation, so make sure you test this in your test environment before deploying it.

Ryan Harter
UW - Stevens Point
Workstation Developer
715.346.2716

Not applicable

Ryan,

We just tested this changing the script for our environment.. and it appears to go through, but when I try add or pause/resume.. it prompts me for the user name and password for an admin user.



Kathie Iorizzo
Lower School Technician
The Latin School of Chicago
kiorizzo at latinschool.org
312.582.6136

abenedict
New Contributor II

Miles, good article. Does this apply differently to network users that are using mobile accounts? Is there any way to have CUPS authenticate from an OD group, or is that even necessary? The problem I've seen with the security is users cannot even pause or un-pause a printer, nor can they delete jobs from the queue. Otherwise I could care less if my users can add printers or not. Any thoughts?
--
Alan Benedict
Macintosh Technician
The Integer Group
O: 515-247-2738
C: 515-770-8234
http://www.integer.com

milesleacy
Valued Contributor

Alan,

Thanks, I'm glad it can be of some help.

I'm sure this is just one of many ways to get it done, but here's what I'd do based on your description.

- create a local group called "mycups" (or whatever makes sense to you).
- create a CUPS policy (or modify one of the default ones) to grant the mycups group the rights you need them to have.
- use dscl as Ryan described earlier to add users to the group above ( dscl . -append /Groups/mycups GroupMembership <path to users>/$3).

Mobile and network accounts can belong to local groups, so you should be able to manage those users using the same method, just be sure to properly reference the path to the user(s) in your dscl command.

The default /private/etc/cups/cupsd.conf file contains policies that govern the processes you mention.

Pause-Printer and Resume-Printer are part of the third to last policy in the default cupsd.conf file (begins with "# All printer operations require a printer operator to authenticate...").

Cancel-Job is part of the second to last policy in the default cupsd.conf file (begins with "# Only the owner or an administrator can cancel or authenticate a job...").

I hope this is helpful.

Thanks,

--
Miles Leacy
Technical Training Manager
Mobile (347) 277-7321

miles at jamfsoftware.com
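Putting Ryan's login-policy script and Miles's cupsd.conf suggestion together, here is an added example that is not code from any post in this thread. It assumes the jamf binary passes the logging-in user's short name as $3, swaps in dseditgroup for "dscl . -append" (dseditgroup resolves mobile and network accounts itself, so no directory path is needed), uses Ryan's uid > 100000 test for network users, and takes the group name "mycups" and the @SYSTEM/@OWNER names from the default cupsd.conf policies Miles points at.

```shell
#!/bin/bash
# Added example, not code from any post in this thread.
# Login policy script for the jamf binary, which passes the short username as $3.
# Uses dseditgroup instead of "dscl . -append" because it handles mobile and
# network accounts, and only touches accounts with a directory-service uid.

# uid >= 100000 is the range AD/OD accounts get; local accounts sit below it.
is_network_uid() { [ "$1" -ge 100000 ] 2>/dev/null; }

# Check a space-separated group list (the output of "id -Gn user") for a group.
in_group_list() {
    local g
    for g in $1; do [ "$g" = "$2" ] && return 0; done
    return 1
}

# Emit the two default cupsd.conf <Limit> blocks covering pause/resume and
# cancel, with "@group" appended so its members get those rights without
# being in _lpadmin (which would also let them add and delete printers).
cups_policy_fragment() {
    cat <<EOF
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    Require user @SYSTEM @$1
    Order deny,allow
  </Limit>
  <Limit Cancel-Job CUPS-Authenticate-Job>
    AuthType Default
    Require user @OWNER @SYSTEM @$1
    Order deny,allow
  </Limit>
EOF
}

# Add a network user to a local group (default _lpadmin) if not already in it.
add_user_to_group() {
    local user="$1" group="${2:-_lpadmin}" uid
    uid=$(id -u "$user" 2>/dev/null) || { echo "no such user: $user" >&2; return 1; }
    is_network_uid "$uid" || { echo "$user (uid $uid) is local, skipping"; return 0; }
    if in_group_list "$(id -Gn "$user")" "$group"; then
        echo "$user is already in $group"; return 0
    fi
    dseditgroup -o edit -a "$user" -t user "$group"
}

# Use "mycups" here instead of _lpadmin once the fragment above is in cupsd.conf.
if [ -n "$3" ]; then
    add_user_to_group "$3" _lpadmin
fi
```

Run "cups_policy_fragment mycups" once to get the two blocks to paste over their counterparts in the default policy, then restart cupsd; the script itself is what the login policy runs.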

Bukira
Contributor

The lpadmin group works fine for my users to stop, delete and resume queues.

abenedict
New Contributor II

Right, mine works as well when my users are in the lpadmin group. My problem is if I don't want my users to be able to add or delete printers then they also lose the pause, delete and resume functionality as well.
--
Alan Benedict
Macintosh Technician
The Integer Group
O: 515-247-2738
C: 515-770-8234
http://www.integer.com

Not applicable

I'm really not sure why, but I have still been having a heck of a time getting this lpadmin group to actually work. I've tried the couple of scripts (distributed via policy) that have been shared with the listserv. Also I've tried the MCX management. Still not sure what is going wrong! I'm on 10.5.8 and I thought that was resolved with that update? Anyhow, in my environment I have network users who are given admin rights to their local machines via the management console in AD. When they login to their Mac, and go to Accounts, you see "username: Admin, Network" So, maybe that was why I was having some issues with the lpadmin group?

Anyhow, either way, here's how I fixed it:

Booted up into Single User Mode.

mount -uw /
/bin/launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist &
dseditgroup -o edit -p -a admin -t group _lpadmin

reboot

works great. not sure why the other solutions weren't working for me. If anyone has any ideas, let me know. Either way, maybe this will help someone.
-
lauren

Nicometo
New Contributor

We just experienced this issue first hand. Our scenario is a bit different...

When imaging machines, we use Casper Imaging 7.1 to create user accounts. These users are simple local admins. We do not use any form of AD to administer the accounts.

We have been able to verify using dscl, that users created using Casper Imaging 7.1 are NOT included in the lpadmin group, however they are included in the admin group.

Local admin accounts created using the System Preferences/Accounts are added to all appropriate groups.

Currently, we have about 50 machines in the field with users that cannot add printers. Company policy is to allow our users to do this. In order to solve the current issue, would it be best to send out the following command/script:

dscl . -append /Groups/_lpadmin GroupMembership <path to users>/$3

More of a question however, is why is this happening to begin with?

-- Tim S. Nicometo
Media Engineer
Media Support Services
Phone: 507 284-0741
E-mail: timn at mayo.edu



Mayo Clinic
200 First Street SW
Rochester, MN 55905
www.mayoclinic.org

Kedgar
Contributor

I have seen this happen as well. I just installed Casper Suite a couple of weeks ago. I create my base image in InstaDMG with no user accounts. Casper Imaging handles the creation of the local admin account, but it does not add to the _lpadmin group. However I'm using the script from the Resource Kit that adds the staff group into _lpadmin. This seems to work pretty well.