We are looking to allow our users access to the print options on the Mac without full admin credentials. I was going to throw this:
/usr/sbin/dseditgroup -o edit -n /Local/Default -a 'Domain Users' -t group lpadmin
into the JSS scripts but I saw a post that lpadmin also gives users root. I want to make sure that adding users to lpadmin will only allow print administrative changes and nothing else.
Throwing that into the scripts and pushing it out should accomplish our task though, correct?
You can verify the groups which are able to use sudo by running
sudo cat /etc/sudoers and looking through there. For example, a portion of my sudoers file contains:
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
That will allow the root account to use sudo (which makes sense), as well as anyone in the "admin" group. Since "lpadmin" is not listed, it gains no special privileges.
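The sudoers check described in the answer above, scripted as an added example (not part of the original thread). The function names and the sample files are constructed for illustration, and the drop-in file is an assumed case included to show that a group can be granted a rule outside the main file.

```shell
#!/bin/sh
# Added example: which groups do sudoers-format files grant rules to?
# Function names and the sample files below are constructed for illustration.

# sudo_groups FILE...: print every %group that starts a rule, one per line.
sudo_groups() {
    awk '
        /^[ \t]*#/ { next }            # comments and #include directives
        { gsub(/\\ /, "\034") }        # protect backslash-escaped spaces in names
        $1 ~ /^%/ {
            g = substr($1, 2)
            gsub("\034", " ", g)
            print g
        }
    ' "$@" | sort -u
}

# group_has_sudo GROUP FILE...: succeed if GROUP starts a rule in any file.
group_has_sudo() {
    grp=$1
    shift
    sudo_groups "$@" | grep -Fxq -- "$grp"
}

# Constructed sample: a main file like the excerpt in the answer, plus a
# drop-in that grants lpadmin a rule, to show why included files matter.
SAMPLE_DIR=$(mktemp -d)
mkdir "$SAMPLE_DIR/sudoers.d"
cat > "$SAMPLE_DIR/sudoers" <<'EOF'
# constructed sample
root            ALL=(ALL) ALL
%admin          ALL=(ALL) ALL
%Domain\ Admins ALL=(ALL) ALL
EOF
cat > "$SAMPLE_DIR/sudoers.d/printing" <<'EOF'
%lpadmin ALL=(ALL) NOPASSWD: /usr/sbin/lpadmin
EOF

for f in "$SAMPLE_DIR/sudoers" "$SAMPLE_DIR/sudoers.d/printing"; do
    if group_has_sudo lpadmin "$f"; then
        echo "lpadmin has a sudo rule in $f"
    else
        echo "no lpadmin rule in $f"
    fi
done
```

On a managed Mac the inputs would be /etc/sudoers plus whatever files its include directives name, read with sudo.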
Perfect, I checked and my system did not have lpadmin in that file.
By dropping /usr/sbin/dseditgroup -o edit -n /Local/Default -a 'Domain Users' -t group lpadmin into the script section in the JSS and pushing it out, I would accomplish the task at hand then, correct?
I attempted this via script and it does not appear to work as well. The script completed but it did not give the account permission to access the printer pane. It still is requiring an admin account (and rejects this account).
I have verified that the user account is not in the lpadmin group.
The account is not in the lpadmin group when I issue the dscl . -read /Groups/lpadmin GroupMembership
I did log into the account and it does appear that you are correct. I am able to pause and resume the print queues along with add printers.
What would be the reverse command to reset the lpadmin group back to the OSX default members?
i.e. take away the printing rights for standard users?
We ran this command.
dseditgroup -o edit -n /Local/Default -a everyone -t group lpadmin
The reverse of the above command: swap everyone for admin
dseditgroup -o edit -n /Local/Default -a admin -t group lpadmin
From a security perspective, are there any issues with adding "everyone" to the lpadmin group? I wanted to deploy this in our environment but our Security team is pushing back because it's adding "everyone". They'd like to see this narrowed down to authenticated users but everything I'm reading on here seems to point to nothing else working except "everyone".
This worked for me as far as adding the domain user and "Domain User" group to lpadmin group
dscl . -append /Groups/admin GroupMembership 'DomainDomain user or group'. The issue is the plus sign is still greyed out and the user is not able to add a printer, but when I run "dscl . -read /Groups/lpadmin GroupMembership", the user and domain group are listed.