Might overlap https://jamfnation.jamfsoftware.com/discussion.html?id=4701
In the past when we made monolithic images (before the enlightened days of Casper) I would install the OSX Server tools and then use it to add all domain users - an AD group - to the local printer admin group on a bound machine. Then I'd unbind, remove the Server Tools, do all the other prep and make an image of it all. When the image was applied and the target Mac rebound to AD the Print Admin group was happily respected and I'd never get calls about paused print queues. Yay! I win!
Ok, so now I want to push a configuration out via Casper. How do I emulate this process? I want to make an AD group a member of a local group during imaging or pushed out with Casper Remote or Self Service or maybe even good ol' ARD.
Can I? Thanks for reading.
So, if I'm following correctly, it sounds like you'll want to build a script to run on each Mac that uses 'dseditgroup' to add your AD group as a nested group into "lpadmin" which is the group that has control over local printers on the Mac.
I haven't ever used dseditgroup to add an AD group as a nested group before, but the general syntax of:
sudo /usr/sbin/dseditgroup -o edit -a GroupName -t group lpadmin
may do it. Again, I'm not exactly sure how that's done when targeting an AD group though, or if dseditgroup only works on local groups. I'm not really clear on that, so perhaps someone has done this and has some advice. Or maybe it needs to be done with dscl in this case.
So, mm2270, you're suggesting adding the group using the CLUI tool equivalent of the Workgroup Manager I was using. Much tidier. If it works then that's the ticket.
And CasperSally, you're simplifying it by using the same command but just adding everyone. I think then it would have to be set at every logon via a policy in case a new user is logging on.
If either of those works for me then that'll do nicely. I'll go try now. Thank you both.
Yeah, if you're OK with just using the local groups on the Mac that all users are part of, regardless if their account comes from LDAP or is just a local account, then that will do it.
In your post, it sounded like you were trying to add users that were part of specific LDAP groups into lpadmin. That's the part I wasn't sure about. I know dseditgroup can edit an LDAP group, but I've never used it to take an LDAP group and nest it within a local one.
I would use the command CasperSally suggested to start with. Only thing I'll say is, I don't think it's strictly necessary to target the local node with the "-n /Local/Default" part. Dseditgroup will assume the local node unless you specify otherwise.
See Greg's short writeup on dseditgroup here:
The AD group here called "All Domain Users" just sort of fit the bill but the local "everyone" will be fine as we now and then have a local account for freelancers etc. and this will allow them access too. Thanks again for your help and for the pointer to Greg's article.
For what it's worth, the security-conscious may want to consider the fact that granting the ability to manage printers to a user means you are handing them root.
I wrote about this a few years ago under 10.5, and as of 10.7.4, it's still true.
I hope having this info can help prevent folks from running afoul of their internal security teams.
There are other default policies in the default cupsd.conf file that govern pausing & resuming queues, holding & deleting print jobs, etc. These policies can be modified in the same way.
(I had posted that this command was not working for me. However, I forgot that the lock icon remains in the Print dialog even though the user is able to click the "+" to add a printer.)
Dear Apple: Can you please fix the Print & Scan dialog box so that the lock icon is either not there or shows unlocked when the user has rights to add a printer? Thanks.
I use that same command and what it does is allow a non-admin user to add/remove a printer just by clicking the plus/minus sign. They can also resume a paused print queue.
That user still will not be able to install print drivers or unlock the preference pane. The reason for that, I believe, is that those things require the user to be in the admin group vs lpadmin.
If you want to reverse it, or undo it, what would you put in place for "everyone" so that admins can't print again?
/usr/sbin/dseditgroup -o edit -n /Local/Default -a everyone -t group lpadmin
Thanks in advance...
This seems to work for adding Domain Users to the _lpadmin group:
/usr/sbin/dseditgroup -o edit -n /Local/Default -a 'Domain Users' -t group _lpadmin
dscl . -read /Groups/_lpadmin NestedGroups
NestedGroups: ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000050 ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000000C DA3FF227-1B7E-4766-A10E-B9C04DD5518B 6894E51E-64E3-453C-8CB4-8ACF57F6DC1F
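An added example, not code from the thread, that wraps the dseditgroup calls discussed in the posts above (nesting with -a, backing it out with -d as asked a few posts up, and dseditgroup's own checkmember test) in a script that only prints the commands unless DRY_RUN is turned off, and that parses the dscl NestedGroups output quoted just above. The _lpadmin target, the DRY_RUN variable, the function names and the sample dscl line are assumptions or constructed for the example:

```shell
#!/bin/sh
# Added example, not from the thread: nest or un-nest a group in the local
# print-administrators group with dseditgroup, and inspect what is already
# nested. DRY_RUN=1 (the default here, an assumption) only prints the
# commands, so the script can be reviewed, or run on a non-Mac, safely.

DSEDITGROUP=/usr/sbin/dseditgroup
LOCAL_NODE=/Local/Default
TARGET_GROUP=_lpadmin            # local printer administrators
DRY_RUN=${DRY_RUN:-1}

# Execute "$@", or in dry-run mode print it as one line (arguments are
# printed unquoted, so "Domain Users" shows as two words).
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'DRY RUN:'
        printf ' %s' "$@"
        printf '\n'
    else
        "$@"          # membership edits need root; run the script with sudo
    fi
}

# lpadmin_edit add|remove NAME  -> nest (-a) or un-nest (-d) group NAME
lpadmin_edit() {
    case "$1" in
        add)    run "$DSEDITGROUP" -o edit -n "$LOCAL_NODE" -a "$2" -t group "$TARGET_GROUP" ;;
        remove) run "$DSEDITGROUP" -o edit -n "$LOCAL_NODE" -d "$2" -t group "$TARGET_GROUP" ;;
        *)      echo "usage: lpadmin_edit add|remove NAME" >&2; return 1 ;;
    esac
}

# lpadmin_check USER -> dseditgroup's own membership test for a user
lpadmin_check() {
    run "$DSEDITGROUP" -o checkmember -n "$LOCAL_NODE" -m "$1" "$TARGET_GROUP"
}

# Read `dscl . -read /Groups/_lpadmin NestedGroups` output on stdin and
# print one GUID per line (nothing if the attribute is absent).
nested_guids() {
    awk '$1 == "NestedGroups:" { for (i = 2; i <= NF; i++) print $i }'
}

# guid_is_nested GUID < dscl-output -> exit 0 if GUID is nested
guid_is_nested() {
    nested_guids | grep -qix "$1"
}

# Constructed sample in the shape of the dscl output quoted in the thread.
# macOS built-in groups use the ABCDEFAB-CDEF-ABCD-EFAB-CDEF prefix with
# the group's gid in hex at the end: ...50 is gid 80 (admin), ...0C is
# gid 12 (everyone).
SAMPLE_DSCL='NestedGroups: ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000050 ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000000C'

# Demo: show the commands, then run the parser against the sample.
lpadmin_edit add 'Domain Users'
lpadmin_edit remove 'Domain Users'
lpadmin_check "$(id -un)"
if printf '%s\n' "$SAMPLE_DSCL" | guid_is_nested ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000000C; then
    echo "gid 12 (everyone) is nested in $TARGET_GROUP in the sample"
fi
```

Run with DRY_RUN=0 under sudo on the Mac to apply a change; given the point made earlier in the thread that lpadmin membership is effectively root, the remove action is the one to keep handy for backing the change out, and the parser is a quick way to confirm from a policy or extension attribute what is actually nested before and after.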
#!/bin/bash
# Allow staff to add printers and manage print queue without administrative rights
/usr/sbin/dseditgroup -o edit -a everyone -t group lpadmin
# Determines local, logged in user
loggedInUser=$(stat -f%Su /dev/console)
# Determines if local, logged in user is a member of "lpadmin."
var1=$(dseditgroup -o checkmember -m "$loggedInUser" -n . lpadmin)
# Will write out a message specifying who the current user is and whether the current user is a member of the lpadmin group on the local node.
echo "$loggedInUser is currently logged in and $var1."
exit 0
This does appear to still work under Monterey. A good thing too; ever since updating most of our fleet we've been getting these annoying "printtool" popups asking for a "print administrator" password. Running this command stops the popups. About the only undesirable side effect is standard users can add/remove printers but I think that's a minor issue in our environment (and might actually be a bonus for some admins).