Print admin group membership for all

ScottyBeach
Contributor

Might overlap https://jamfnation.jamfsoftware.com/discussion.html?id=4701

In the past when we made monolithic images (before the enlightened days of Casper) I would install the OSX Server tools and then use it to add all domain users - an AD group - to the local printer admin group on a bound machine. Then I'd unbind, remove the Server Tools, do all the other prep and make an image of it all. When the image was applied and the target Mac rebound to AD the Print Admin group was happily respected and I'd never get calls about paused print queues. Yay! I win!
Ok, so now I want to push a configuration out via Casper. How do I emulate this process? I want to make an AD group a member of a local group during imaging or pushed out with Casper Remote or Self Serve or maybe even good ol' ARD.
Can I? Thanks for reading.
- Scott

1 ACCEPTED SOLUTION

CasperSally
Valued Contributor II

we run this as part of our post imaging script with no issue

#allow staff to add printers without being admin
/usr/sbin/dseditgroup -o edit -n /Local/Default -a everyone -t group lpadmin


21 REPLIES

mm2270
Legendary Contributor III

So, if I'm following correctly, it sounds like you'll want to build a script to run on each Mac that uses 'dseditgroup' to add your AD group as a nested group into "lpadmin" which is the group that has control over local printers on the Mac.

I haven't ever used dseditgroup to add an AD group as a nested group before, but the general syntax of-

sudo /usr/sbin/dseditgroup -o edit -a GroupName -t group lpadmin

may do it. Again, I'm not exactly sure how that's done when targeting an AD group though, or if dseditgroup only works on local groups. I'm not really clear on that, so perhaps someone has done this and has some advice. Or maybe it needs to be done with dscl in this case.

CasperSally
Valued Contributor II

we run this as part of our post imaging script with no issue

#allow staff to add printers without being admin
/usr/sbin/dseditgroup -o edit -n /Local/Default -a everyone -t group lpadmin

ScottyBeach
Contributor

So, mm2270, you're suggesting adding the group using the CLUI tool equivalent of the Workgroup Manager I was using. Much tidier. If it works then that's the ticket.

And CasperSally, you're simplifying it by using the same command but just adding everyone. I think then it would have to be set at every logon via a policy in case a new user is logging on.

If either of those works for me then that'll do nicely. I'll go try now. Thank you both.
- Scott

CasperSally
Valued Contributor II

We only run it once as part of our post image script, every user who logs in after imaging can add printers.

mm2270
Legendary Contributor III

Yeah, if you're OK with just using the local groups on the Mac that all users are part of, regardless if their account comes from LDAP or is just a local account, then that will do it.
In your post, it sounded like you were trying to add users that were part of specific LDAP groups into lpadmin. That's the part I wasn't sure about. I know dseditgroup can edit an LDAP group, but I've never used it to take an LDAP group and nest it within a local one.

I would use the command CasperSally suggested to start with. Only thing I'll say is, I don't think it's strictly necessary to target the local node with the "-n /Local/Default" part. dseditgroup will assume the local node unless you specify otherwise.

See Greg's short writeup on dseditgroup here:
http://managingosx.wordpress.com/2010/01/14/add-a-user-to-the-admin-group-via-command-line-3-0/

ScottyBeach
Contributor

Oh, Sally, the "everyone" you mentioned IS a group. So I only have to do this once! Very good. That's the ticket.

ScottyBeach
Contributor

mm2270: The AD group here called "All Domain Users" just sort of fit the bill but the local "everyone" will be fine as we now and then have a local account for freelancers etc. and this will allow them access too. Thanks again for your help and to the pointer to Greg's article.
- Scott

milesleacy
Valued Contributor

For what it's worth, the security-conscious may want to consider the fact that granting the ability to manage printers to a user means you are handing them root.

I wrote about this a few years ago under 10.5, and as of 10.7.4, it's still true.
http://themacadmin.com/?p=63

I hope having this info can help prevent folks from running afoul of their internal security teams.

ScottyBeach
Contributor

Miles:
I'm really just trying to cut down on the support calls from users who can't un-pause their print queues without authorization. Is there a way to just provide that?
Thanks,
- Scott


jarednichols
Honored Contributor

Miles' article covers that.

ScottyBeach
Contributor

You're correct:

There are other default policies in the default cupsd.conf file that govern pausing & resuming queues, holding & deleting print jobs, etc. These policies can be modified in the same way.

Thanks.
- Scott
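The quote above places the pause/resume rules in the cupsd.conf operation policy rather than in group membership. What follows is an added example, not code from this thread or from Miles' article: a POSIX sh script that lists which IPP operations a cupsd.conf restricts to the CUPS SystemGroup (the @SYSTEM name; on macOS that group is set by the SystemGroup directive, in cupsd.conf on older CUPS and cups-files.conf on newer) and then moves only Pause-Printer and Resume-Printer into their own <Limit> that requires any valid login instead. SAMPLE_CONF is a constructed fragment in the shape of the stock policy block, not copied from any macOS release; the real file is /etc/cups/cupsd.conf, and cupsd has to be restarted to pick up a change. The narrowing leaves the lpadmin group alone, so the root-equivalence Miles warns about is not extended to every user just to let them un-pause a queue.

```shell
#!/bin/sh
# Added example (not from the thread): audit and narrow the cupsd.conf
# operation policy instead of putting "everyone" in lpadmin.
# Assumes the default CUPS policy layout: <Policy> containing <Limit ops...>
# blocks, each closed by </Limit>, with a catch-all <Limit All> last.

# Constructed sample, modelled on the shape of the stock policy block
# (not copied from any particular macOS release).
SAMPLE_CONF='<Policy default>
  <Limit Send-Document Send-URI Hold-Job Release-Job Cancel-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Cancel-Jobs>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>'

# Print, one per line, every operation that a <Limit> block restricts to the
# SystemGroup alone ("Require user @SYSTEM"; "@OWNER @SYSTEM" blocks are
# skipped because the job owner may act there). Reads the conf on stdin.
restricted_ops() {
  awk '
    /^[[:space:]]*<Limit / { hdr = $0; sub(/^[[:space:]]*<Limit[[:space:]]+/, "", hdr); sub(/>[[:space:]]*$/, "", hdr); sys = 0; next }
    /Require[[:space:]]+user[[:space:]]+@SYSTEM[[:space:]]*$/ { sys = 1; next }
    /^[[:space:]]*<\/Limit>/ { if (sys) { n = split(hdr, a, /[[:space:]]+/); for (i = 1; i <= n; i++) if (a[i] != "") print a[i] } hdr = ""; sys = 0 }
  '
}

# Exit 0 if the named operation is SystemGroup-only in the conf on stdin.
op_is_restricted() {
  restricted_ops | grep -qx -- "$1"
}

# Rewrite the conf on stdin so that the operations given as arguments are
# removed from every existing <Limit> header (except <Limit All>) and placed
# in one new <Limit> that needs only a valid login, not SystemGroup
# membership. Each op then appears in exactly one <Limit>, so there is no
# question of which block cupsd applies. The new block goes just before
# each </Policy>.
relax_ops() {
  awk -v ops="$*" '
    BEGIN { n = split(ops, want, /[[:space:]]+/); for (i = 1; i <= n; i++) drop[want[i]] = 1 }
    skip { if (/^[[:space:]]*<\/Limit>/) skip = 0; next }
    /^[[:space:]]*<Limit / && !/<Limit All>/ {
      indent = $0; sub(/<.*$/, "", indent)
      hdr = $0; sub(/^[[:space:]]*<Limit[[:space:]]+/, "", hdr); sub(/>[[:space:]]*$/, "", hdr)
      m = split(hdr, a, /[[:space:]]+/); out = ""
      for (i = 1; i <= m; i++) if (!(a[i] in drop)) out = out (out == "" ? "" : " ") a[i]
      if (out == "") { skip = 1; next }     # every op moves: drop the whole block
      print indent "<Limit " out ">"; next
    }
    /^[[:space:]]*<\/Policy>/ {
      print "  <Limit " ops ">"
      print "    AuthType Default"
      print "    Require valid-user"
      print "    Order deny,allow"
      print "  </Limit>"
    }
    { print }
  '
}
```

To see the result on the sample, run `printf '%s\n' "$SAMPLE_CONF" | relax_ops Pause-Printer Resume-Printer`; on a real machine feed it /etc/cups/cupsd.conf, diff the output against the original, back the file up, install the new one and restart cupsd. Everything else (adding printers, installing PPDs, Enable/Disable-Printer) stays with the SystemGroup.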

ktappe
New Contributor III

(I had posted that this command was not working for me. However, I forgot that the lock icon remains in the Print dialog even though the user is able to click the "+" to add a printer.)

Dear Apple: Can you please fix the Print & Scan dialog box so that the lock icon is either not there or shows unlocked when the user has rights to add a printer? Thanks.

tomt
Valued Contributor

I use that same command and what it does is allow a non-admin user to add/remove a printer just by clicking the plus/minus sign. They can also resume a paused print queue.

That user still will not be able to install print drivers or unlock the preference pane. The reason for that, I believe, is that those things require the user to be in the admin group vs lpadmin.

obi-k
Valued Contributor II

If you want to reverse it, or undo it, what would you put in place for "everyone" so that admins can't print again?

/usr/sbin/dseditgroup -o edit -n /Local/Default -a everyone -t group lpadmin

Thanks in advance...

donmontalvo
Esteemed Contributor II

@mm2270 wrote:

So, if I'm following correctly, it sounds like you'll want to build a script to run on each Mac that uses 'dseditgroup' to add your AD group as a nested group into "lpadmin" which is the group that has control over local printers on the Mac. I haven't ever used dseditgroup to add an AD group as a nested group before, but the general syntax of-
sudo /usr/sbin/dseditgroup -o edit -a GroupName -t group lpadmin
may do it. Again, I'm not exactly sure how that's done when targeting an AD group though, or if dseditgroup only works on local groups. I'm not really clear on that, so perhaps someone has done this and has some advice. Or maybe it needs to be done with dscl in this case.

This seems to work for adding Domain Users to the _lpadmin group:

/usr/sbin/dseditgroup -o edit -n /Local/Default -a 'Domain Users' -t group _lpadmin

Confirm:

dscl . -read /Groups/_lpadmin NestedGroups
NestedGroups: ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000050 ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000000C DA3FF227-1B7E-4766-A10E-B9C04DD5518B 6894E51E-64E3-453C-8CB4-8ACF57F6DC1F
--
https://donmontalvo.com

sepiemoini
Contributor III

I agree with both @mm2270 and @CasperSally! Here's what I've been using in one of my production JSS instances.

#!/bin/bash

# Allow staff to add printers and manage print queues without administrative rights
/usr/sbin/dseditgroup -o edit -a everyone -t group lpadmin

# Determine the local, logged-in user (the owner of /dev/console)
loggedInUser=$(stat -f%Su /dev/console)

# Check whether that user is a member of "lpadmin" on the local node
var1=$(dseditgroup -o checkmember -m "$loggedInUser" -n . lpadmin)

# Write out who is logged in and whether they are a member of lpadmin on the local node
echo "$loggedInUser is currently logged in and $var1."

exit 0

apizz
Valued Contributor

@donmontalvo I see your NestedGroups confirm, but how do you turn those Group IDs into the actual name of the group?

At the moment I'm verifying that the necessary groups have been added to the lpadmin group by using dseditgroup and using known member of each group we add to lpadmin.
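One way to turn the NestedGroups GUIDs from donmontalvo's check into names, as an added example that is not from any poster in this thread: a POSIX sh script that pulls the GUIDs out of the `dscl . -read /Groups/_lpadmin NestedGroups` output and looks each one up with `dscl <node> -search /Groups GeneratedUID <guid>`, first in the local node and then in the /Search path so directory (AD) groups resolve too. The dscl invocations are real; the parsing assumes `-search` prints the matching record name at the start of its first line followed by whitespace and "GeneratedUID = (", which is the layout the extraction function expects and which is labelled as an assumption in the code. The sample inputs in the test are constructed from the GUIDs shown in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): list the groups nested in lpadmin by
# name by resolving the GeneratedUID values that
# `dscl . -read /Groups/_lpadmin NestedGroups` prints.

# Pull the GUIDs out of a "NestedGroups: <guid> <guid> ..." line, one per line.
nested_group_guids() {
  sed -n 's/^NestedGroups:[[:space:]]*//p' | tr ' ' '\n' | sed '/^$/d'
}

# Assumption about dscl's -search output layout: the first line starts with
# the record name, then whitespace, then "GeneratedUID = (". Print that name,
# or nothing if there was no match.
name_from_search_output() {
  sed -n '1s/[[:space:]]\{1,\}GeneratedUID = .*$//p'
}

# Well-known local groups use a synthetic GUID whose last digits are the gid
# in hex (...00000050 = gid 80 = admin, ...0000000C = gid 12 = everyone).
# Other GUIDs are normally directory groups, found through the /Search node.
# Prints "<guid> <node> <name>" tab-separated; returns 1 if nothing matched.
resolve_group_guid() {
  guid=$1
  for node in /Local/Default /Search; do
    name=$(dscl "$node" -search /Groups GeneratedUID "$guid" 2>/dev/null | name_from_search_output)
    if [ -n "$name" ]; then
      printf '%s\t%s\t%s\n' "$guid" "$node" "$name"
      return 0
    fi
  done
  printf '%s\t?\t(unresolved)\n' "$guid"
  return 1
}

# Report every group nested in a local group (default: _lpadmin). Read-only,
# so it does not need root.
report_nested_groups() {
  group=${1:-_lpadmin}
  dscl . -read "/Groups/$group" NestedGroups | nested_group_guids | while read -r guid; do
    resolve_group_guid "$guid"
  done
}

# Usage: sh nested-groups.sh --run            (defaults to _lpadmin)
#        sh nested-groups.sh --run admin
case "${1:-}" in
  --run) report_nested_groups "${2:-_lpadmin}" ;;
esac
```

An "(unresolved)" line usually means the nested group came from a directory node the Mac is no longer bound to, or the GUID belongs to a group that has since been deleted; either way it is worth removing with `dseditgroup -o edit -d`, since it is a grant nobody can account for.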

ahmaduhhs
New Contributor II

@CasperSally Thank you, seems like an easy fix going forward, this will also allow the users to un-pause?
Can I also run it for existing users using ARD?
@ScottyBeach

PhilS
New Contributor III

Is @CasperSally's command still good in Big Sur / Monterey? We're wanting to remove admin rights but will need to keep the ability to add printers.

micmil
New Contributor II

This does appear to still work under Monterey. A good thing too; ever since updating most of our fleet we've been getting these annoying "printtool" popups asking for a "print administrator" password. Running this command stops the popups. About the only undesirable side effect is standard users can add/remove printers but I think that's a minor issue in our environment (and might actually be a bonus for some admins).