en-US/about_cPrinter_ACL.help.txt
TOPIC
    about_cPrinter_ACL

DESCRIPTION
    The cPrinter DSC resource lets you set a custom DACL (Discretionary
    Access Control List) on the configured printer. The other parts of the
    security descriptor are left unchanged.

PASS CUSTOM DACL
    To set a custom DACL on the printer, provide a list of ACEs (Access
    Control Entries) in JSON format through the $DaclInJSONFormat property.
    See the following example configuration:

        $dacl = @'
        [
            {
                PrincipalName: "Everyone",
                AccessType: "allow",
                AccessPermissions: "Print"
            },
            {
                PrincipalName: "Print Operators",
                AccessType: "allow",
                AceFlags: "OIIO",
                AccessPermissions: "Manage Documents"
            }
        ]
        '@

        Configuration cPrinterTest
        {
            Import-DSCResource -Module PrintHA.DSC

            cPrinter XPS001
            {
                Ensure           = 'Present'
                Name             = 'XPS001'
                IPAddress        = '127.0.0.1'
                DriverName       = 'Microsoft XPS Class Driver'
                FarmName         = 'FARM001'
                DaclInJSONFormat = $dacl
            }
        }

        cPrinterTest
        Start-DscConfiguration -Wait -Force cPrinterTest -Verbose

JSON FORMAT OF DACL
    The input JSON string should contain a list of access control entries
    (ACEs). In general, an ACE contains the following information:

    1. Security Principal
       Provide either a unique name of the principal in a human-readable
       format, such as UPN or SAM Account Name, as the value of
       PrincipalName, or the principal's SID as the value of
       SecurityIdentifier.

    2. Type of Access
       Pass ['Allow'|'Deny'] as the value of AccessType.

    3. Access Permissions
       Specify the assigned permissions as the value of AccessPermissions.
       You can enter either one of the predefined permission sets
       ['Manage Printer'|'Manage Documents'|'Print'] or pass rights in the
       SDDL format (see the rights field in
       https://msdn.microsoft.com/en-us/library/aa374928(v=vs.85).aspx).

    4. ACE Flags (OPTIONAL)
       Specify the inheritance and propagation flags in the SDDL format in
       the AceFlags key. See ace_flags in
       https://msdn.microsoft.com/en-us/library/aa374928(v=vs.85).aspx
       for more details.

    This means you can define the same DACL by using different JSON keys
    with different syntax. The following example shows two different
    definitions of the same DACL.

    Sample #1:

        [
            {
                PrincipalName: "Everyone",
                AccessType: "allow",
                AccessPermissions: "Print"
            },
            {
                PrincipalName: "Print Operators",
                AccessType: "allow",
                AceFlags: "OIIO",
                AccessPermissions: "Manage Documents"
            }
        ]

    Sample #2:

        [
            {
                SecurityIdentifier: "S-1-1-0",
                AccessType: "allow",
                AccessPermissions: "SWRC"
            },
            {
                SecurityIdentifier: "S-1-5-32-550",
                AccessType: "allow",
                AceFlags: "OIIO",
                AccessPermissions: "RPWPSDRCWDWO"
            }
        ]

DEFAULT ADMIN PERMISSIONS
    To prevent an administrator from unintentionally losing access to a
    provisioned printer by providing a wrong or incomplete custom DACL,
    cPrinter appends the following access control entries (ACEs) by default:

        [Allow,Manage Printer,Built-in Administrators] = (A;;LCSWSDRCWDWO;;;BA)
        [Allow,Manage Printer,Local Administrator]     = (A;;LCSWSDRCWDWO;;;LA)
        [Allow,Manage Printer,SYSTEM]                  = (A;;LCSWSDRCWDWO;;;SY)

    A default ACE is not added when the supplied DACL contains a custom
    entry for that security principal. In that case the custom definition
    overrides the default ACE.

    If you do not want the default ACEs to be added, set the
    $noDefaultAdminPermissions property to $true.
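
The rules in this topic, worked through as an added example that is not code from PrintHA.DSC: it turns an ACE list in the JSON format into an SDDL DACL string and applies the default admin ACE rule. The function name ConvertTo-PrinterDaclSddl and its switch are hypothetical, and the sketch assumes Windows with PowerShell 5.0 or later.

```powershell
# Added example: ConvertTo-PrinterDaclSddl is a hypothetical helper, not PrintHA.DSC code.
# Permission-set names and SDDL rights are paired as in this help topic.
$PermissionSets = @{
    'Manage Printer'   = 'LCSWSDRCWDWO'
    'Manage Documents' = 'RPWPSDRCWDWO'
    'Print'            = 'SWRC'
}
function ConvertTo-PrinterDaclSddl {
    param(
        [Parameter(Mandatory)] [string] $DaclInJSONFormat,
        [switch] $NoDefaultAdminPermissions
    )
    $aces = @(foreach ($entry in (ConvertFrom-Json $DaclInJSONFormat)) {
        # Principal: an explicit SID wins, otherwise resolve the account name.
        $sid = $entry.SecurityIdentifier
        if (-not $sid) {
            $account = [System.Security.Principal.NTAccount]$entry.PrincipalName
            $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
        }
        $type = switch ($entry.AccessType) {
            'allow' { 'A' }
            'deny'  { 'D' }
            default { throw "Unknown AccessType '$_' for $sid" }
        }
        # A predefined set name is mapped; anything else is passed on as SDDL rights.
        $rights = [string]$entry.AccessPermissions
        if ($PermissionSets.ContainsKey($rights)) { $rights = $PermissionSets[$rights] }
        "($type;$($entry.AceFlags);$rights;;;$sid)"
    })
    # Parsing rejects malformed ACEs and resolves every trustee to a SID.
    $custom  = [System.Security.AccessControl.RawSecurityDescriptor]::new("D:$(-join $aces)")
    $present = @($custom.DiscretionaryAcl | ForEach-Object { $_.SecurityIdentifier.Value })
    if (-not $NoDefaultAdminPermissions) {
        foreach ($alias in 'BA', 'LA', 'SY') {
            $ace = "(A;;$($PermissionSets['Manage Printer']);;;$alias)"
            $sd  = [System.Security.AccessControl.RawSecurityDescriptor]::new("D:$ace")
            # Append the default only when no custom ACE names this principal.
            if ($sd.DiscretionaryAcl[0].SecurityIdentifier.Value -notin $present) { $aces += $ace }
        }
    }
    "D:$(-join $aces)"
}
# Constructed sample: the custom SYSTEM entry replaces that default; BA and LA are appended.
$sample = @'
[ { "SecurityIdentifier": "S-1-1-0",  "AccessType": "allow", "AccessPermissions": "Print" },
  { "SecurityIdentifier": "S-1-5-18", "AccessType": "allow", "AccessPermissions": "Manage Documents" } ]
'@
ConvertTo-PrinterDaclSddl -DaclInJSONFormat $sample
```

The sketch keeps ACEs in the order supplied and does not sort deny entries ahead of allow entries.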