windows 2008 R2 TS printer security - can't take owership
- by Ian
I have a Windows 2008 R2 server with Terminal server role installed. I'm seeing a problem with an ordinary user who is member of local printer operators group on the server.
If the user opens a cmd window using ‘run as administrator’ they can run printmanager.msc without needing to enter their password again. In printmanager they can change the ownership of redirected (easy print) printers without problems.
If, from the same cmd window, they use subinacl to try and change the onwership of the queue to themselves they get access denied:
>subinacl.exe /printer "_#MyPrinter (2 redirected)" /setowner="MyDom\MyUsr"
Elapsed Time: 00 00:00:00
Done: 1, Modified 0, Failed 1, Syntax errors 0
Last Done : _#MyPrinter (2 redirected)
Last Failed: _#MyPrinter (2 redirected) - OpenPrinter Error : 5 Access denied
so, same context, same action but one works and one doesn't. Any ideas for this odd behaviour?
I'm using subinacl x86 on an x64 server as I can't find anything more up to date. I've tried with icacls and others but couldn't get them to do anything with printers.
EDIT: added after Gregs comments regarding setacl below
If I log into the TS server as Testusr and open Admin Tools Printer Admin (as administrator) and then type mydomain\testusr and the testusr's password, then I can change the ownership of the printer queue and set testusr as the owner.
However if I open cmd as administrator and, again, type mydomain\testusr and the users password when I try to change the ownership of my redirected printer I get the following:
C:\>setacl -on "Bullzip PDF Printer (12 redireccionado)" -ot prn -actn setowner -ownr n:mydom\testusr
WARNING: Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted.
WARNING: Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted.
INFORMATION: Processing ACL of: <Bullzip PDF Printer (12 redireccionado)>
ERROR: Enabling the privilege SeTakeOwnershipPrivilege failed with: No todos los privilegios o grupos a los que se hace referencia son asignados al llamador.
[meaning not all referenced privs or groups are assigned to the caller]
SetACL finished with error(s):
SetACL error message: A privilege could not be enabled
maybe I'm getting something wrong but if the built in windows tool can do it with just membership of the 'print operators' group then setacl should be able to as well, no?
However setacl seems to depend on other privileges, which in reality are not required to do this.
