1

I'm working on a script to set the different printer settings (share, publish, duplex, etc...) with PowerShell. In my environment, I have a different account for server access versus my workstation. So I'm trying to pass those elevated permissions to the server to create the printer and select all the different options, as well as set the permissions.

Using Credential Manager, and creating a new CimSession in the call to create the printer, it works without fail from my workstation. But when it comes to setting the printer options it's not passing the server, or printer, name to the call.

So, here are the calls that create the new printer port and printer:

Add-PrinterPort -Name $IP -ComputerName $Server -PrinterHostAddress $IP -CimSession $Remote -ErrorAction SilentlyContinue

Add-Printer -ComputerName $Server -Name $Printer -PortName $IP -Driver $Driver -Location $Loc -Comment $Comment -CimSession $Remote

That all works as expected. Here is what I'm using to set the options (which fails because access is denied):

Set-Printer -ComputerName "$Server" "$Printer" -Shared:$true -ShareName "$Printer" -Published:$true -PermissionSDDL 'G:SYD:(A;;SWRC;;;AC)(A;OIIO;RPWPSDRCWDWO;;;AC)(A;;SWRC;;;S-1-15-3-1024-155201139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000218)(A;OIIO;RPWPSDRCWDWO;;;S-1-15-3-1024-150205139-2658482041-3872973164-329287231-3865880861-1938685643-461067658-1087000218)(A;;LCSWSDRCWDWO;;;S-1-5-21-1275210071-1425521274-6549912557-618529)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-1276648271-1425521274-6549912557-618529)(A;;LCSWSDRCWDWO;;;S-1-5-21-1275210071-1422146274-6549912557-485967)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-1194558071-1425521274-6549912557-485967)(A;OIIO;GA;;;CO)(A;;SWRC;;;WD)(A;CIIO;GX;;;WD)(A;;LCSWSDRCWDWO;;;BA)(A;OICIIO;GA;;;BA)'

Since there isn't a way to specify credentials in the Set-Printer command, I started using Invoke-Command. FYI, I really don't understand the details of the Invoke-Command, which is likely my trouble. As in:

$Para = @{
    ComputerName = $Server
    ScriptBlock = {
        Set-Printer -ComputerName $Args[1] $Args[0] $Args[2] $Args[3] $Args[4] -PermissionSDDL 'G:SYD:(A;;SWRC;;;AC)(A;OIIO;RPWPSDRCWDWO;;;AC)(A;;SWRC;;;S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422)(A;OIIO;RPWPSDRCWDWO;;;S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422)(A;;LCSWSDRCWDWO;;;S-1-5-21-1275210071-1425521274-1177238915-348522)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-1275210071-1425521274-1177238915-348522)(A;;LCSWSDRCWDWO;;;S-1-5-21-1275210071-1425521274-1177238915-285055)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-1275210071-1425521274-1177238915-285055)(A;OIIO;GA;;;CO)(A;;SWRC;;;WD)(A;CIIO;GX;;;WD)(A;;LCSWSDRCWDWO;;;BA)(A;OICIIO;GA;;;BA)'
        }#End ScriptBlock
    ArgumentList = "$Printer", "$Server", "-Shared:$true", "-ShareName $Printer", "-Published:$true"
}
Invoke-Command @Para

This fails miserably.

Can someone help point me in the right direction on this?

Maximilian Burszley
  • 18,243
  • 4
  • 34
  • 63
Dalebert
  • 35
  • 4
  • You should not do a computer call within `Invoke-Command`, so don't set `ComputerName` parameter for the `Set-Printer` cmdlet since you are already on this computer with `Invoke-Command`. Don't forget the double hop restriction. – CFou May 25 '21 at 14:01
  • And why are you using both `ComputerName` and `CimSession` parameter (which you do not use for the `Set-Printer` command). `CimSession` only should work without using `Invoke-Command`. – CFou May 25 '21 at 14:08

1 Answers1

1

I think your problem is how you're setting up the remote call. These are still cmdlets and how you're passing the arguments doesn't make any sense. I think this is what you're trying to accomplish:

$icParms = @{
    ComputerName = $Server
    ScriptBlock  = {
        $spParms = @{
            Name           = $using:Printer
            ComputerName   = $using:Server
            Shared         = $true
            ShareName      = $using:Printer
            Published      = $true
            PermissionSDDL = 'G:SYD:(A;;SWRC;;;AC)(A;OIIO;RPWPSDRCWDWO;;;AC)(A;;SWRC;;;S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422)(A;OIIO;RPWPSDRCWDWO;;;S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422)(A;;LCSWSDRCWDWO;;;S-1-5-21-1275210071-1425521274-1177238915-348522)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-1275210071-1425521274-1177238915-348522)(A;;LCSWSDRCWDWO;;;S-1-5-21-1275210071-1425521274-1177238915-285055)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-1275210071-1425521274-1177238915-285055)(A;OIIO;GA;;;CO)(A;;SWRC;;;WD)(A;CIIO;GX;;;WD)(A;;LCSWSDRCWDWO;;;BA)(A;OICIIO;GA;;;BA)'
        }
        Set-Printer @spParms
    }
}
Invoke-Command @icParms

See the about_Remote_Variables topic.

Maximilian Burszley
  • 18,243
  • 4
  • 34
  • 63
  • Sorry for the late reply, I was off for a couple days. This is an academic exercise for me (since I am absolutely clueless on this topic) as well as something to be used in business. So, what you're saying, Maximilian, is you are creating a nested parameter set (spParms) which contains the info to pass to the print server, while the icParms are creating the connection to the print server itself. Correct? – Dalebert May 28 '21 at 18:31