prey Posted September 2, 2005 Posted September 2, 2005 Hello FolksThought I wanted to share this with you, in case you like me did not know os this little tool; called SubInAcl from MS Windows Resource Kit.It was recommended to me by Martin Zugec in an earlier post of mine, and I didn’t take much notice of it, until yesterday, where I really needed to give our "normal" users some special privileges...OK - the situation is like this:Students can log on to all classroom PC's with their own domain account, this amongst other thing allow them to print on the network printer in the classroom.BUT; they can also log on with a local machine account just called STUDENT. This permits them to browse internet etc. but NO PRINTING ( we are using quotas )But sometimes they try it anyway, resulting in print job getting cued up on the local machine ( they never reach the print server ). This completely blocks printing for the next user on that machine, and since no users have Administrative privileges, they cannot empty the cue themselves. This generates a lot of helpdesk calls FIRST OF ALL I need to give the STUDENT account access to control the "SPOOLER" service.THEN I needed to give the STUTENT access to the %SYSTEMDRIVE%\Windows\System32\Spool\PRINTERS catalog, and allow them to delete its contents.FINALLY I don’t expect my users to just do these operations on their own, so there would have to be an icon on the desktop, that would do it for them.TWO STEPS:1. Do this as the administratorSPOOL_SPASSER.CMD@echo offFOR %%i IN (D E F G H I J K L M N O P Q R S T U V W X Y Z) DO IF EXIST %%i:\BIRD.txt SET BIRD=%%i:%BIRD%cd subinaclECHO Y| copy subinacl.exe %SYSTEMDRIVE%\Windows\System32ECHO Y| copy Printer_Reset.cmd "%SYSTEMDRIVE%\Documents and Settings\All Users\Desktop"%Systemdrive%cd\subinacl /service spooler /grant=everyone=fsubinacl /file c:\windows\system32\spool\printers\ /grant=users=FECHO Y| CACLS "C:\Windows\System32\spool\PRINTERS" /E /G Users:FECHO Y| CACLS "C:\Windows\System32\spool\PRINTERS\*.*" /E /G Users:FpauseYes - normally you could just use CACLS to give change the ACL of a directory, but the \PRINTERS dir. seems to have some special attributes, that makes it impossible with CACLS. So SubInACL steps in to the rescue!Also not how you can use SubInACL for granting permissions to the SPOOLER service...2. Do this as the frustrated user who would like to empty the local print cue:PRINT_RESET.CMDCLSSC STOP SPOOLERSC STOP SPOOLER%systemdrive%cd\cd windows\system32\spool\printersECHO Y| del *.*SC START SPOOLERI find, that I have to stop the printer service twice. Not that the service is not stopping the first time, but doing twice allows time for it to complete the shutdown before trying to delete the files ( which otherwise would be impossible due to the service still having them open )SubInACL has a ton of other functions, and I admit that it takes some time getting used to the tool, but it is truly powerful and a timesaver.Hope you found it interesting!Kind Regards.Martin Andersen
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now