Apple added a "feature" to Leopard which restricts non administrator users from managing printers on their Macs. While this is desired behavior on a public machine such as a classroom, it is a problem for single user machines such as faculty, staff and 1:1 deployments.
By default in Leopard, a non-admin user can not add or remove printers. They are also not able to hold or resume a print job. This is a problem if you want users to be able to add printers themselves, especially if they’re bringing their laptops home.
Some tips out there will suggest you modify /etc/authorization however there is no printing specific key in here, you would have to grant access to all secure preference panes which is probably not want you want to do.
The better way is to modify the /etc/cups/cupsd.conf file. Open this file in your favorite text editor (such as vi, pico or TextWrangler) and look for this section:
55 56 57 58 59 60
# All administration operations require an administrator to authenticate... <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default> AuthType Default Require user @SYSTEM Order deny,allow </Limit>
Replace the “Require user” line with this one:
Require user @AUTHKEY(system.print.admin) @admin @lpadmin
All users are members of the lpadmin group on Leopard. This will allow all users to add or remove a printer or printer class. I’ve tried only adding @ldadmin to the end of that line but it didn’t work for me. Alternatively, I believe you can just remove the specific operations such as the "CUPS-Add-Modify-Printer" operator. Using this method will allow you to fine tune the exact operations you want to allow or deny.
You may also want to allow your users to hold or resume print jobs. Look for this section:
62 63 64 65 66 67
# All printer operations require a printer operator to authenticate... <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs> AuthType Default Require user @AUTHKEY(system.print.admin) @admin @lpadmin Order deny,allow </Limit>
You would think that @OWNER would allow the owner of the print job to hold or resume that job, but not so. For this section, you can simply add @ldadmin to the end of the “Require user” line.
For more information on this file, or a description of all the operators, see the cupsd.conf documentation.
You can push this modified file out with ARD, or what I did is create a package installer and a postflight script which contains the following:
#!/bin/sh <P>/usr/bin/killall -HUP cupsd
This will ensure the changes are immediately in affect. Then you can push the package through ARD, LANDesk or whatever your preferred deployment tool is. I also add the package to our Deploy Studio workflows that are intended for faculty and staff machines.
Hopefully doing this will limit the number of requests you get for such a trivial task as adding a printer or resuming a print job after a paper jam.