Allow Non-Admin users to Manage Printers

Posted on January 24, 2009

Apple added a "feature" to Leopard which restricts non-administrator users from managing printers on their Macs. While this is desired behavior on a public machine such as a classroom, it is a problem for single-user machines such as faculty, staff and 1:1 deployments.

By default in Leopard, a non-admin user cannot add or remove printers. They are also not able to hold or resume a print job. This is a problem if you want users to be able to add printers themselves, especially if they’re bringing their laptops home.

Some tips out there suggest modifying /etc/authorization. However, there is no printing-specific key in that file, so you would have to grant access to all secure preference panes, which is probably not what you want to do.

The better way is to modify the /etc/cups/cupsd.conf file. Open this file in your favorite text editor (such as vi, pico or TextWrangler) and look for this section:

  # All administration operations require an administrator to authenticate...
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>

Replace the “Require user” line with this one:

Require user @AUTHKEY(system.print.admin) @admin @lpadmin

All users are members of the lpadmin group on Leopard. This will allow all users to add or remove a printer or printer class. I’ve tried only adding @lpadmin to the end of that line but it didn’t work for me. Alternatively, I believe you can just remove the specific operations such as the "CUPS-Add-Modify-Printer" operation. Using this method will allow you to fine-tune the exact operations you want to allow or deny.

You may also want to allow your users to hold or resume print jobs. Look for this section:

  # All printer operations require a printer operator to authenticate...
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    Require user @AUTHKEY(system.print.admin) @admin @lpadmin
    Order deny,allow
  </Limit>

You would think that @OWNER would allow the owner of the print job to hold or resume that job, but not so. For this section, you can simply add @lpadmin to the end of the “Require user” line.

For more information on this file, or a description of all the operations, see the cupsd.conf documentation.

You can push this modified file out with ARD. What I did instead was create a package installer with a postflight script that contains the following:

#!/bin/sh
# Send SIGHUP to cupsd so it re-reads /etc/cups/cupsd.conf
/usr/bin/killall -HUP cupsd

This will ensure the changes are immediately in effect. Then you can push the package through ARD, LANDesk or whatever your preferred deployment tool is. I also add the package to our DeployStudio workflows that are intended for faculty and staff machines.
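
The edit described above can be scripted so that it changes only the <Limit> block naming the operation you choose, instead of every "Require user" line in the file. This is an added example, not the author's postflight script; the function names, the .orig backup and the sample fragment are assumptions made here.

```shell
#!/bin/sh
# Added example: change "Require user" only inside the <Limit> block that names
# a given IPP operation, so job-level and other policy blocks stay as shipped.

# The replacement line is the one given in the article.
NEW_REQUIRE='Require user @AUTHKEY(system.print.admin) @admin @lpadmin'

# patch_limit_block OPERATION   (reads cupsd.conf on stdin, writes to stdout)
patch_limit_block() {
    awk -v op="$1" -v new="$NEW_REQUIRE" '
        /^[ \t]*<Limit[ \t]/ {                 # opening tag: is op listed?
            hit = 0; tag = $0
            gsub(/[<>]/, " ", tag)
            n = split(tag, w, /[ \t]+/)
            for (i = 1; i <= n; i++) if (w[i] == op) hit = 1
        }
        /^[ \t]*<\/Limit>/ { hit = 0 }         # closing tag ends the block
        hit && /^[ \t]*Require[ \t]+user[ \t]/ {
            indent = $0; sub(/Require.*/, "", indent)
            print indent new; next             # keep the original indentation
        }
        { print }'
}

# apply_patch FILE OPERATION...  keeps a one-time backup in FILE.orig
apply_patch() {
    conf=$1; shift
    [ -e "$conf.orig" ] || cp -p "$conf" "$conf.orig" || return 1
    for op in "$@"; do
        patch_limit_block "$op" < "$conf" > "$conf.tmp" || return 1
        cat "$conf.tmp" > "$conf" || return 1  # rewrite in place: owner/mode kept
    done
    rm -f "$conf.tmp"
}

# Constructed sample (abbreviated operation lists), not a full cupsd.conf.
sample_conf() {
    cat <<'EOF'
<Limit Hold-Job Release-Job Cancel-Job>
  Require user @OWNER @SYSTEM
</Limit>
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Set-Default>
  AuthType Default
  Require user @SYSTEM
</Limit>
EOF
}

sample_conf | patch_limit_block CUPS-Add-Modify-Printer
```

In a postflight, apply_patch /etc/cups/cupsd.conf CUPS-Add-Modify-Printer would run before the killall -HUP line; passing Pause-Printer instead edits only the printer-operations block.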

Hopefully doing this will limit the number of requests you get for such a trivial task as adding a printer or resuming a print job after a paper jam.



15 Responses to Allow Non-Admin users to Manage Printers

  • mike says:

    Hey,

    This does not work for me, printers remained locked for non-admin users

  • Jeff says:

    I’ve tried this too and it will not work. I’ve tried many variations and no luck. The padlock still remains locked and the plus and minus buttons are still disabled. I even tried commenting out the whole section as suggested by another website and that didn’t work either.

  • TGB says:

    The “padlock” in System Preferences is not managed by the cupsd configuration or by the group management stuff. It’s controlled by /etc/authorization.

    However, you don’t need access to that panel to add printers. Go: File > Print > Add Printer. It’s the exact same panel that is spawned from System Preferences. Or if you’re feeling lucky, go rooting around in /System/Library/CoreServices for the AddPrinter application (it is its own separate application, and just doesn’t have a Dock icon).

    The “padlock” does not reflect your printer controlling privileges. It only reflects your ability (or not) to get through the System Preferences UI.

  • JD says:

    If you want to open all printer functions for all users there are 2 keys in /etc/authorization which are specific to printing, contrary to your post. They are “system.print.admin” and “is-lpadmin”. If you change the “group” setting under each key to “staff” then anyone can do everything with printers. The padlock will show locked but you will be able to make changes as non-admin users. The best vehicle to make these changes is PlistBuddy.

  • JD, what version of the OS did you apply this change to? 10.5.8 has the system.print.admin entry you refer to but 10.5.6 does not?

  • JD says:

    OS version must be 10.5.7 or better to fix via editing /etc/authorization. This is the update in which Apple changed how printing works. This is what makes the changes necessary in the first place. 10.5.6 and below you shouldn’t have to mess with anything that I can remember.

  • Patrick says:

    This post was from pre-10.5.7.

  • I use 10.5.7 but it is still not working. Are there other ways? Can you also explain how to do it step by step?

  • Roy says:

    JD, your solution of listing “staff” as enabled group will only allow members of the staff group to perform modifications. Depending upon which version of the OS was initially used on a computer, and which version of the OS is currently being used, any given user may or may not belong to the group “staff” (uid=20).

    To enable everyone’s access to printer configs, I suspect it is better to use the group “everyone”, rather than “staff”.

  • James says:

    I tried the suggestions on this page, but I’m running 10.6.8 and it doesn’t seem to work.

    Frankly, I don’t want my users to be able to add or remove printers. I want control of that. But I do want them to be able to unpause printers. How can I accomplish this? What would a 10.6.x fix look like?

  • Bob says:

    I just updated my Snow Leopard software on 10/14/11. Now I get the message that I have to type in an administrator ID and password to be able to print. It talks about the print operator group... but I have always had all users of this machine able to print without typing in the admin password. Otherwise it would be a PITA for me. Prior to this update, I did not have this problem. I checked my system prefs and it says “anyone can print” in the fax and print box. What gives? Bob

  • iWIC says:

    This work around does not seem to work for us as well.

    Here’s our story… We have Macs bound to Active Directory. Users are allowed to log in to these Macs using their AD credentials.

    1. We have a Windows print server set up, and printers are displayed as Open Directory in the Add Printer System Preferences setting. The Printer & Fax in the System Preferences is normally locked on a standard end user without elevated rights. Attempting to add a local or network shared printer calls for an account with admin rights, either a local admin account or a domain admin. Of course unlocking the Printer & Fax portion with an account with admin rights then unlocks everything else in the System Preferences such as Accounts, Security, etc. settings. Any way around this, where a standard user can connect themselves to a network printer? In contrast, in the Windows environment, standard AD users are allowed to connect themselves to a network printer without being prompted for an account with elevated rights. Of course, we have granted them permission through user and group security settings. However, is there an equivalent in the Mac environment?

    2. Next… We have a shared printer configured on one Mac. From time to time with other Mac client computers printing to it, when there’s a jam, or to cancel a print job, or anytime where the printer needs some user intervention, clients are prompted with “Type the name and password of a user in the “Print Operator” group to allow {printer name or ip} @{computer name}.app to make changes.” We’ve entered in a local admin account which resides on the Mac with the shared printer, and still no go. Both local admin accounts on other Mac client workstations and domain accounts do not work as well. Any suggestions with a fix for this? Also, any idea what’s going on here?

    Would purchasing a Mac OS Server, attached to AD as well, solve these issues?

  • JasT says:

    IWic, we are having the exact same issue. Any solution yet? Anyone else any help would be appreciated.

  • SURIYA says:

    I need to know how to set password permissions in security while exporting a PDF using AppleScript.
