Greetings,
Is there a way to have a kixtart script:
1. Traverse through ALL installed printers on a print server, determine its security permissions, and store its info in an array?
2. Compare those printer security permissions to a user utilizing the ingroup() function? Ultimately, if a user matches any of the security permissions of each printer, it will be dealt with accordingly. Of course this would all occur in some sort of for or while loop to traverse each printer.
3. Finally, utilize the addprinterconnection() function to finally add a user's printers. Of course this would all be done dynamically.
The benefits of this:
1. If we need to add a printer, we don't need to edit any kixtart scripts (Requires less training).
2. It's easier.
3. I'll sleep better at night.
4. It will probably cut my code in half (We're talking over 1000 lines).
Thanks in advance!!!
Hoopes

make a global group, example "PrinterA"
assign users to that group
in your script:
if ingroup('PrinterA')
    $nul=addprinterconnection('\\server\printera')
endif

Use a standardized naming convention for the DGGs and enum them into an array. Using the newest AScan() search for a partial match on the groupname prefix. Create an INI that maps the relationship between groupname and printername/sharename. Loop through the AScan() positives and pull the printername/sharename from the INI.

Unfortunately, that is what I'm already doing. What I'm hoping is to be a little more dynamic because you are still statically specifying the group and statically specifying the printer. Hopefully this is a little clearer than before:
1. Query ALL of the @USERID's groups that it belongs to
2. Query ALL of the installed printers on the print server and determine their permissions
3. Compare the @USERID's permissions to every installed printer.
4. If the printer's perms match the @USERID's perms addprinterconnection($CURRENTPRINTERINLOOP)
So basically, I don't want to hardcode usernames or printer name in the script. Is that something that is possible?
Thanks again!
Hoopes

Les, your suggestion sounds more like what I'm looking for. Do you have any snippets of code I could utilize?

If you ACL the DGGs to the printers, you can skip the reading of printer ACEs. My suggestion then would fit the bill nicely. You only need to enum all the groups a user is a member of and pull out the printer DGGs.

Start with the GetGroups() UDF. http://www.kixtart.org/UDF/UDF_lister.php?what=post&code=82790
AScan() is pretty straight forward. Just make sure you have the newest KiX as partial matches are a recent addition. Read the INI with ReadProfileString(). The only challenge would be in ascertaining which printer to make default. See what you can do with that and post back when you hit a speedbump.

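The group-to-printer lookup suggested in the two posts above (enumerate the user's groups, pick out the printer groups by name, read the shares from an INI), as an added example that is not part of the thread. It uses the built-in EnumGroup() and plain string tests instead of the GetGroups() UDF and AScan(); the INI path, the [PrinterGroups] section name and the share names are assumptions.

```kixtart
; Added example, not from the thread. Assumptions: the INI path, the
; [PrinterGroups] section name and the share names are hypothetical.
;
; printers.ini (constructed sample):
;   [PrinterGroups]
;   dmlcl_grp_corp_MIS_bw_printers=\\server\printera,\\server\printerb
;   dmlcl_grp_corp_MIS_clr_printers=\\server\printerc

$Ini = @LSERVER + "\NETLOGON\printers.ini"
$Prefix = "dmlcl_grp_"
$Suffix = "_printers"

$Index = 0
Do
    $Group = EnumGroup($Index)          ; "DOMAIN\group", empty when done
    $Index = $Index + 1
    If Len($Group) > 0
        ; Drop the "DOMAIN\" part so the name can be used as an INI key
        $Name = Right($Group, Len($Group) - InStrRev($Group, "\"))
        ; Only groups that follow the printer naming convention are looked up
        If Left($Name, Len($Prefix)) = $Prefix And Right($Name, Len($Suffix)) = $Suffix
            $Shares = ReadProfileString($Ini, "PrinterGroups", $Name)
            If Len($Shares) = 0
                ? "No printers listed for group " + $Name
            Else
                ; One group may map to several shares, comma separated
                For Each $Share In Split($Shares, ",")
                    $Share = Trim($Share)
                    $RC = AddPrinterConnection($Share)
                    If $RC = 0
                        ? "Mapped " + $Share
                    Else
                        ? "Could not map " + $Share + " (error " + $RC + ")"
                    EndIf
                Next
            EndIf
        EndIf
    EndIf
Until Len($Group) = 0
```

AddPrinterConnection() only succeeds where the printer's own permissions allow the user, so the INI acts as a lookup table and the ACL on the print server remains the access control.
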
I think you should review the following thread. I think it pertains to some of the issues you are encountering. Some of the discussion throughout the thread may be directly applicable to your situation. http://www.kixtart.org/ubbthreads/showflat.php?Cat=0&Number=104500

You can also assign printers by GPO on Active Directory if that meets your needs. Plenty of ways to handle this, depends on what suits you best.

I would just map printers to PCs through an INI file. Lots already on that subject complete with ready UDFs.

OK, I just realized this is going to be a bit more complicated. Here's what I need to do:
1. (FIRST for-loop): Query ALL of the GLOBAL groups that start with glbl_grp_* (Please note * is a wildcard) from @USERID when they login and dump the results into an array called $USR_GLOBAL_GRPS[$i].
2. (INSIDE FIRST for-loop (SECOND for-loop)): Query all of the corresponding DOMAIN LOCAL groups that contain dmlcl_grp_*_printers from $USR_GLOBAL_GRPS[$i] (Please note * is a wildcard) and dump the results into an array called $USR_PRINTER_PERMS[$j].
3. (INSIDE FIRST for-loop (THIRD for-loop)): Query ALL of the installed printers on the print server and determine what their NAMES are and what DOMAIN LOCAL groups contain dmlcl_grp_*_printers. Dump those results into two arrays; an array called $CURRENT_PRINTER[$k] and an array called $PRINTER_PERMS[$l].
3. (inside FIRST for-loop (FOURTH for-loop)) Once our two arrays ($USR_PRINTER_PERMS[$j] and $PRINTER_PERMS[$l]) have been populated, start traversing and comparing both arrays.
4. (INSIDE FOURTH for-loop (If-statement)): If any one of the printer's DOMAIN LOCAL groups inside the $USR_PRINTER_PERMS[$j] array match any one of the DOMAIN LOCAL groups inside the $PRINTER_PERMS[$l] array, use the addprinterconnection($CURRENT_PRINTER[$k]) function to add the printer to the @USERID logging in.
Please note that I am attempting to eliminate hard-coding username's groups and printers (With the exception of the naming convention dmlcl_grp_*_printers and glbl_grp_* used to populate the arrays). Also could someone please shoot me some sort of code to start with, because I'm having a hell of a time with this.
Thanks in advance!
Hoopes

I think you have over-complicated this unnecessarily. I don't see why you need all those loops and all those arrays. You should be able to do it with one loop/one array. Show us your group naming standard so we can determine the AScan() bit. Include a sample dump of GetGroups().

getgroups returns:
DOMAIN\user is a member of three groups.
Domain Users
glbl_grp_corp_acctpay
dmlcl_grp_defprn_prn0025
The problem is that the printers use DOMAIN LOCAL groups to determine their permissions such as "dmlcl_grp_corp_acctpay_bw_printers" or "dmlcl_grp_corp_acct_clr_printers." These groups are "Member Of" glbl_grp_corp_acctpay. If we just take the DOMAIN LOCAL groups out, we have to assign the DOMAIN LOCAL groups to each user. That would suck and just isn't possible. Any suggestions?

UGH! The UGLY principle. Fine for ACL'ing local resources but sucks for this task. Back to the drawing board. If you look in the reg key HKEY_CURRENT_USER\Software\KiXtart\TokenCache for that user, what local printer groups if any show?

Yeah it is pretty ugly (Microsoft's best practices crap). Here's the local printer groups for that user:
DOMAIN\dmlcl_grp_corp_MIS_bw_printers
DOMAIN\dmlcl_grp_corp_MIS_clr_printers
DOMAIN\dmlcl_grp_corp_ACCOUNTING_EVERYONE_printers
Thanks again Les!
Hoopes

Are you able to mine those out of the KiX TokenCache?

are these shown in the registry key les pointed above?

I'm not sure if I could mine out the Kix TokenCache because I'm not sure if kixtart is capable of doing it. But if kixtart can, that would be fine for the user side. How would we compare it to the permissions of each printer on the print server?
P.S. In reply to Lonkero, "are these shown in the registry key les pointed above?", Is what shown in the registry key les pointed out?

those darn groups you just showed. les previously asked you to list the DLG's you see in the kixtart key. please do so.

Quote: Why would you have to compare? Can one not safely assume that if they are in the DLG, then the DLG is ACL'd in to the printer? Is that not the whole point of this, to avoid parsing all the ACEs or all the printers?

for step by step, a user that is member of one or more of these groups, do the following:
1) start regedit
2) browse to HKEY_CURRENT_USER\Software\KiXtart\TokenCache
3) write down the domain local group names you see in there
4) post the names here
5) drink a cup of coffee
btw, if you do not see any of these, run kixtart once with the /f switch or delete the tokenCache key with regedit and run kixtart once. then, check the key again.

Better still, instead of writing it down...
1. right-click the key and export it.
2. Feel free to edit the exported text and change a part of the SID and the domain name for reasons of security.
3. Post the exported text here inside code tags.
4. Coffee, tea, beer, matters not.

Hint: If you flush with /f, you will need to invoke InGroup() at least once to repopulate it.

So if I'm reading you right, I should just do an addprinterconnection($PRINTER) on every installed printer on the print server and if it doesn't work then the user didn't have access. Is that right, and if so, how would kix obtain a list of all my printers?
;--I know this code is completely incorrect but hopefully it gets
;--the point across
for each $PRINTER in $MYPRINTERLIST
    if addprinterconnection($PRINTER) = 0
        ? "$PRINTER added successfully."
    else
        ? "$PRINTER not added. Error code = @ERROR"
    endif
next
Also how would I read the DLG into a list from the Kix TokenCache?

huh? there are already 5 posts above showing you how to do it. some of them are hand in hand walkthroughs...

Quote: You read me wrong. Let me ask a few questions.
1. Is permission to the printer assigned to specific DLGs?
2. Is the user that prints to said printer showing said DLG in TokenCache?
3. If the answer to both of those is YES, then how can the printer mapping fail?
If the answer is YES, then all we need to do is to mine the printer groups from TokenCache to know what printers to map.

Quote: Once you have demonstrated that they are in fact there, we will show you how. Please stop skipping ahead and try to work with us.

1. Most printers are assigned multiple DLGs, so one printer may have three different DLGs based upon type, department, etc. There's not just one DLG per printer.
2. Yeah, the printer DLG's that the user needs are showing in TokenCache.
3. How can the printer mapping occur if the script doesn't know which printers to map? The DLGs aren't named after the printer, so even if you dig the DLGs from TokenCache how does that tell me what printers are associated with the DLGs?
You'll have to excuse me ladies and gents, I'm a UNIX/Linux guy so all this crap is pretty new to me.
Thanks in advance.
Hoopes

I already sent this to you guys but I'll send it again. This is my DLGs for TokenCache:
DOMAIN\dmlcl_grp_corp_MIS_bw_printers
DOMAIN\dmlcl_grp_corp_MIS_clr_printers
DOMAIN\dmlcl_grp_corp_ACCOUNTING_EVERYONE_printers

OK, given those three groups, what printers are ACL'd to each and are you prepared to maintain an INI file mapping the relationship of group to printer? If you are not prepared to manage an INI file then things get way more complicated in your script as every user would have to trawl through every printer's ACEs. How many printers/groups/users are we talking about? You could write an admin script that builds/maintains the INI file so that the users would not have to do so much heavy lifting.

I have 11 printers ACL'd to those three groups. I would prefer not to maintain an .ini file to map the relationship of group to printer if anyway possible. That's the only downfall to this whole thing; we would have to traverse through every printer but the upside is we don't have to maintain additional lists, .ini's, or edit scripts. We have about 50 printers, 35 printer DLGs, and 250 users.
Hope that helps.
Hoopes

Sounds like you are tying your own hands with self-imposed constraints. In that case you may as well just parse through all the printer shares and map the ones that can be mapped.

What would be the most efficient way to parse through all the printer shares?

Quote: An ini file perhaps stored in NETLOGON. Much easier though is to forget about your DLG and ACL the DGG like most Admins do. Cut and dried, over and done with in a few minutes.

doc, not really most efficient... looping the share is doable without any files. a simple example... winnt provider. it can list shares, right? not sure does it list print shares though. don't have a single printer share to test on
Code:

oh, just remembered this udf: http://www.kixtart.org/ubbthreads/showflat.php?Cat=0&Number=83465 it's wmi but I know it works without testing it

If they are published to AD, then ADO can pull them otherwise WMI can get them directly from the printserver. Perms could get in the way for WMI.

Les, How does ADO pull them?

A quick search on MSFT turned up this:
VBS Code:
Const ADS_SCOPE_SUBTREE = 2

Quote: Not sure what you're talking about there Jooel. I can pretty much guarantee you that the hundreds of thousands of Admins around the World sure the heck are not running around going through all these hoops/loops/special coding/special ACL junk. Using Global groups for this task is the EASIEST method period. Can it be done other ways, sure as we see here in this crazy thread, but find me one question on any test for Microsoft Networking that would even attempt to explain that you would do special coding to map a printer for the user. I'm not a big fan of mapping a printer for a user automatically anyways. It's not rocket science. Teach the user or have the help desk do it, it's not something that has to be done daily or even weekly.

I don't map any printer to any user in any script. Users map their own printers. Browse to the printserver and doubleclick on the share. How hard can it be?

Ditto, but if / when someone does script it, they don't do it the odd methods suggested above either. In fact this is the only thread that comes to mind where this has been such an issue. Normally the only real difficulty for some is when the PRINTER NAME and SHARE NAME do not match. Once they figure that out they're up and running and happy.

You must have selective amnesia. There are many posts where printers are mapped, some using INI files and there are a few UDFs posted to facilitate it. This however, is the first request I've seen where all available printers are to be mapped by ACLs.

Quote: Quote: wtf? I never said one should go with any junk. nor I never ever said global groups couldn't be used. what I said was that your efficiency comment on the ini-file usage was wrong.

I'm sorry Jooel I mis-read your comment. Yes if one wants to grab that data then there are a few ways, but still think this whole idea of how to map the printers is half baked. Do it the normal way and be done with it.