Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!

10.5 Allow non-admin users to add and remove printers System 10.5
pMy techs and I were searching for a way to allow non-admin users to add and remove printers under 10.5. Unfortunately, we could only find a few hints that involved modifying /etc/cups/cupsd.conf -- which did not really meet our needs (those hints did not allow a standard way for a non-admin user to remove printers). So, here's our solution...

Please note that we have only tested this a few times, but it seems to work. What we're doing is editing /etc/authorization. More specifically, we're changing the system.preferences dictionary item within the authorization file so that the group string is set to everyone, rather than admin. One way to do this through the GUI is to copy /etc/authorization to your desktop, add .plist to the end of the filename, edit the file with Property List Editor, save, and remove the .plist extension. Then replace the original authorization file in /etc with your edited copy -- please make a backup of the original before replacing! Be sure to check permissions of the new file after copying it. This seems to open up the ability to add/remove printers to anyone -- beware, though, that it also opens up a few, select, other System Preferences, but nothing that cannot be managed through Workgroup Manager.

After some more testing, we plan to blast out our modified /etc/authorization file with FileWave -- unless we get flamed on here for some obvious mistake :-). As for a CLI method, here's what seems to work (and potentially could be pushed out via Apple Remote Desktop):
$ cp -pr /etc/authorization /etc/authorization-original
$ cp -pr /etc/authorization /tmp/authorization.plist
$ defaults write /tmp/authorization rights -dict-add system.preferences "<dict><key>allow-root</key><true/><key>class</key><string>user</string><key>comment</key><string>MODIFIED BY SYSTEMS ADMINISTRATOR TO ALLOW ANYONE TO ADD PRINTERS. Note: This does open up other system preferences. - Checked by the Admin framework when making changes to certain System Preferences.</string><key>group</key><string>everyone</string><key>shared</key><true/></dict>"
$ mv /tmp/authorization.plist /etc/authorization
Hope this helps someone else out too!

[robg adds: I haven't tested this one.]
    •    
  • Currently 2.56 / 5
  You rated: 3 / 5 (9 votes cast)
 
[25,977 views]  

10.5 Allow non-admin users to add and remove printers | 10 comments | Create New Account
Click here to return to the '10.5 Allow non-admin users to add and remove printers' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
10.5 Allow non-admin users to add and remove printers
Authored by: mbenchoff on Oct 08, '08 07:42:48AM

I don't understand why you don't enable Parental Controls on these non-admin accounts and check the "Can administer printers" box? Seems much simpler than your solution, and pretty much guaranteed not to change with future system updates.



[ Reply to This | # ]
10.5 Allow non-admin users to add and remove printers
Authored by: macsadmn on Oct 08, '08 09:26:20AM

We're dealing with large numbers of computers here and a large number of users - users that have network-based home directories and those that have portable home directories. It would be a management nightmare to go through and set the parental controls for every portable account that gets created... and I don't think that can even be done for the network-based home directory accounts.



[ Reply to This | # ]
10.5 Allow non-admin users to add and remove printers
Authored by: lugal on Oct 08, '08 07:54:18AM
If you just need to let users add printers, try this instead: http://mattson.edgemereroadrunners.com/?p=291

[ Reply to This | # ]
10.5 Allow non-admin users to add and remove printers
Authored by: dhoit on Oct 08, '08 09:32:31AM

This is a bad idea. You are allowing access to a lot of things that should be restricted in your quest to open printing to standard users. (Also, the security command line tool should be used to make changes to /etc/authorization in 10.5+.)
The better solution here is to edit the cupsd.conf file in /etc/cups/. With a simple one line change, you can grant access to standard users. The modified cupsd.conf file can be pushed to all your machines, and you don't risk hosing things by mucking around with the authorization database.
Under the section commented "#All administration operations require an administrator to authenticate", you will find a line that looks like "Require user @SYSTEM" . Replace it with the line "Require user @AUTHKEY(system.print.admin) @admin @lpadmin"
All users are part of lpadmin by default, so all users now have access to add printers.
The only catch to this is, limited users can't add printers from the System Preferences control panel. The unlock key there is not for the cups printing authorization we just changed, but for the panel, and uses an /etc/authorization general rule for system preferences. When the user clicks print in an application though, they can choose "add printer" and get the standard add printer form. Everything works as expected from there.
Related: man cupsd.conf, man security


---
--DH



[ Reply to This | # ]
10.5 Allow non-admin users to add and remove printers
Authored by: macsadmn on Oct 08, '08 09:48:23AM

Thanks for the feedback. We were not aware that there is a security command line tool to modify /etc/authorization; we'll definitely have to look into that. As for allowing access to a lot of other things... that's why I mentioned using Workgroup Manager to lock those "other" system preferences down. As previously stated, we are aware of the hints that involved modifying /etc/cups/cupsd.conf, but..."those hints did not allow a standard way for a non-admin user to [add and] remove printers" (i.e. through the system preference).

If only Apple would allow a user or group defined option of adding and removing printers in 10.5 manageable through Workgroup Manager :-)

Thanks again for the feedback.



[ Reply to This | # ]
10.5 Allow non-admin users to add and remove printers
Authored by: dhoit on Oct 08, '08 11:01:51AM

Well, I can't force you to leave it alone, but I would highly suggest you avoid making that specific change to authorization.
Its a pain that Apple has left so much of System Preferences at the default admin ruleset, but until they fix it, changing that one setting opens the door to a lot of other things.
If you are really worried about the user being able to add printers in "A standardized way" and doing it from the print dialog is not good enough, you can always make an alias to /System/Library/CoreServices/AddPrinter and place it on their dock. They get an easy way to make em, but not delete them. (although a link to localhost:631/printers provides an easy enough delete...)

Good luck.


---
--DH



[ Reply to This | # ]
10.5 Allow non-admin users to add and remove printers
Authored by: tmoldovan on Oct 10, '08 09:41:40AM

Thank you!



[ Reply to This | # ]
10.5 Allow non-admin users to add and remove printers
Authored by: larsskovgaard on Oct 08, '08 01:00:55PM

A fairly simple way of adding a printer when you're a non-admin is to open up an app that uses the built-in print-dialogue, like e.g. TextEdit.app, then press Command-P to open the print-dialogue. In the printer-selection popup, there is an option to install a printer. This works well even for non-admins.



[ Reply to This | # ]
10.5 Allow non-admin users to add and remove printers
Authored by: ssevenup on Oct 08, '08 03:06:40PM

Reading all this it seems to me the way to do this is to push a replacement cupsd.conf out via ARD. I agree changing /etc/authorization to get this one change is a mistake.

---
Mark Moorcroft
ELORET Corp. - NASA/Ames RC
Sys. Admin.



[ Reply to This | # ]
10.5 Allow non-admin users to add and remove printers
Authored by: geek-e on Oct 09, '08 09:50:30AM
We're in the same boat. No users in our environment are admins and that's saved us quite a few times. However not being able to delete a printer is overdoing it a bit. We're evaluating the option of pointing users to http://127.0.0.1:631
Turns out a non-admin user can delete printers from there...

[ Reply to This | # ]