Instructions for Setting Up Authenticated Printer Management
Objective:
Restrict printing to network color printers using an administrative username and password without giving full administrative access to non-admin users.
Problems:
Setting up a network user in Workgroup Manager with server admin privileges does not work: that name and password are not accepted by managed printers. Printing works with a local admin name and password, but that gives users too much access to workstation settings.
Possible solution:
Create a local "printadmin" user and "printadmin" group. Edit the authorization file in the local /etc folder to add a printadmin group rule. These instructions are designed to use Apple Remote Desktop to modify an entire lab or school using "niutil" via UNIX commands.
Instructions:
1) Use niutil via Apple Remote Desktop to create the printadmin user and group with the following commands:
Creates group printadmin with users root, admin and printadmin as members (niutil takes each member as a separate value).
niutil -create / /groups/printadmin
niutil -createprop / /groups/printadmin realname "Print Admin"
niutil -createprop / /groups/printadmin gid 700
niutil -createprop / /groups/printadmin users root admin printadmin
Creates new user printadmin.
niutil -create / /users/printadmin
niutil -createprop / /users/printadmin uid 700
niutil -createprop / /users/printadmin realname "Print Admin"
niutil -createprop / /users/printadmin home "/Users/printadmin"
niutil -createprop / /users/printadmin shell "/dev/null"
niutil -createprop / /users/printadmin gid 700
niutil -createprop / /users/printadmin passwd "*"
Creates password for printadmin user.
dscl . -passwd /Users/printadmin "password"
2) Modify /etc/authorization by changing:
<key>system.printingmanager</key>
<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>The following right is checked for printing to locked printers.</string>
<key>rule</key>
<string>authenticate-admin</string>
</dict>
to:
<key>system.printingmanager</key>
<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>The following right is checked for printing to locked printers.</string>
<key>rule</key>
<string>authenticate-printadmin</string>
</dict>
3) Modify /etc/authorization by adding this rule:
<key>authenticate-printadmin</key>
<dict>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>require the user asking for authorization to authenticate as a member of the printadmin group</string>
<key>group</key>
<string>printadmin</string>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>0</integer>
</dict>
4) Copy the modified authorization file to the workstations using ARD.
5) When users choose to print, they are asked for the name and password of a user in the printadmin group (printadmin). This is a user/password that will ONLY authorise printing (non-admin user) and nothing else.
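Added example (not part of the original instructions or the downloadable file): a Python check, run on an admin machine against a copy of a workstation's authorization file, that confirms steps 2 and 3 both landed before the file is pushed to a whole lab. The top-level "rights"/"rules" layout and the function name audit_printing_right are assumptions; the sample data is constructed.

```python
import plistlib

# Constructed sample holding only the entries this page changes. The top-level
# "rights"/"rules" layout is an assumption; the page shows only the entries.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>rights</key>
  <dict>
    <key>system.printingmanager</key>
    <dict>
      <key>class</key><string>rule</string>
      <key>rule</key><string>authenticate-printadmin</string>
    </dict>
  </dict>
  <key>rules</key>
  <dict>
    <key>authenticate-printadmin</key>
    <dict>
      <key>class</key><string>user</string>
      <key>group</key><string>printadmin</string>
      <key>shared</key><true/>
      <key>timeout</key><integer>0</integer>
    </dict>
  </dict>
</dict></plist>"""

def audit_printing_right(plist_bytes, group="printadmin"):
    """Return a list of problems; an empty list means steps 2 and 3 both landed."""
    db = plistlib.loads(plist_bytes)
    rights, rules = db.get("rights", {}), db.get("rules", {})
    right = rights.get("system.printingmanager")
    if right is None:
        return ["right system.printingmanager is missing"]
    problems = []
    name = right.get("rule")
    if right.get("class") != "rule" or name != "authenticate-printadmin":
        problems.append(f"system.printingmanager uses {name!r}, not authenticate-printadmin")
    rule = rules.get("authenticate-printadmin")
    if rule is None:
        problems.append("rule authenticate-printadmin is not defined (step 3 missing)")
    else:
        if rule.get("class") != "user" or rule.get("group") != group:
            problems.append(f"rule authenticates group {rule.get('group')!r}, expected {group!r}")
        if rule.get("timeout") != 0:
            problems.append("timeout is not 0 as set in step 3")
    return problems

if __name__ == "__main__":
    print(audit_printing_right(SAMPLE) or "OK")
```

A right that names a rule which is not defined, or a rule bound to the wrong group, is reported before the file reaches any workstation.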
Download modified authorization file and instructions in a text file authenticatedprinting.zip 8kb.
theprimaxgroup
650 Northland Blvd. Forest Park, Ohio 45240
P.513.772.1223 F.513.772.0261 Toll-Free.888.856.7377
e-mail:MoreHelp@AppleHelp.org