Well... this answer is about 6 months too late, but I thought I’d respond anyway in case someone else is looking for the answer in these archives.
 
I had the EXACT same problem detailed below... I couldn’t figure out how to give a user or group the Manage Documents permission on a printer. After playing with it for HOURS... I was checking these archives and saw your question, but no answers for it. BECAUSE you mentioned the two entries in the ACL, an idea came to me.
 
The trick lies in the ACE Flags. When you don’t specify an ACE Flag in the Add command, the default is CONTAINER_INHERIT_ACE. Giving a printer FULL permission with CONTAINER_INHERIT_ACE gives you the Manage Printers and Print permissions, but not the Manage Documents permission.
 
Like you noticed, users set manually with Manage Printers AND Manage Documents had TWO entries in the ACL... And if you look at the Windows 2000\XP Permissions window (Advanced button), you’ll see that Manage Printers/Print applies to “This Printer only” while Manage Documents applies to “Documents only”. 
 
I started wondering if Documents were considered objects inside a Printer container... so I ran a script to Decode the Mask and Flag on the existing settings.
 
That’s where I saw that the Manage Documents permission had an ACE Flag of INHERIT_ONLY_ACE | OBJECT_INHERIT_ACE. So I tried giving the user FULL permission using THAT ACE Flag... and it works.
 
So, in Windows 2000/XP.... here is the code to give a user or group permissions....
 
Print:
  $PermsPrinter->Allow("<username>",PRINTER_WRITE);
Manage Printers (and Print):
  $PermsPrinter->Allow("<username>",FULL);
Manage Documents:
  $PermsPrinter->Allow("<username>",FULL,INHERIT_ONLY_ACE | OBJECT_INHERIT_ACE);
 
Or you can use Add instead of Allow, but then you have to modify the Manage Documents line to include the Type (No need to modify the first two (beyond changing Allow to Add) because you’re using the default Type and Flag):
  $PermsPrinter->Add("<username>",FULL,ALLOW,INHERIT_ONLY_ACE | OBJECT_INHERIT_ACE);
 
 
So I answered the question (which I’m pretty proud of – this is my first post on this mailing list), but I couldn’t have done it without reading YOUR observations... That’s what got me thinking in the right direction... Thanks!!
 
Now hopefully this helps the next person to come along....
  
 


 
 
Everyone,
 
I have 275 print queues that I need to manipulate.  I need to give a user 
full control over the queue. Wanting to script this in some way, I've come up with this:
 
use Win32::Perms;
$Dir = new Win32::Perms( 'printer://hera/testperm' ) || die;
$Dir->Add('helpdesk',FULL);
$Dir->Set();
 
This gets me half way there, when I check the permissions on the printer, 
the user, helpdesk, now has print and manage printers, but not the manage 
documents permission.
 
Does anyone know what I may need to do to get that permission as well?
 
Here's something I've observed:
 
Users which do have manage documents have 2 entries in the ACL, while the 
code I ran gives helpdesk only 1 entry:
 
Descretionary ACL:
Index Account                                  Mask       Type       Flag
----- ---------------------------------------- ---------- ---------- ----------
    0 BUILTIN\Administrators                   0x000f000c Allow      0x00000000
    1 BUILTIN\Administrators                   0x000f0010 Allow      0x00000009
    2 CREATOR OWNER                            0x00020000 Allow      0x0000000a
    3 CREATOR OWNER                            0x000f0010 Allow      0x00000009
    4 Everyone                                 0x00020008 Allow      0x00000000
    5                                          0x000f000c Allow      0x00000000
    6                                          0x000f0010 Allow      0x00000009
    7                                          0x000f000c Allow      0x00000000
    8                                          0x000f0010 Allow      0x00000009
    9 GENESEO\helpdesk                         0x000f000c Allow      0x00000002
 
 
 
I guess I'm asking how to grant the mask 0x00f0010 to the documents, as 
well as the 0x00f00c to the printer, which I can grant with the mask "FULL."
 
Thanks, everyone!
 
-Rick
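
The decoding step mentioned in the reply, as an added example that is not part of either post: a plain-Perl sketch (it does not call Win32::Perms) that decodes the Mask and Flag columns for rows copied from the dump above and lists accounts with no documents-only ACE. The bit names are the standard winnt.h and winspool.h constants; the helper and variable names are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# ACE flag bits (winnt.h).
my @ACE_FLAGS = (
    [ 0x01, 'OBJECT_INHERIT_ACE' ],
    [ 0x02, 'CONTAINER_INHERIT_ACE' ],
    [ 0x04, 'NO_PROPAGATE_INHERIT_ACE' ],
    [ 0x08, 'INHERIT_ONLY_ACE' ],
    [ 0x10, 'INHERITED_ACE' ],
);

# Access mask bits: spooler-specific rights (winspool.h) and standard rights (winnt.h).
my @ACCESS_BITS = (
    [ 0x00000004, 'PRINTER_ACCESS_ADMINISTER' ],
    [ 0x00000008, 'PRINTER_ACCESS_USE' ],
    [ 0x00000010, 'JOB_ACCESS_ADMINISTER' ],
    [ 0x00010000, 'DELETE' ],
    [ 0x00020000, 'READ_CONTROL' ],
    [ 0x00040000, 'WRITE_DAC' ],
    [ 0x00080000, 'WRITE_OWNER' ],
);

# Return the names of all bits from $table that are set in $value.
sub decode_bits {
    my ($value, $table) = @_;
    my @names = map { $_->[1] } grep { $value & $_->[0] } @$table;
    return @names ? join(' | ', @names) : 'none';
}

# Rows copied from the dump in the question: account, mask, flag.
my @rows = (
    [ 'BUILTIN\Administrators', 0x000f000c, 0x00 ],
    [ 'BUILTIN\Administrators', 0x000f0010, 0x09 ],
    [ 'Everyone',               0x00020008, 0x00 ],
    [ 'GENESEO\helpdesk',       0x000f000c, 0x02 ],
);

my %has_job_ace;
for my $row (@rows) {
    my ($account, $mask, $flag) = @$row;
    printf "%s\n  mask 0x%08x: %s\n  flag 0x%02x: %s\n",
        $account, $mask, decode_bits($mask, \@ACCESS_BITS),
        $flag, decode_bits($flag, \@ACE_FLAGS);
    # Per the reply, the documents-only ACE carries INHERIT_ONLY_ACE | OBJECT_INHERIT_ACE (0x09).
    $has_job_ace{$account} ||= ($mask & 0x10) && ($flag & 0x09) == 0x09;
}
print "No documents-only (Manage Documents) ACE: $_\n"
    for grep { !$has_job_ace{$_} } sort keys %has_job_ace;
```

Run against these rows, it reports Everyone and GENESEO\helpdesk as lacking the documents-only entry, which matches the single helpdesk ACE with flag 0x02 (CONTAINER_INHERIT_ACE) seen in the dump.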

 

 

 
