OS X users without administrative rights get challenged each time they need to stop/resume print queues. Organizations looking to implement the least privilege management security model may need to provide ways for users to be "print operators" on a Mac, without granting full administrative rights. The "Printers and Scanners" system preference does not provide granular entitlements.
This issue may cause many calls to the helpdesk.
The idea is that you map an AD security group to the _lpadmin and _lpoperator local groups of the system.
What you'll need:
- An AD Security Group and the ability to control memberships.
- The ability to modify GPOs that apply to your Macs using the Centrify templates and GPMC/GP Editor.
Step-by-step
Create and populate an AD group
- Use ADUC, PowerShell, your request system or any tool of record to request an AD group. Give it a descriptive name like "mac-print-admins".
- Populate the group with the AD users that will be allowed to manipulate queues.
- Open GPMC and browse to the GPO that applies to your Mac. Right click and select edit.
- In GP Editor, browse to Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Accounts and double-click the Map zone groups to local group GPO.
- Press Add and, in Local group, type _lpadmin, then browse for the AD group created earlier (e.g. mac-print-admins).
- Repeat the previous step with the local group _lpoperator. At the end, the GPO looks like this:
- Press OK and close GP Editor and GPMC.
Refresh the GPOs on the Mac and verify your results
- Log on to the Mac as a non-admin user that is a member of the AD group created in the first section.
- Open a Terminal.
- First, refresh the group policies by running the adgpupdate command (adgpupdate -T computer).
- Then verify that the GPO is effective by running adgpresult and filtering for the two local groups (adgpresult | grep _lp).
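As an added example (not part of the original post or of Centrify's tooling), the script below checks from the Mac's Terminal that the logged-on user actually resolves as a member of _lpadmin and _lpoperator once the GPO has been applied. It uses the standard macOS dseditgroup command for the live check, because the GPO nests the AD group inside the local group rather than adding each user directly, and dseditgroup resolves that nesting. The parsing helper for dscl output and the sample "GroupMembership:" line are my own constructed additions; the group names and the adgpupdate/adgpresult commands come from the post.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that the current user
# has been mapped into the local print groups after the Centrify GPO refresh.
# Assumes a Centrify-joined Mac with dscl/dseditgroup available.

# Parse the output of `dscl . -read /Groups/<group> GroupMembership`
# (format: "GroupMembership: user1 user2 ...") and report whether the user
# named in $2 is listed as a direct member. Returns 0 if found, 1 otherwise.
# Direct membership only: the GPO normally nests the AD group, so a user
# can be a member without appearing here (see check_print_groups below).
member_in_dscl_output() {
    _out="$1"; _user="$2"
    for _m in $(printf '%s\n' "$_out" | sed -n 's/^GroupMembership: *//p'); do
        [ "$_m" = "$_user" ] && return 0
    done
    return 1
}

# Live check on the Mac: dseditgroup -o checkmember follows nested groups,
# which is what the "Map zone groups to local group" GPO relies on.
# Argument: user name to check (defaults to the current user).
check_print_groups() {
    _user="${1:-$(id -un)}"
    _rc=0
    for _g in _lpadmin _lpoperator; do
        if dseditgroup -o checkmember -m "$_user" "$_g" >/dev/null 2>&1; then
            echo "OK: $_user is a member of $_g"
        else
            echo "MISSING: $_user is not a member of $_g" \
                 "(re-run 'adgpupdate -T computer' and check 'adgpresult | grep _lp')"
            _rc=1
        fi
    done
    return $_rc
}

# Only attempt the live check where the macOS tooling exists.
if command -v dseditgroup >/dev/null 2>&1; then
    check_print_groups "$@"
else
    echo "dseditgroup not found: run this on the Centrify-joined Mac"
fi
```

Run it as the non-admin test user right after adgpupdate; a MISSING line for either group means the mapping has not taken effect yet (or the user is not in the AD group), and the adgpresult output will show whether the GPO reached the machine at all.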
Quick verification video