Sunday, August 7, 2016

[Quick Tip] Using Centrify GPOs to allow OSX users to control print queues


OS X users without administrative rights get challenged each time they need to stop/resume print queues.  Organizations looking to implement the least privilege management security model may need to provide ways for users to be "print operators" on a Mac, without granting full administrative rights.  The "Printers and Scanners" system preference does not provide granular entitlements.
This issue may cause many calls to the helpdesk
This post covers a way to overcome this issue using AD security groups and the "Map zone groups to local groups" Centrify GPO.

The idea is that you map an AD security group to the _lpadmin and _lpoperator local groups of the system.

What you'll need:
  1. An AD Security Group and the ability to control memberships.
  2. The ability to modify GPOs that apply to your Macs using the Centrify templates and GPMC/GP Editor.

Create and populate an AD group
  1. Use ADUC, PowerShell, request system or any tool of record to request an AD group.  Give it a descriptive name like "mac-print-admins"
  2. Populate the group with the AD users that will be allowed to manipulate queues.
Edit the "Map zone groups to local group" GPO
  1. Open GPMC and browse to the GPO that applies to your Mac.  Right click and select edit.
  2. In GP Editor, browse to Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Accounts and double-click the Map zone groups to local group GPO.
  3. Press add and and in local group type _lpadmin, then browse for the AD group created in the previous step.  (e.g. mac-print-admins).
  4. Repeat same process on step 3 with the local group _lpoperator.  At the end, the GPO looks like this:
  5. Press OK and close GP Editor and GPMC.

Refresh the GPOs on the Mac and verify your results
  1. Log on to the Mac as a non-admin user that is a member of the AD group created in the first section.
  2. Open a Terminal.
  3. First, refresh the group policies by running the adgpupdate command.  (adgpupdate -T computer)
  4. Now verify that the GPO is effective by running adgpresult  (adgpresult | grep _lp)
Your user should not be challenged moving forward to pause/resume print queues, plus the user does not have admin rights, therefore you're aligned with the least access principle.

Quick verification video

No comments:

Post a Comment