Allow Non-Admin users to Manage Printers

Apple added a "feature" to Leopard which restricts non-administrator users from managing printers on their Macs. While this is desired behavior on a public machine such as one in a classroom, it is a problem for single-user machines such as faculty, staff and 1:1 deployments.

By default in Leopard, a non-admin user cannot add or remove printers. They are also not able to hold or resume a print job. This is a problem if you want users to be able to add printers themselves, especially if they’re bringing their laptops home.

Some tips out there will suggest you modify /etc/authorization; however, there is no printing-specific key in it, so you would have to grant access to all secure preference panes, which is probably not what you want to do.

The better way is to modify the /etc/cups/cupsd.conf file. Open this file in your favorite text editor (such as vi, pico or TextWrangler) and look for this section:

  # All administration operations require an administrator to authenticate...
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>

Replace the “Require user” line with this one:

Require user @AUTHKEY(system.print.admin) @admin @lpadmin

All users are members of the lpadmin group on Leopard. This will allow all users to add or remove a printer or printer class. I’ve tried only adding @lpadmin to the end of that line but it didn’t work for me. Alternatively, I believe you can just remove the specific operations such as the "CUPS-Add-Modify-Printer" operation. Using this method will allow you to fine-tune the exact operations you want to allow or deny.

You may also want to allow your users to hold or resume print jobs. Look for this section:

  # All printer operations require a printer operator to authenticate...
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    Require user @AUTHKEY(system.print.admin) @admin @lpadmin
    Order deny,allow
  </Limit>

You would think that @OWNER would allow the owner of the print job to hold or resume that job, but not so. For this section, you can simply add @lpadmin to the end of the “Require user” line.

For more information on this file, or a description of all the operations, see the cupsd.conf documentation.

You can push this modified file out with ARD, or do what I did: create a package installer with a postflight script which contains the following:

#!/bin/sh
/usr/bin/killall -HUP cupsd

This will ensure the changes are immediately in effect. Then you can push the package through ARD, LANDesk or whatever your preferred deployment tool is. I also add the package to our Deploy Studio workflows that are intended for faculty and staff machines.
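An alternative to shipping a whole replacement file, as an added example that is not part of the original post: a postflight-style script that rewrites only the "Require user" line inside the administration `<Limit>` block, keeps a backup, and reloads cupsd only if the patch succeeded. The function names and the `--apply` switch are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original post. Function names and the --apply
# switch are hypothetical.
NEW_REQUIRE='Require user @AUTHKEY(system.print.admin) @admin @lpadmin'

# Print the config with "Require user" rewritten only inside the <Limit>
# block that lists CUPS-Add-Modify-Printer. Exits non-zero if no such line
# was found, so an unexpected file layout is never installed.
rewrite_admin_limit() {
    awk -v new="$NEW_REQUIRE" '
        /^[ \t]*<Limit[ \t]/ { in_admin = ($0 ~ /CUPS-Add-Modify-Printer/) }
        /^[ \t]*<\/Limit>/   { in_admin = 0 }
        in_admin && /^[ \t]*Require[ \t]+user[ \t]/ {
            indent = $0
            sub(/[^ \t].*$/, "", indent)   # keep the original indentation
            print indent new
            changed = 1
            next
        }
        { print }
        END { exit !changed }
    ' "$1"
}

# Patch a cupsd.conf in place: keep a .orig copy, do nothing if the file is
# already patched, and leave it untouched if the admin block is missing.
patch_cupsd_conf() {
    conf=$1
    tmp="$conf.new.$$"
    if ! rewrite_admin_limit "$conf" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    if cmp -s "$conf" "$tmp"; then
        rm -f "$tmp"
        return 0
    fi
    # cat into the existing file so its owner and mode are preserved.
    cp -p "$conf" "$conf.orig" && cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Reload cupsd only after a successful patch.
if [ "${1:-}" = "--apply" ]; then
    patch_cupsd_conf /etc/cups/cupsd.conf && /usr/bin/killall -HUP cupsd
fi
```

Because only the administration block is touched, the printer-operator block and any site-specific settings elsewhere in the file stay exactly as they were.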

Hopefully doing this will limit the number of requests you get for such a trivial task as adding a printer or resuming a print job after a paper jam.
