This article answers the questions, ‘who has access to that printer and what permissions do they have?’

We recently had a large multinational company go through a security audit in which a list of every user or group that appears in the permissions of each printer was required. After struggling for several hours with problems related to translating SIDs and the text name for each ACE, we finally came up with this script:

The last line of the script outputs a file called PrinterUsers.csv to the directory the script is run from. If you want to change that, go ahead.

Other than that, the only thing we couldn’t get to work was translating the ACE access mask (for example, 983052) into a name such as “ManagePrinters”, so we did that manually after the fact in Excel.

(Screenshot: PowerShell script listing who can print and manage printers)

It is also worth noting that this script takes special care to list the SID of users that it cannot translate to a username. That should only happen when the user or group no longer exists in Active Directory. To help you with this, it is useful to know that SIDs that begin with S-1-5-21 were users and SIDs that begin with S-1-5-32 were groups.


# Requires the PrintManagement module (Get-Printer), available on Windows 8 / Server 2012 and later
# Retrieve all printers on the system
$printers = Get-Printer | Where-Object { $_.Type -eq "Local" }

# Create an empty array to store the results
$results = @()

# Loop through each printer
foreach ($printer in $printers) {
    # Get the security descriptor for the printer (-Full is needed to populate PermissionSDDL)
    $securityDescriptor = Get-Printer -Name $printer.Name -Full | Select-Object -ExpandProperty PermissionSDDL

    # Parse the SDDL string and take its discretionary ACL (the list of allow/deny entries)
    $acl = (New-Object System.Security.AccessControl.CommonSecurityDescriptor($false, $false, $securityDescriptor)).DiscretionaryAcl

    # Loop through each Access Control Entry (ACE) in the ACL
    foreach ($ace in $acl) {
        try {
            # Translate the SID to a DOMAIN\name or BUILTIN\name; this throws
            # IdentityNotMappedException when the account no longer exists
            $identity = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount])

            # Keep the numeric printer access mask: these are printer rights, not file-system
            # rights, so casting to FileSystemRights produces misleading names (see the table below)
            $permissions = $ace.AccessMask

            # Create a custom object with printer name, identity, and permissions
            # ([PSCustomObject] keeps the property order, so the CSV columns come out in this order)
            $obj = [PSCustomObject]@{
                PrinterName     = $printer.Name
                UserOrGroupName = $identity.Value
                Permissions     = $permissions
                AceType         = $ace.AceType
            }
            # Add the custom object to the results array
            $results += $obj
        } catch {
            # Translation failed: record the raw SID so orphaned accounts still show up in the audit
            Write-Warning "Unable to translate identity reference for printer $($printer.Name): $($ace.SecurityIdentifier.Value)"
            $obj = [PSCustomObject]@{
                PrinterName     = $printer.Name
                UserOrGroupName = $ace.SecurityIdentifier.Value
                Permissions     = $ace.AccessMask
                AceType         = $ace.AceType
            }
            $results += $obj
        }
    }
}

# Export the results to a CSV file in the current directory
$results | Export-Csv -Path "PrinterUsers.csv" -NoTypeInformation

Printer ACE Permission Code Translation

We had a heck of a time getting the script to translate its ACE permission codes into text telling us what they actually mean. In the end we found this list, which you might find helpful.

983052 = ManagePrinters
983088 = ManageDocuments
131080 = Print
524288 = TakeOwnership
131072 = ReadPermissions
262144 = ChangePermissions
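As an added example (not part of the original post), here is a PowerShell function that turns the numeric access mask into the names from the table above, and decomposes any other mask into its individual Win32 standard rights (from winnt.h) and printer/job rights (from winspool.h) instead of casting to FileSystemRights. The function name and the sample masks at the end are my own.

```powershell
# Added example, not part of the original post: name a printer ACE access mask.
function ConvertTo-PrinterRightsName {
    param([Parameter(Mandatory)][int]$AccessMask)

    # The six combinations Windows writes into printer DACLs (the table above).
    $known = @{
        983052 = 'ManagePrinters'     # 0xF000C
        983088 = 'ManageDocuments'    # 0xF0030
        131080 = 'Print'              # 0x20008
        524288 = 'TakeOwnership'      # 0x80000
        131072 = 'ReadPermissions'    # 0x20000
        262144 = 'ChangePermissions'  # 0x40000
    }
    if ($known.ContainsKey($AccessMask)) { return $known[$AccessMask] }

    # Any other mask: decompose into the Win32 standard rights (winnt.h) and the
    # printer/job-specific rights (winspool.h) so nothing is silently dropped.
    $bits = @{
        0x000004 = 'PRINTER_ACCESS_ADMINISTER'
        0x000008 = 'PRINTER_ACCESS_USE'
        0x000010 = 'JOB_ACCESS_ADMINISTER'
        0x000020 = 'JOB_ACCESS_READ'
        0x010000 = 'DELETE'
        0x020000 = 'READ_CONTROL'
        0x040000 = 'WRITE_DAC'
        0x080000 = 'WRITE_OWNER'
        0x100000 = 'SYNCHRONIZE'
    }
    $names    = New-Object System.Collections.Generic.List[string]
    $leftover = $AccessMask
    foreach ($entry in ($bits.GetEnumerator() | Sort-Object Key)) {
        if (($AccessMask -band $entry.Key) -ne 0) {
            $names.Add($entry.Value)
            $leftover = $leftover -band (-bnot $entry.Key)
        }
    }
    # Bits not covered by the table are reported in hex rather than ignored.
    if ($leftover -ne 0) { $names.Add(('Unknown(0x{0:X})' -f $leftover)) }
    return ($names -join ', ')
}

# Constructed sample masks: an exact match, a combined mask, and one with a stray bit.
ConvertTo-PrinterRightsName -AccessMask 983052
ConvertTo-PrinterRightsName -AccessMask 0x20018
ConvertTo-PrinterRightsName -AccessMask 0x20009
```

In the script above, setting `Permissions = ConvertTo-PrinterRightsName -AccessMask $ace.AccessMask` in both branches replaces the manual Excel step.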

