Set permissions per group on printers

The normal way to disable printers is to stop the spooler service. The disadvantage is that no user can print anymore, including the admins.

A permission per group is also useful when one division works an hour longer than another division. For this case you need “setacl” in /system32.

The following code sets the permission “print” for the group “Consulting” on the printer “print1” at the server “server” (you have to work with the share names of the printers). Domain name: corp.com

1. Create a batch file with the code:

setacl.exe -on "\\server\print1" -ot prn -actn ace -ace "n:corp.com\Consulting;p:print"

For other permissions and more details visit http://setacl.sourceforge.net/

2. Now you need a batch file which removes this permission:

setacl.exe -on "\\server\print1" -ot prn -actn trustee -trst "n1:corp.com\Consulting;ta:remtrst;w:dacl"

3. Create jobs in “Scheduled Tasks” for each batch file

LDAP Browser

Tip

The Microsoft standard “Active Directory Users and Computers” is a good tool to manage your AD. If you need to get deeper, for example to see the exact cn’s and dc’s, I prefer the LDAP Browser.

Import many users into AD

Functions

  • Import many users with one click
  • Create Home Directories per user automatically

Requirements

  • The files “add.vbs”, “user.txt”, “dir.cmd” in the Netlogon directory of your Domain Controller
  • “xcacls” in /system32
  • A directory named “Home$” on a server
  • A script which maps network drives (coming soon)
  • An OU “groups” where all groups are stored

Code

##Content of “add.vbs”##

Dim fso, f, row, field
Set fso = CreateObject("Scripting.FileSystemObject")
' 1 = ForReading, 0 = open as ASCII
Set f = fso.OpenTextFile("user.txt", 1, 0)

' Read user.txt line by line until the end of the file; blank lines are skipped
Do While Not f.AtEndOfStream
    row = f.ReadLine
    If Trim(row) <> "" Then
        field = Split(row, ",")
        User = field(0)
        Prename = field(1)
        Name = field(2)
        Password = field(3)
        Division1 = field(4)
        Division2 = field(5)
        Call createuser(User, Prename, Name, Password, Division1, Division2)
    End If
Loop
f.Close
MsgBox "Finished"
WScript.Quit(0)

Sub createuser(User, Prename, Name, Password, Division1, Division2)
    Dim ouo, b, objGroup

    ' The user object is created in OU=Division2 below OU=Division1
    Set ouo = GetObject("LDAP://OU=" & Division2 & ",OU=" & Division1 & ",OU=NameOfOU,DC=NameOfCorp,DC=InMostCasecom")
    Set b = ouo.Create("user", "CN=" & Prename & " " & Name)
    Dim WshShell, ret
    Set WshShell = WScript.CreateObject("WScript.Shell")
    b.Put "sAMAccountName", User
    b.Put "displayName", Prename & " " & Name
    b.Put "givenName", Prename
    b.Put "sn", Name
    ' 66082 = NORMAL_ACCOUNT (512) + ACCOUNTDISABLE (2) + PASSWD_NOTREQD (32) + DONT_EXPIRE_PASSWD (65536);
    ' the account is enabled further down, after the password has been set
    b.Put "userAccountControl", 66082
    b.Put "userPrincipalName", User & "@NameOfCorp.InMostCasecom"
    b.Put "homeDirectory", "\\server\Home$\" & User
    b.Put "homeDrive", "H:"
    b.Put "scriptPath", "Networkdrive.bat"     ' If you want to, else erase this line
    b.SetInfo
    b.SetPassword Password
    b.AccountDisabled = False
    b.SetInfo

    ' Add users to groups
    Const ADS_PROPERTY_APPEND = 3
    Set objGroup = GetObject("LDAP://cn=" & Division1 & ",ou=Groups,ou=NameOfOu,dc=NameOfCorp,dc=InMostCasecom")
    'wscript.echo "cn=" & User & ",ou=" & Division2 & ",ou=" & Division1 & ",ou=NameOfOu,dc=NameOfCorp,dc=InMostCasecom"
    objGroup.PutEx ADS_PROPERTY_APPEND, "member", Array("CN=" & Prename & " " & Name & ",ou=" & Division2 & ",ou=" & Division1 & ",ou=NameOfOU,dc=NameOfCorp,dc=InMostCasecom")
    objGroup.SetInfo

    ' Create the home directory and set its permissions (0 = hidden window, 1 = wait until finished)
    WScript.Sleep(1000)
    ret = WshShell.Run("dir.cmd " & User, 0, 1)
End Sub

##Content of “dir.cmd”##

md \\server\Home$\%1
xcacls \\server\Home$\%1 /C /E /Y /G Administratoren:F
xcacls \\server\Home$\%1 /C /E /Y /G %1:C
xcacls \\server\Home$\%1 /C /E /Y /G System:F

##Content of “user.txt” for user John Doe##

JDoe,John,Doe,PasswordAsYouWant,Division1AsYouWant,Division2AsYouWant
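
add.vbs concatenates the fields of user.txt straight into LDAP paths and into the dir.cmd command line, so a malformed row creates the wrong object or folder. The following pre-import check is an added example, not part of the original scripts; the function name Test-UserImportRow, its allowed-character rules and the sample rows are assumptions of this example.

```powershell
# Added example (Test-UserImportRow and its rules are assumptions): check user.txt rows before add.vbs runs.
function Test-UserImportRow {
    param([string]$Row)
    $fields = $Row.Split(',')
    if ($fields.Count -ne 6) {
        # add.vbs reads field(0)..field(5); a comma inside a value shifts every field
        return ,@("expected 6 fields, found $($fields.Count)")
    }
    $user, $prename, $name, $password, $division1, $division2 = $fields
    $problems = @()

    # User becomes sAMAccountName (max. 20 characters), the home folder name
    # and an unquoted argument to dir.cmd
    if ($user -notmatch '^[A-Za-z0-9._-]{1,20}$') {
        $problems += 'User: use 1-20 letters, digits, dot, underscore or hyphen'
    }
    # userAccountControl 66082 includes PASSWD_NOTREQD, so reject an empty password here
    if ($password -eq '') {
        $problems += 'Password: empty'
    }
    # These values are concatenated into LDAP paths without escaping
    $dnParts = [ordered]@{ Prename = $prename; Name = $name; Division1 = $division1; Division2 = $division2 }
    foreach ($key in $dnParts.Keys) {
        $value = $dnParts[$key]
        if ($value -eq '' -or $value -ne $value.Trim()) {
            $problems += "${key}: empty or padded with spaces"
        }
        if ($value -match '[+"\\<>;=/#]') {
            $problems += "${key}: character that is special in a distinguished name"
        }
    }
    return ,$problems
}

# Constructed sample rows, not taken from a real directory
$sample = @(
    'JDoe,John,Doe,PasswordAsYouWant,Consulting,Team1',
    'ASmith,Anna,Smith,Pass,word,Consulting,Team1',
    'B Ray,Bob,Ray,,Consulting,Team1',
    'CLee,Chris,Lee+Admin,PasswordAsYouWant,Consulting,Team1'
)
$line = 0
foreach ($row in $sample) {
    $line++
    $issues = Test-UserImportRow -Row $row
    if ($issues.Count -eq 0) { "line ${line}: OK" } else {
        $issues | ForEach-Object { "line ${line}: $_" }
    }
}
```

The output names rows by line number only, so the passwords stored in user.txt are not echoed to the console.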


Attention please !!!

Watch out for nasty wordwraps. The design is responsible for them!!!
