I have been recently trying to complete an audit on printers.
After completing a small slice of the work by manually putting in all the information into excel and almost losing my mind, I decided to take a different approach and learn how to use powershell to save time and effort, and also prepare a much more accurate and clean document in a considerably shorter time span. I only have one problem...90% of the information is incredibly accurate, apart from the SDDL strings, which were quite cryptic.
I learned that there exists a way to translate them, via the ConvertFrom-SddlString function, but the output is still lacking the essential information I need:
- Group or Username (Example: Everyone; John Doe; All Application Packages; CREATOR OWNER; Admins; etc..)
- Permissions (Print, Manage this printer, Manage Documents, or any combination of these)
Example of the output I was trying to achieve from the SDDL strings: "[Everybody: Print; All Application Packages: Manage Documents; CREATOR OWNER: Print, Manage Documents; AdminY: Print, Manage documents, Manage this printer; AdminX: Print, Manage this printer]"
The ConvertFrom-AddlString seems to be lacking some groups, and also doesn't tell you some permissions. I tried manually writing a parser for the sddl string in powershell, but being a newbie in powershell I am finding myself quite lost.
I have scoured the internet looking for a function or some code that might be able to do just that but to no avail, and we are severely limited in programming within the company, so I cannot use any other programming languages I know to help me out.
Does anyone know if there is a way to translate the SDDL strings in a more reliable/accurate manner?
$allprintservers = (Get-ADObject -LDAPFilter "(.......)" -properties *|Sort-Object -Unique -Property servername).servername
$prntrs = @()
foreach ($printserver in $allprintservers){
$pos = $printserver.IndexOf(".")
$PrintServerName = $printserver.Substring(0, $pos)
$printers = (Get-Printer -ComputerName $PrintServerName | Where-Object {$_.Name -notlike "......."}).Name
foreach ($printer in $printers) {
if ([string]::IsNullOrWhiteSpace($printer) -or $printer -like "........."){
$printer = "null"
break
}else{
$currentprinter = Get-Printer -ComputerName $PrintServerName | Where-Object {$_.Name -like $printer}
$name = $currentprinter.Name
$location = $currentprinter.Location
$comment = $currentprinter.Comment
$driverName = $currentprinter.DriverName
$sharedName = $currentprinter.ShareName
$shared = $currentprinter.Shared
$portName = $currentprinter.PortName
$permissions = (Get-Printer -ComputerName $PrintServerName -name $name -Full).PermissionSDDL
$translation = ConvertFrom-SddlString -sddl $permissions -type ActiveDirectoryRights | Select-Object -ExpandProperty DiscretionaryAcl
$translation = [string]::join("; ",($translation.Split("`n")))
}#else
$prntr = [PSCustomObject]@{
ServerName = $PrintServerName
PrinterName = $name
Location = $location
Comment = $comment
DriverName = $driverName
SharedName = $sharedName
Shared = $shared
PortName = $portName
UnTransACL = $permissions
TransACL = $translation
}#printer_CustomObject
$prntrs += $prntr
}#Foreach 2nd
}#foreach 1st
$prntrs | Export-Csv "..\..\PrinterAudit2022.csv" -Encoding UTF8
I have removed a very few select parts of the code to avoid sharing any sensitive information, but it shouldn't affect the logic of the code.