Non-admin Printer Setup?

At my work, none of the 350 users are admins. Before we can deploy Mac OS X 10.5.x, we have to allow them to add/delete their own printer. With Mac OS X 10.4.x, the Printer Setup Utility did not require an administrator name and password, so all was fine. But, I can't have 350 users submitting requests to me to add or delete printers for them 12 hours a day (there would have to be more than two more of me) from five time zones. Since there are remote users in 15 states and a total of 70 different offices, there's no way I can add all the printers someone might use ahead of time. How can I change Mac OS X 10.5.x to allow non-admin users to add printers?

-Doug

2GHz Intel iMac 2GB RAM, 500GB HD Super Drive / 2GHz BlackBook 2GB RAM, 250GB HD, Mac OS X (10.5.1), AirPort Express / EyeTV Hybrid / 40GB iPod photo 8GB iPod nano (3G)

Posted on Feb 1, 2008 11:23 AM

33 replies

Feb 12, 2008 6:44 AM in response to PAHU

Paul,

Thank you for all your time and effort in looking at this issue.

From reading your postings I thought that maybe the problem was due to the rights granted by the AD to the network user and this was challenging the creation of the queue.

So I repeated the test, this time the authentication was being done using Directory Access > AD to a 2003 SP1 server. The client was just a basic user account, no network or local home folder creation, just simply an authentication to the network. However this account was also able to add a local printer without having to authenticate.


This was one area I was not able to test as I don't have any AD/OD set up here. I thought that the cupsd on the client machine should still obey the cupsd.conf on that machine regardless of AD/OD. I'm glad that you were able to test this aspect.

So I have a couple of questions as I'd like to play with this some more.
. . .
2. I read that your 10.5 install was an upgrade from the 10.4 image. Is this correct? If yes, have you tried a clean Leopard install? Just concerned we could have some Tiger left-overs, like the AD plug-in...


I was also a bit concerned about the upgrade of 10.4 vs a clean install. I further wondered if the upgrade of CUPS to 1.3.5 was causing problems even though it uses the same configuration file. I had upgraded my test machine to CUPS 1.3.5 and did not have any problems, however. Incidentally, the 10.5.2 updater will install CUPS 1.3.5, so perhaps a clean install and updating to 10.5.2 might be an avenue to explore.

Matt

Feb 28, 2008 11:05 AM in response to mobias

You need to have an admin to do it easily. Period. Get an admin to do it for you.


Users should have the right to add and delete their own printers as they did in previous versions of the OS.

This should be permitted by default. If the admin then chooses to restrict the users from adding or removing printers that should be a setting that can be changed.

I still had a locked System Pref panel when it came to adding printers after modifying the cups file. So I made an alias of the System:Library:CoreServices:AddPrinter.app and placed it in the Utilities folder. Users can access it from there. They can add printers but not delete them.

Hey, it's better than nothing, right?

Oh and the worthless frickin' help file tells the user that if they are being asked for an admin password to add a printer it is because the system administrator is restricting them. BS, it is due to Apple trying to tell me how to run my network environment.

Apr 17, 2008 7:47 PM in response to McToast

I was reading through this thread, incredibly informative by the way, but it ended with one begging question. If it is possible for Apple to allow or disallow managed users from administrating printers, and if it is as easy as editing a few lines of code, shouldn't it be just as easy to add a button allowing or disallowing managed users from adding new printers? (Notice I said add and not add/remove.)

just my two cents...

May 13, 2008 11:24 AM in response to AK_Mike

I wish my company had the purchasing clout of say, a NY school district, so that we could tell Apple that we're placing our current orders on hold until this issue was addressed. If we upgraded to Leopard we'd have over 200 users unable to add and remove printers without going into CUPS. Our Windows counterparts running XP however, can add and remove printers even with a more locked down desktop.

May 15, 2008 9:52 PM in response to j_evans01

Leopard is a step backwards in this area!! Under Parental Controls I believe you have the option to allow users to add and remove printers or administrate them anyway, forget how it works now.

In Leopard Server you have the option to allow users to add and remove printers I believe for 10.4.x clients and below. I don't understand why they are restricting 10.5.x clients?? This hurts enterprise customers severely!

You can also give access to add printers this way:
Edit /etc/cups/cupsd.conf with pico or something or through the cups webpage at http://localhost:631/admin and click edit configuration file and then edit the following to match:

<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
# AuthType Default
# Require user @SYSTEM
Require valid-user
Order deny,allow
</Limit>

Then the trick to add a printer:
In any application when you do a File, Print select Add Printer from the printer drop down menu and add the printer you want.

To remove a printer:
Again... http://localhost:631/printers/


Hopefully that helps!!

Just to mention someone else mentioned about doing the following, but I don't fully agree with it:

<Limit CUPS-Add-Modify-Printer CUPS-Set-Default>
Order allow, deny
Allow all
</Limit>

Thanks,

Dan

Message was edited by: Daniel Ball

May 16, 2008 10:35 AM in response to Daniel Ball

Thanks Daniel. I followed your config instructions and was able to edit the CUPS server on a couple of our workstations to allow our end users to add and remove printers. I believe I had read elsewhere that an OS update will reset the CUPS server... does that sound right?

You're right, this is a step in the wrong direction as far as I'm concerned and it sure doesn't help enterprise customers.
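
For the two Limit blocks in Daniel Ball's post and the question above about an OS update resetting the file, an added example (not part of the thread, and not Apple's or the CUPS project's code) that reports which access level a cupsd.conf gives the printer-administration operations, so a relaxed or reset file can be spotted. The level names, function names and sample strings are constructed for this illustration; it reads only active Require lines and does not model AuthType or Allow/Deny.

```python
import re

ADMIN_OPS = {"CUPS-Add-Modify-Printer", "CUPS-Delete-Printer",  # operations named in the
             "CUPS-Add-Modify-Class", "CUPS-Delete-Class", "CUPS-Set-Default"}  # thread's blocks
RANK = {"admin-only": 0, "other-require": 1, "any-authenticated-user": 2, "no-require": 3}

def limit_blocks(conf_text):
    """Yield (operations, directives) per <Limit ...> block; comment lines are skipped."""
    ops, directives = None, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<Limit\s+([^>]+)>$", line, re.I)
        if opened:
            ops, directives = opened.group(1).split(), []
        elif line.lower() == "</limit>" and ops is not None:
            yield ops, directives
            ops = None
        elif ops is not None:
            directives.append(line.split())

def access_level(directives):
    """Classify a block by its active Require lines only."""
    requires = [d[1:] for d in directives if d[0].lower() == "require"]
    if not requires:
        return "no-require"
    if any(r and r[0].lower() == "valid-user" for r in requires):
        return "any-authenticated-user"
    names = [n for r in requires if r and r[0].lower() == "user" for n in r[1:]]
    return "admin-only" if names and all(n == "@SYSTEM" for n in names) else "other-require"

def audit(conf_text):
    """Map each printer-admin operation to the loosest level any block grants (audit choice)."""
    result = {}
    for ops, directives in limit_blocks(conf_text):
        level = access_level(directives)
        for op in ADMIN_OPS.intersection(ops):
            if op not in result or RANK[level] > RANK[result[op]]:
                result[op] = level
    return result

# Constructed samples: the post's two blocks, plus the form its commented-out lines imply.
OPS_LINE = " ".join(sorted(ADMIN_OPS))
RESTRICTED = f"<Limit {OPS_LINE}>\nAuthType Default\nRequire user @SYSTEM\nOrder deny,allow\n</Limit>\n"
VALID_USER = f"<Limit {OPS_LINE}>\n# AuthType Default\n# Require user @SYSTEM\nRequire valid-user\nOrder deny,allow\n</Limit>\n"
ALLOW_ALL = "<Limit CUPS-Add-Modify-Printer CUPS-Set-Default>\nOrder allow, deny\nAllow all\n</Limit>\n"
if __name__ == "__main__":
    print({n: audit(c) for n, c in [("restricted", RESTRICTED), ("valid-user", VALID_USER), ("allow-all", ALLOW_ALL)]})
```

Feeding it the contents of /etc/cups/cupsd.conf before and after an update shows whether the block is back to "admin-only" or has drifted to a looser level than intended.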

Aug 14, 2008 5:16 AM in response to Daniel Ball

At best I just added all our printers and then educate my teachers on where to print.

It *****, but there is nothing you can really do about it. I looked at some of the files that the local parent controls make and here is one...

com.apple.mcxprinting.plist

and in it you will find:

RequireAdminToAddPrinters Boolean NO/YES

now the only thing missing in a Portable home directory and a standard local account that is enabled with printing is that local hook to enable parent controls.

Adding these values to WGM does not work...

Nov 25, 2008 11:04 AM in response to LG Tech

We're about a third of the way through our OS X 10.5 rollouts for about 200 Macs. Early on there was a CUPS config modification that was a workaround to this issue, but it seems the 10.5.4 and Security update 2008-005 have broken it. Information on a new workaround can be found here:

https://doc.ikw.uni-osnabrueck.de/node/2662

As an Apple Enterprise customer, I can't tell you how disappointing it is to have to dig around for temporary workarounds like this. Add to that, our Apple rep insists that this was a feature request from end users. For the 99% of Macs out there with one account with admin rights and one USB printer plugged in, I'm sure it's not an issue. But when you have 200, 300, 500 or 1,000 Macs to manage, each with a host of networked printers, it's inexcusable not to allow non-admins the ability to add and delete printers.
