I worked on a print server queue permissions delegation today and learned a few things. I was trying to grant a new group permission to manage printers on a Windows Server 2008 print server, and after adding the group to the print server's security permissions, it was not propagated to the print queues on that print server. I was surprised because the other permissions that are defined at the print server level are propagated to print queues and I am able to see them on each printer.
After trying a few things, I figured out that there is no concept of permissions inheritance from print server to print queue. That means the permissions you define on the print server object in the Print Management console will not propagate to the print queues under that print server. The point to note here is that a print queue gets its ACLs from the print server at the time of creation. That means that if I add a new group to the print server object's security properties, it will be applied to new printers created thereafter. You have to add the new group manually on the existing printers.
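To find the existing queues that were created before a group was added to the print server object, the following read-only audit lists every queue and whether its ACL carries an allow entry for that group. It is an added example, not part of the original post; the server name and group name are placeholders, and it assumes the `Win32_Printer` WMI class and its `GetSecurityDescriptor` method are available on the server.

```powershell
# Added example: read-only audit; it changes nothing on the print server.
# Placeholder (hypothetical) values, replace with your own:
$PrintServer = 'PRINTSRV01'           # print server to audit
$GroupName   = 'Print-Operators-L2'   # group added to the print server's security permissions

function Test-GroupAllowAce {
    param($Descriptor, [string]$Group)
    # True if the queue's DACL has at least one allow ACE (AceType 0) for the group.
    foreach ($ace in $Descriptor.DACL) {
        if ($ace.AceType -eq 0 -and $ace.Trustee.Name -eq $Group) { return $true }
    }
    return $false
}

$queues = Get-WmiObject -Class Win32_Printer -ComputerName $PrintServer

$report = foreach ($q in $queues) {
    $sd = $q.GetSecurityDescriptor()
    if ($sd.ReturnValue -ne 0) {
        # Could not read the ACL (for example, access denied): flag it, don't guess.
        $state = "unreadable (WMI return value $($sd.ReturnValue))"
    } elseif (Test-GroupAllowAce -Descriptor $sd.Descriptor -Group $GroupName) {
        $state = 'group present'
    } else {
        $state = 'group MISSING'
    }
    New-Object PSObject -Property @{ Queue = $q.Name; Shared = $q.Shared; GroupAce = $state }
}

# Queues created before the group was added to the server object show up as MISSING.
$report | Sort-Object GroupAce, Queue | Select-Object Queue, Shared, GroupAce | Format-Table -AutoSize
```

Rerunning the audit after updating the existing printers confirms that no queue was skipped.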
I am not happy with this kind of behaviour in the Print Management console. Ideally, they should have allowed the print queues to get permissions from the printer object. I searched a bit on this behaviour but couldn't find any details.
While I was trying to determine why it behaves like this, I came across a few useful resources for delegating printer permissions at a granular level. You might want one group of admins to only clear/pause/resume the queues and another group to change the printer properties as well. Such granular permissions can be granted.
Refer to http://technet.microsoft.com/en-us/library/ee524015%28v=ws.10%29.aspx for details on how to grant granular permissions to manage the printers.