Home Library Learn Downloads Support Community
Sign in | United States - English | |
This topic has not yet been rated - Rate this topic

SetSecurityDescriptor method of the Win32_Printer Class

Applies to: desktop apps only

The SetSecurityDescriptor method writes an updated version of the security descriptor that controls access to the printer. The security descriptor is an instance of the Win32_SecurityDescriptor class. For more information, see Changing Access Security on Securable Objects.

Syntax

Copy 
uint32 SetSecurityDescriptor(
  [in]  Win32_SecurityDescriptor Descriptor
);

Parameters

Descriptor [in]

The security descriptor that is associated with the printer.

Return value

Return codeDescription
0

Successful completion.

2

The user does not have access to the requested information.

8

Unknown failure.

9

The user does not have adequate privileges to execute the method.

21

A parameter specified in the method call is not valid.

 

Remarks

The Win32_SecurityDescriptor instance represents a SECURITY_DESCRIPTOR_CONTROL data type and contains a discretionary access control list (DACL) and a system access control list (SACL). For more information, see Access Control Lists.

If the SeSecurityPrivilege is not granted or enabled when getting a security descriptor, then only the DACL is returned in the returned security descriptor. For more information, see Privilege Constants and Executing Privileged Operations.

You can update both the DACL and the SACL in the Win32_SecurityDescriptor instance when calling this method, but you can also update only the DACL or only the SACL.

The following values in SECURITY_DESCRIPTOR_CONTROL determine whether the DACL, the SACL, or both are updated.

  • SE_DACL_PRESENT

    Indicates that the DACL should be updated. If this is not set then WMI preserves the original value of the DACL.

  • SE_SACL_PRESENT

    Indicates that the SACL should be updated. If this is not set, then WMI preserves the original value of the SACL. To update the SACL, the account must have the SeSecurityPrivilege privilege enabled. For scripting, the privilege name is SeSecurityPrivilege. For more information, see Privilege Constants.

If the Group trustee and the Owner trustee properties are not NULL, then they are updated. Otherwise, WMI preserves the original values. For more information, see WMI Security Descriptor Objects.

When a new SACL is NULL in a call to this method, then the security descriptor SACL on the target securable object is left unchanged.

Requirements

Minimum supported client

Windows Vista

Minimum supported server

Windows Server 2008

Namespace

\root\CIMV2

MOF
Cimwin32.mof

DLL
Cimwin32.dll

See also

Win32_Printer
Privilege Constants
WMI Security Descriptor Objects
Changing Access Security on Securable Objects

 

 

Send comments about this topic to Microsoft

Build date: 3/9/2012

Did you find this helpful?
(1500 characters remaining)
Community Content Add
Annotations FAQ
Example script in PowerShell 1.0 
  
# Specify the user or group
$user = "everyone"
# create instances of necessary classes
$SD = ([WMIClass] "Win32_SecurityDescriptor").CreateInstance()
$ace = ([WMIClass] "Win32_Ace").CreateInstance()
$Trustee = ([WMIClass] "Win32_Trustee").CreateInstance()
# Translate a name of user or group to SID
$SID = (new-object security.principal.ntaccount $user).translate([security.principal.securityidentifier])
# Get binary form from SID and byte Array
[byte[]] $SIDArray = ,0 * $SID.BinaryLength
$SID.GetBinaryForm($SIDArray,0)
# Fill Trustee object parameters
$Trustee.Name = $user
$Trustee.SID = $SIDArray
# Set AccessMask which can contain following values:
# Takeownership - 524288
# ReadPermissions - 131072
# ChangePermissions - 262144
# ManageDocuments - 983088
# ManagePrinters - 983052
# Print + ReadPermissions - 131080
$ace.AccessMask = 983052
# Set AceType. Can be 0 (Allow), or 1 (Deny), or 2 (System Audit)
$ace.AceType = 0
$ace.AceFlags = 0  

  
# Write Win32_Trustee object to Win32_Ace Trustee property
$ace.Trustee = $Trustee
# Write Win32_Ace and Win32_Trustee objects to SecurityDescriptor object
$SD.DACL = $ace
# Set SE_DACL_PRESENT control flag
$SD.ControlFlags = 0x0004
# Get printer object. For example 'CutePDF Writer' printer object
$Printer = gwmi win32_printer -filter "name = 'CutePDF Writer'"
# Enable SeSecurityPrivilege privilegies
$Printer.psbase.Scope.Options.EnablePrivileges = $true
# Invoke SetSecurityDescriptor method and write new ACE to specified
# printer ACL.
$Printer.SetSecurityDescriptor($SD)
History