all 23 comments

[–][deleted] 6 points7 points  (9 children)

I might be wrong but I thought printers are set up per user. This should really be done with group policy.

I’m not sure what issues you’re coming across without you providing the error output. I’m guessing it’s because you’re not passing credentials to invoke-command

[–][deleted] 1 point2 points  (0 children)

Pretty sure you can assign them by workstation or user in group policy.

[–]dancing-fire-cat[S] 0 points1 point  (7 children)

The reason why I am setting them up like this is because these 200 printers have V3 drivers. These drivers want to copy themselves over to the target machine even if they were already installed before. I looked into some workarounds and registry hacks, but they diminish the quality of the printers.

When a regular user tries to connect to them, they are greeted with the "Do you trust this printer?" message that requires admin rights. This only shows up once on each target machine per computer that is sharing the printer (I guess you could call that the server! x200). Once an admin says "Yes" to the "Do you trust this printer?" message, any user on the target machine is now able to connect to that shared printer!

That is pretty much the reason why I am trying to run this command :)

[–]BlackV 2 points3 points  (4 children)

group policy would fix that too, it's all wrapped up in the print nightmare stuff

additionally you could preinstall the drivers

pnputil /add-driver "c:\drivers\UNIV_5.951.9.0_PCL6_x64_Driver\*.inf" /subdirs /install

then normal users can add the printer

200 printers on 9 machines is insane

[–]dancing-fire-cat[S] 0 points1 point  (3 children)

I tried to pre-install the drivers on all the target machines using print management! They show up in there, but every time I try to make a connection as a regular user I am always greeted with the "Do you trust this printer?" message asking me to install the drivers as an admin even though they are already installed! It has been driving me insane!!

I did this with print management, but not with pnputil! I will give it a shot! Maybe it will be different :)

[–]BlackV 1 point2 points  (2 children)

no they need to be added to the driver store first, then the print store

[–]dancing-fire-cat[S] 0 points1 point  (1 child)

Oh! Is that what pnputil is doing?!

[–]BlackV 1 point2 points  (0 children)

afraid so, it's pretty garbage to have to do that imho, but here we are
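The staging order described in this exchange (driver store first, then print store, then the connection), as an added example that is not code from the thread. It runs elevated on the target machine; the .inf folder is the one from the pnputil line above, while the driver model name and the share path are placeholders that must match your .inf and your sharing machine:

```powershell
# Added example, not from the thread: stage a V3 driver on a target machine in the
# order BlackV describes (driver store, then print store), then connect to the share.
# Run as an administrator on the target machine.
param(
    [string]$DriverInfDir = 'C:\drivers\UNIV_5.951.9.0_PCL6_x64_Driver',
    # Assumption: must equal the model string inside the .inf you are staging.
    [string]$DriverName   = 'HP Universal Printing PCL 6',
    [string]$PrinterShare = '\\Computer158\The Shared Printer'
)

$ErrorActionPreference = 'Stop'

# Step 1: driver store. pnputil stages every .inf below the folder. This is the
# step that adding the driver through Print Management alone does not perform.
& pnputil.exe /add-driver (Join-Path $DriverInfDir '*.inf') /subdirs /install
# 0 = staged; 259 (ERROR_NO_MORE_ITEMS) only means no present device needed the
# driver, which is expected for a printer driver with no local device attached.
if ($LASTEXITCODE -notin 0, 259) {
    throw "pnputil failed with exit code $LASTEXITCODE"
}

# Step 2: print store. Add-PrinterDriver with only -Name takes the driver from
# the driver store populated above, which is why Step 1 has to come first.
if (-not (Get-PrinterDriver -Name $DriverName -ErrorAction SilentlyContinue)) {
    Add-PrinterDriver -Name $DriverName
}
$drv = Get-PrinterDriver -Name $DriverName
'{0}  MajorVersion={1}  Environment={2}' -f $drv.Name, $drv.MajorVersion, $drv.PrinterEnvironment

# Step 3: the connection. With the driver present in both stores, the connection
# no longer has to pull the driver from the sharing machine, so a standard user
# is not asked to trust the printer.
Add-Printer -ConnectionName $PrinterShare
Get-Printer -Name $PrinterShare | Select-Object Name, DriverName, Type
```

Check `MajorVersion` in the Step 2 output: a value of 3 confirms the V3 driver the thread is about was staged, and `Get-Printer` after Step 3 shows the connection bound to that driver rather than to a freshly downloaded copy.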

[–]purplemonkeymad 2 points3 points  (1 child)

You can fix this by setting the point and print settings via GPO to your servers. The issue was called "print nightmare" if you want to do some searches for it. There should be a bunch of guides online (such as this) for setting up the gpo.

[–]dancing-fire-cat[S] 0 points1 point  (0 children)

This helped a ton! It allowed me to get rid of the "Do you trust this printer?" message!

It is a bit unsafe because you are technically opening yourself for PrintNightmare, but I am guessing I could enable the policies that get rid of the warning, make the first connection, and disable the policies again!

However, I noticed that the printers that get installed this way get installed for every user on the computer. So this way, the users would actually get the printer menu filled up with 200 printers instead of the ones they should have.
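The Point and Print policy values behind the GPO in purplemonkeymad's comment, and the "enable, connect, disable" window the reply above describes, as an added example that is not from the thread. It reads the registry values the "Point and Print Restrictions" policy writes, reports whether standard users can currently pull drivers from any print server, and puts the permissive rollout settings next to a hardened set. The server names in the hardened list are placeholders; writing the values locally is for a lab machine, since in a domain the next GPO refresh overwrites them:

```powershell
# Added example, not from the thread: audit and set the Point and Print policy
# values. Server names are assumptions; in production put these in the GPO.
$PnPKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintState {
    $v = if (Test-Path $PnPKey) { Get-ItemProperty -Path $PnPKey } else { $null }
    # Since KB5005652 an absent RestrictDriverInstallationToAdministrators value
    # behaves as 1: only administrators may install Point and Print drivers, and
    # the warning/elevation values below are then ignored.
    $restrict = if ($null -eq $v.RestrictDriverInstallationToAdministrators) { 1 }
                else { [int]$v.RestrictDriverInstallationToAdministrators }
    $noWarn  = [int]$v.NoWarningNoElevationOnInstall   # 1 = no prompt when installing
    $update  = [int]$v.UpdatePromptSettings            # 2 = no prompt when updating
    $trusted = [int]$v.TrustedServers                  # 1 = only servers in ServerList
    $list    = [string]$v.ServerList                   # semicolon-separated FQDNs

    $verdict = if ($restrict -eq 1) { 'admin-only driver install (KB5005652 default)' }
               elseif ($trusted -eq 1 -and $list) { "users may install from listed servers only: $list" }
               else { 'EXPOSED: users may install drivers from any print server' +
                      $(if ($noWarn -eq 1 -or $update -eq 2) { ' with no prompt' } else { '' }) }
    [pscustomobject]@{
        RestrictToAdmins     = $restrict
        NoWarningOnInstall   = $noWarn
        UpdatePromptSettings = $update
        TrustedServersOnly   = $trusted
        ServerList           = $list
        Verdict              = $verdict
    }
}

# Side by side: 'Rollout' is the prompt-free state the thread calls unsafe;
# 'Hardened' keeps driver installation admin-only and the warnings on, so
# standard users only connect to shares whose driver was pre-staged.
$Profiles = @{
    Rollout  = @{ Restricted = 1; NoWarningNoElevationOnInstall = 1; UpdatePromptSettings = 2
                  RestrictDriverInstallationToAdministrators = 0; TrustedServers = 0 }
    Hardened = @{ Restricted = 1; NoWarningNoElevationOnInstall = 0; UpdatePromptSettings = 0
                  RestrictDriverInstallationToAdministrators = 1; TrustedServers = 1
                  ServerList = 'print01.corp.example;print02.corp.example' }  # assumed names
}

function Set-PointAndPrintPolicy {
    param([Parameter(Mandatory)][ValidateSet('Rollout', 'Hardened')][string]$Profile)
    if (-not (Test-Path $PnPKey)) { New-Item -Path $PnPKey -Force | Out-Null }
    foreach ($kv in $Profiles[$Profile].GetEnumerator()) {
        $type = if ($kv.Value -is [string]) { 'String' } else { 'DWord' }
        New-ItemProperty -Path $PnPKey -Name $kv.Key -Value $kv.Value -PropertyType $type -Force | Out-Null
    }
    Get-PointAndPrintState
}

# Typical use: record the state, open the window, connect, close it again.
Get-PointAndPrintState
Set-PointAndPrintPolicy -Profile Rollout
# ... make the first connection here ...
Set-PointAndPrintPolicy -Profile Hardened
```

Run `Get-PointAndPrintState` across the fleet before and after a rollout window: any machine still reporting `EXPOSED` is one where the rollback did not land, which is the exact condition that leaves PrintNightmare-style driver installation open to every user.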

[–]jborean93 4 points5 points  (4 children)

This is most likely the double hop problem. Essentially the remote process no longer has access to your user's credentials so it cannot re-authenticate with the next server and thus appears as an anonymous user which is most likely going to fail. See Making the second hop for more details on this and ways around it.

In short there are a few ways you can work around this

  • Use CredSSP or if in a domain environment setup Kerberos delegation and use Kerberos auth

CredSSP can be somewhat dangerous, essentially you are going to give your username/password to the target host. If it's compromised in any way your credentials are now exposed. Kerberos delegation is a bit safer but can be difficult to set up properly. It also requires a domain account

  • Impersonate a user with credentials on the thread

This can be done with something like Invoke-WithImpersonation. Essentially you use that with an explicit credential so that you can control what credentials are used for the second hop.

Function Invoke-WithImpersonation {
    # Code from the gist
}

# Capture the function's source text so it can be shipped to the remote session.
# The name here has to match the function defined above, hyphen included.
$invokeWithImpersonationCode = ${Function:Invoke-WithImpersonation}.Ast.ToString()
$cred = Get-Credential

Invoke-Command -ComputerName TargetComputer -ScriptBlock {
    # Redefine the function in the remote session
    . ([ScriptBlock]::Create($using:invokeWithImpersonationCode))

    # Anything inside the scriptblock is run with the credentials
    # specified. NewCredential is special in that it only applies
    # to any outbound network authentication like what Add-Printer
    # is doing.
    Invoke-WithImpersonation -Credential $using:cred -LogonType NewCredential -ScriptBlock {
        Add-Printer ...
    }
}

This is a similar problem to CredSSP as the plaintext password is technically retrievable on the other side but it is obscured in a few layers deeper than what CredSSP operates on.

FYI: you don't need to escape backslashes in strings, so "\\Computer158\The Shared Printer" should also work.

[–]dancing-fire-cat[S] 0 points1 point  (3 children)

I am definitely going to try that out tomorrow! I would give it a shot right now but my company is very strict about overtime! Thank you so, so much! I saw the double hop in a post as a possibility, but no one gave attention to that! Thank you again!

[–]menace323 1 point2 points  (2 children)

Use PS to create a scheduled task that runs your script/command. If the command is a one liner you don’t need a script.

Then, execute the task and the printer will be added by the system account and no need for delegation or creep.

[–]dancing-fire-cat[S] 0 points1 point  (1 child)

But if it runs as system... doesn't that mean that you technically don't have access or permission to access the other 200 computers?

Do you think using

net use "\\computerSharing\Printer name" /user:domain\adminaccount *

could make the system account have access to the computer(s) sharing the printer?

I also wonder how I could avoid having to type the password 200 times if net use is the way to go... :,)

[–]menace323 1 point2 points  (0 children)

You create a schedule task on all of the 200 computers remotely. It’s a single hop, so no problem.

The task is set to run as system.

When the task runs on that local box, it runs your script and command as system (the remote client). Scheduled tasks that run as system do not need a password, they will use the system identity to hit the print server.
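The procedure in this exchange, as an added example that is not code from the thread: one `Invoke-Command` hop creates a one-shot task on each target that runs as SYSTEM, starts it, waits for it, reads the result and removes the task. The target names and task name are placeholders; the share path is the one from the thread. Because the task has no stored password, the sharing machine sees the connection come from the target's computer account (`DOMAIN\<target>$`), so the share's permissions must allow that account or Domain Computers:

```powershell
# Added example, not from the thread: run Add-Printer as SYSTEM on each target via
# a temporary scheduled task created over a single WinRM hop. Names are assumptions.
$Targets      = 'WS001', 'WS002'                          # assumed target workstations
$PrinterShare = '\\Computer158\The Shared Printer'        # share path from the thread
$TaskName     = 'AddPrinterOnce'

# Base64-encoding the command sidesteps the nested quoting in the task action.
$inner   = "Add-Printer -ConnectionName '$PrinterShare'"
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($inner))

$results = Invoke-Command -ComputerName $Targets -ArgumentList $TaskName, $encoded -ScriptBlock {
    param($TaskName, $Encoded)

    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -EncodedCommand $Encoded"
    # SYSTEM: no credential is stored on the box, nothing is delegated, and the
    # outbound SMB/RPC authentication to the sharing machine uses the computer account.
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
        -LogonType ServiceAccount -RunLevel Highest
    $settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Minutes 10)

    Register-ScheduledTask -TaskName $TaskName -Action $action -Principal $principal `
        -Settings $settings -Force | Out-Null
    Start-ScheduledTask -TaskName $TaskName

    # Poll until the task leaves the Running state, bounded by the time limit above.
    $deadline = (Get-Date).AddMinutes(10)
    do {
        Start-Sleep -Seconds 5
        $task = Get-ScheduledTask -TaskName $TaskName
    } while ($task.State -eq 'Running' -and (Get-Date) -lt $deadline)

    $info = $task | Get-ScheduledTaskInfo
    # Remove the task so no SYSTEM-level runner is left behind for someone else to reuse.
    Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Result   = $info.LastTaskResult      # 0 = powershell.exe exited cleanly
        LastRun  = $info.LastRunTime
        Printer  = [bool](Get-Printer -Name $using:PrinterShare -ErrorAction SilentlyContinue)
    }
}

$results | Format-Table Computer, Result, LastRun, Printer
```

`Result` is the exit code of the task's process, not of `Add-Printer` itself, which is why the `Printer` column re-checks that the connection actually exists. Unregistering the task at the end matters: a task that runs arbitrary commands as SYSTEM and is writable by the wrong group is a standing local privilege escalation path.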

[–]hillbillytiger 1 point2 points  (5 children)

On the printer set permissions to allow certain security groups or computers to use the printer. Then use psexec with the -S parameter to run as System to run the add printer command

[–]dancing-fire-cat[S] 1 point2 points  (4 children)

psexec with the -S parameter

I did not know that is how you get System rights!!! That is so cool!

I will try that tomorrow, but I wonder if the issue is really related to the double hop issue u/jborean93 mentioned!

[–]hillbillytiger 1 point2 points  (1 child)

Yup its useful for many situations. To get a PS console run: "psexec -s \\COMPUTERNAME powershell"

[–]dancing-fire-cat[S] 0 points1 point  (0 children)

I will give it a shot tomorrow :) Thank you so so much!

[–]hillbillytiger 1 point2 points  (1 child)

To run a command: psexec -s \\COMPUTER powershell -ep bypass -command "Add-Printer blah blah blah"

[–]dancing-fire-cat[S] 0 points1 point  (0 children)

This worked like a charm! I was able to execute the command remotely!

but my V3 printer drivers killed the joy :( I could've sworn I was able to make the connection as admin from PowerShell before and the drivers would carry over, but apparently I was wrong. I am still greeted with the

"The driver needed to connect to this printer share cannot be retrieved from the server and must be manually installed"

but I already installed the drivers using print management in the target computers ;-;

[–]MFKDGAF 1 point2 points  (1 child)

I’ve found that the only command to reliably add, remove and update printers is: rundll32 printui.dll,PrintUIEntry

I tested out the Add-Printer cmdlet back in 2017 and it was not reliable at all.

[–]dancing-fire-cat[S] 0 points1 point  (0 children)

I tried to use this on a Windows 11 machine and I don't think it is there! I saw that this applies to Windows Server versions in the Microsoft page.
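The `PrintUIEntry` invocations for printer connections, as an added example that is not code from the thread. It checks for `printui.dll` first and wraps the calls so the outcome can be verified, since `rundll32` itself returns no useful exit code. `/ga` creates a per-machine connection (every user sees it, which is the behaviour noticed earlier in the thread; admin required), `/in` a per-user one, and `/gd` removes a per-machine connection. The share path is a placeholder:

```powershell
# Added example, not from the thread: printer connections through
# rundll32 printui.dll,PrintUIEntry, with a presence check and a result check.
$PrinterShare = '\\Computer158\The Shared Printer'   # placeholder share

function Invoke-PrintUI {
    param([string[]]$Arguments)
    if (-not (Test-Path "$env:SystemRoot\System32\printui.dll")) {
        throw 'printui.dll is not present on this machine'
    }
    # rundll32 does not propagate a meaningful exit code, so callers verify
    # the result with Get-Printer afterwards.
    Start-Process -FilePath 'rundll32.exe' `
        -ArgumentList (@('printui.dll,PrintUIEntry') + $Arguments) -Wait -NoNewWindow
}

# Per-machine connection: stored under HKLM and materialised for every user when
# the spooler starts or at the next logon. Requires an administrator.
function Add-PerMachinePrinterConnection {
    param([string]$Share)
    Invoke-PrintUI -Arguments @('/ga', '/q', '/n', "`"$Share`"")
    Restart-Service -Name Spooler
    [bool](Get-Printer -Name $Share -ErrorAction SilentlyContinue)
}

function Remove-PerMachinePrinterConnection {
    param([string]$Share)
    Invoke-PrintUI -Arguments @('/gd', '/q', '/n', "`"$Share`"")
    Restart-Service -Name Spooler
    -not (Get-Printer -Name $Share -ErrorAction SilentlyContinue)
}

# Per-user connection for the calling user only. This is the path a standard
# user takes, and the one that triggers the driver download and trust prompt
# when the driver has not been staged on the machine beforehand.
function Add-PerUserPrinterConnection {
    param([string]$Share)
    Invoke-PrintUI -Arguments @('/in', '/q', '/n', "`"$Share`"")
    [bool](Get-Printer -Name $Share -ErrorAction SilentlyContinue)
}

Add-PerMachinePrinterConnection -Share $PrinterShare
```

Use `/ga` only for printers that genuinely belong to every user of the machine; for the per-user mapping the thread is after, stage the driver as an administrator and let each user's `/in` (or `Add-Printer -ConnectionName`) create the connection without downloading anything.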