
Access Mask for printer


It's been a while since I've messed around with access masks. I found a script online that I was able to change around for my purposes, but in this script it sets the permissions as Manage Documents (268435456). I need to convert this to full permissions. Any idea on what access mask I should be using? Portion of code is below:

# Give 'Users' the 'Manage Documents' permission:
$SecurityDescriptor.DiscretionaryAcl.AddAccess(
    'Allow',                           # AccessControlType
    ([System.Security.Principal.NTAccount] 'stephen.lyons.sa').Translate(
        [System.Security.Principal.SecurityIdentifier]
    ),
    268435456,                         # AccessMask
    'ContainerInherit, ObjectInherit', # InheritanceFlags
    'InheritOnly'                      # PropagationFlags
)

Solution

  • Decimal 268435456 (hex 0x10000000) is a generic right (GENERIC_ALL or GA for short) that means full control. Generic rights are called generic because they mean the same thing no matter what the securable object is--sort of a shorthand for different securable objects.

    Printer rights are trickier than file system and registry rights because 'documents' don't seem to be 'child containers' or 'child objects' only... instead they're some combination of both.

    When I apply that access mask to a printer and set it to apply to child objects and child containers only (like you're doing in your example), the GUI does in fact show Manage Documents.

    To be more specific...

    If you want to get super specific and use printer-specific rights instead of generic rights, you could add two ACEs with these access masks and flags:

    # AdministerJob, Delete, ReadJob, ChangePermissions, TakeOwnership
    AccessMask:       983088 (hex 0x000F0030)
    InheritanceFlags: ObjectInherit
    PropagationFlags: InheritOnly
    
    # ReadPermissions
    AccessMask:       131072 (hex 0x00020000)
    InheritanceFlags: ContainerInherit
    PropagationFlags: InheritOnly
    

    To figure that out, I cheated and used the GUI to set the Manage Documents right, then went back and looked at it using the command line.

    What about "full control"?

    You were asking about full control, though. If I go back and use the second method (make a change in the GUI, then go look at the security descriptor), I see these two ACEs:

    # PrinterFullControl
    AccessMask:       983052 (hex 0x000F000C)
    InheritanceFlags: None
    PropagationFlags: None
    
    # AdministerJob, Delete, ReadJob, ChangePermissions, TakeOwnership
    AccessMask:       983088 (hex 0x000F0030)
    InheritanceFlags: ObjectInherit
    PropagationFlags: InheritOnly
    

    Try those two out and see if the GUI reports what you were looking for. I used the GUI to add an ACE with all the checkboxes checked, so if that's not what you were looking for, this might need to be tweaked some more.
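
To check what a printer ACE actually grants before applying it, the masks quoted in the answer can be decoded bit by bit. This is an added example, not code from the question or the answer: the function name `ConvertFrom-PrinterAccessMask` is hypothetical, and the bit names are the constant names from `winspool.h` and `winnt.h` rather than the labels used above.

```powershell
# Added example: decode a printer ACE access mask into named rights.
# Bit values are the winspool.h / winnt.h constants.
$PrinterRights = [ordered]@{
    'PRINTER_ACCESS_ADMINISTER' = 0x00000004
    'PRINTER_ACCESS_USE'        = 0x00000008
    'JOB_ACCESS_ADMINISTER'     = 0x00000010
    'JOB_ACCESS_READ'           = 0x00000020
    'DELETE'                    = 0x00010000
    'READ_CONTROL'              = 0x00020000
    'WRITE_DAC'                 = 0x00040000
    'WRITE_OWNER'               = 0x00080000
    'GENERIC_ALL'               = 0x10000000
}

function ConvertFrom-PrinterAccessMask {
    param(
        [Parameter(Mandatory)]
        [int64]$AccessMask
    )

    $names     = @()
    $remaining = $AccessMask

    foreach ($entry in $PrinterRights.GetEnumerator()) {
        $bit = [int64]$entry.Value
        if (($AccessMask -band $bit) -eq $bit) {
            $names    += $entry.Key
            # Clear the bit so anything left over is reported as unrecognised.
            $remaining = $remaining -band (-bnot $bit)
        }
    }

    [pscustomobject]@{
        Decimal = $AccessMask
        Hex     = '0x{0:X8}' -f $AccessMask
        Rights  = $names -join ', '
        Unknown = '0x{0:X8}' -f $remaining
    }
}

# The four masks quoted on this page.
268435456, 983088, 131072, 983052 |
    ForEach-Object { ConvertFrom-PrinterAccessMask -AccessMask $_ } |
    Format-Table -AutoSize
```

A non-zero `Unknown` column means the mask carries bits outside this table, which is worth resolving before the ACE is written to a shared printer.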