Applies to: Centrify DirectControl on Mac OS X
Whenever an Active Directory user tries to pause/stop the print jobs on a Mac, they get an error stating that they need to be part of a printer operator group.
Apple added a feature in OS X 10.5 (Leopard) and up which restricts non-administrator users from managing printers on their Macs.
While this is desired behavior on public machines, it is a problem for single-user machines such as those assigned to faculty and staff.
By default in Leopard, a non-admin user cannot add or remove printers. They are also not able to hold or resume print jobs. This is a problem if users are to be able to add printers themselves, such as when they bring their laptops home. In Mac OS X 10.5.7 and later, access to add or delete network printers on a client computer is controlled by membership in the _lpadmin group.
Members of this local group on the Mac have the ability to add and delete printers.
To give a network user the ability to add or delete network printers on a workstation, add the user or user's group to the workstation's local _lpadmin group:
1) Create an AD group and populate this group with users who need printer access on their machines.
2) If the Mac systems are joined in Zone Mode, add the AD group into the Zone and give it a UNIX name.
3) Enable the Group Policy at:
Computer Configuration / Centrify Settings / Mac OS X Settings / Accounts / "Map zone groups to local group"
4) Enter the local group name: _lpadmin
5a) If the Mac systems are joined in Auto Zone mode, then use the browse button and search for the AD group of printer users.
5b) If the Mac systems are joined in Zone Mode, then enter the UNIX name of the AD group.
6) Once the GP has been set up, go to the Mac and force a refresh of the group policies and also the user group memberships.
7) Once the GPs and user group memberships have been updated, the next time a member of the Mac printer group logs in, they will have printer access on that machine.
If Group Policies cannot be used, then users can also be added into the _lpadmin group via command line:
1. First verify the UNIX group name of the printer group that the user is part of by running the command on the Mac:
adquery user -G username
(Where username is the AD username of a member of the printer user group)
2. Make a note of the appropriate group name returned (in the examples below, the group name "macprint" is used) and use one of the following commands according to the version of OS X used:
OS X 10.5:
sudo dseditgroup -o edit -a macprint -t group lpadmin
OS X 10.6 and higher:
sudo dseditgroup -o edit -a macprint -t group _lpadmin
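The command-line steps above can be wrapped so the grant is applied only when needed and then verified. This is an added example, not a Centrify or Apple script; the function names and the two script arguments are hypothetical, and the "yes"/"no" prefix of the `dseditgroup -o checkmember` output is an assumption noted in the code.

```shell
#!/bin/sh
# Added example, not Centrify's or Apple's script.
# Usage (on the Mac): sh grant_print.sh <ad_unix_group> <member_user>

# Local printer-admin group for an OS X version, per the commands above:
# "lpadmin" on 10.5, "_lpadmin" on 10.6 and higher.
printer_admin_group() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    for n in "$major" "$minor"; do
        case "$n" in ''|*[!0-9]*) return 2 ;; esac   # not a version string
    done
    if [ "$major" -gt 10 ] || { [ "$major" -eq 10 ] && [ "$minor" -ge 6 ]; }; then
        echo "_lpadmin"
    elif [ "$major" -eq 10 ] && [ "$minor" -eq 5 ]; then
        echo "lpadmin"
    else
        return 1   # before 10.5 the restriction described here does not exist
    fi
}

# True when a `dseditgroup -o checkmember` output line reports membership.
# Assumption: the line begins with "yes" for a member and "no" otherwise.
reports_member() {
    case "$1" in yes|yes\ *) return 0 ;; *) return 1 ;; esac
}

# Nest the AD group in the local group only if the sample member does not
# already hold the right, then confirm the change took effect for that user.
grant_printer_rights() {
    ad_group=$1; user=$2
    local_group=$(printer_admin_group "$(sw_vers -productVersion)") || {
        echo "unsupported OS X version" >&2; return 1; }
    if reports_member "$(dseditgroup -o checkmember -m "$user" "$local_group")"; then
        echo "$user already has printer rights via $local_group"; return 0
    fi
    sudo dseditgroup -o edit -a "$ad_group" -t group "$local_group" || return 1
    reports_member "$(dseditgroup -o checkmember -m "$user" "$local_group")" || {
        echo "$user still not in $local_group; check: adquery user -G $user" >&2
        return 1; }
    echo "$ad_group added to $local_group"
}

# Run only on a Mac and only when both arguments are given.
if [ "$(uname -s)" = "Darwin" ] && [ $# -eq 2 ]; then
    grant_printer_rights "$1" "$2"
fi
```

Running the same membership check for an account that is not in the AD printer group shows whether the grant reaches further than intended.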
None. This is a feature within Apple OS X.