Took me quite a while to get this figured out, so might as well add to the pool of searchable Google results.

Problem: You have a clustered print/file server running Server 2008/R2 and you must make NTFS security changes to each printer.  You want to allow the IT Helpdesk people to manage documents.  You have 200+ printers.  Doing them one-by-one leads you to thoughts of suicide or worker's comp from limb amputation.

Solution: Quick little PowerShell/subinacl combo! (see below)

Key things I learned from this were that WMI is not really supported for clustering, that win32_clustershare was accidentally left out of Server 2008 SP2, and that a cluster's 'shares' are only visible on the active node (obviously, in hindsight).


If anyone has suggestions to better the script, please post them.  I am pretty new to scripting (the act of, not knowledge of).  Some limitations I know of already are that it doesn't check for existing permissions - if existing permissions are present, it deletes them and then adds in the new permission set, even if they are identical.


Requirements:

  1. Hotfix (KB971403) if running 2008 SP2 (requires reboot)
  2. 'subinacl.exe' with correct path (or updated script path)
  3. Script contents in a .PS1 file
  4. Ability to run scripts on the server
  5. Script must be run on the 'Active' node in the cluster
Script:

```powershell
# Mass printer security change, Chris Trotter, April 2012
# Set the 'shares' variable, type '1' is a printer object
$shares = gwmi -query "select * from win32_clustershare where type='1'" | select Name
# Loop that applies each actual share path into the subinacl.exe arguments
# Note also that the AD domain\group and security level (M) are hard-coded
foreach($objitem in $shares){c:\scripts\subinacl.exe /printer $objitem.Name /grant="testlab.local\IT Helpdesk Print Queue Management"=M}
```
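A variant of the script above with a dry run and a per-printer change record, for reviewing a bulk ACL change before and after it is applied. This is an added example, not the author's script; the function name, its parameters and the CSV log path are assumptions, and only the `/printer` and `/grant` arguments shown in the post are passed to subinacl.exe.

```powershell
# Added example, not the original script. Function name, parameters and log path are assumed.
# Dry run:  Grant-ClusterPrinterAccess -Group 'testlab.local\IT Helpdesk Print Queue Management' -WhatIf
function Grant-ClusterPrinterAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Group,   # domain\group that receives the permission
        [string]$Permission = 'M',                      # security level used in the post
        [string]$SubInAcl   = 'c:\scripts\subinacl.exe',
        [string]$LogPath    = 'c:\scripts\printer-acl-changes.csv'
    )

    if (-not (Test-Path -LiteralPath $SubInAcl)) {
        throw "subinacl.exe not found at $SubInAcl"
    }

    # Type '1' shares are printers. They are only visible on the active node,
    # so an empty result means there is nothing to change from this node.
    $shares = @(Get-WmiObject -Query "select * from win32_clustershare where type='1'" -ErrorAction Stop)
    if ($shares.Count -eq 0) {
        throw 'No clustered printer shares returned. Run this on the active node.'
    }

    $results = foreach ($share in $shares) {
        $exit = $null
        $output = ''
        # With -WhatIf the printer is listed but subinacl.exe is not started.
        if ($PSCmdlet.ShouldProcess($share.Name, "grant $Permission to $Group")) {
            $output = & $SubInAcl /printer $share.Name "/grant=$Group=$Permission" 2>&1 | Out-String
            $exit = $LASTEXITCODE   # recorded as returned, not interpreted
        }
        New-Object PSObject -Property @{
            Time       = (Get-Date).ToString('s')
            Printer    = $share.Name
            Group      = $Group
            Permission = $Permission
            ExitCode   = $exit
            Output     = $output.Trim()
        } | Select-Object Time, Printer, Group, Permission, ExitCode, Output
    }

    # Export-Csv honours -WhatIf too, so a dry run leaves no log file behind.
    $results | Export-Csv -Path $LogPath -NoTypeInformation
    $results
}
```

Dot-source the file and call the function on the active node; the returned objects list every printer that was, or with `-WhatIf` would have been, changed.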

