@dotps1
Created January 23, 2017 19:46
Set Manage Documents permission on a Print Server.
# Get the SID of the group to give permissions to.
$sid = ([System.Security.Principal.NTAccount]"DOMAIN\GROUPNAME").Translate(
    [System.Security.Principal.SecurityIdentifier]
)

# Build an Access Control Entry object giving the group the Manage Documents permission.
# 983088 is the access mask for Manage Documents only.
$ace = New-Object -TypeName System.Security.AccessControl.CommonAce -ArgumentList @(
    @([System.Security.AccessControl.AceFlags]::ObjectInherit, [System.Security.AccessControl.AceFlags]::InheritOnly),
    [System.Security.AccessControl.AceQualifier]::AccessAllowed,
    983088,
    $sid,
    $false,
    $null
)

# Build a Raw Security Descriptor object from the binary data stored in the registry key property.
$rawSecurityDescriptor = New-Object -TypeName System.Security.AccessControl.RawSecurityDescriptor -ArgumentList @(
    (Get-ItemPropertyValue -Path HKLM:\SYSTEM\CurrentControlSet\Control\Print -Name ServerSecurityDescriptor), 0
)

# Insert the ACE at the end of the ACL.
$rawSecurityDescriptor.DiscretionaryAcl.InsertAce(
    $rawSecurityDescriptor.DiscretionaryAcl.Count, $ace
)

# Convert the modified security descriptor back to binary.
# Allocate a buffer of the required length first; GetBinaryForm fills it in place.
[Byte[]]$bytes = New-Object -TypeName Byte[] -ArgumentList $rawSecurityDescriptor.BinaryLength
$rawSecurityDescriptor.GetBinaryForm(
    $bytes, 0
)

# Write the data back to the registry.
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Print -Name ServerSecurityDescriptor -Value $bytes

# Restart the Print Spooler so the new descriptor takes effect.
Restart-Service -Name Spooler
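
To review what the descriptor grants before or after the write, the DACL can be read back and listed one ACE at a time. This is an added example, not part of the original gist; the function name `Get-PrintServerAce` and the sample SDDL string are constructed for illustration.

```powershell
# Added example (not from the original gist): list the ACEs in a print server
# security descriptor and flag entries carrying the gist's 983088 mask.
function Get-PrintServerAce {
    param(
        [Parameter(Mandatory)]
        [Byte[]]$SecurityDescriptor
    )

    $manageDocuments = 983088   # mask the gist uses for Manage Documents only
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($SecurityDescriptor, 0)

    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only CommonAce entries are reported; other ACE types are skipped.
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }

        try {
            $account = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value
        }
        catch {
            # SID no longer resolves (deleted or unreachable account): report the raw SID.
            $account = $ace.SecurityIdentifier.Value
        }

        [PSCustomObject]@{
            Account               = $account
            Qualifier             = $ace.AceQualifier
            AceFlags              = $ace.AceFlags
            AccessMask            = '0x{0:X}' -f $ace.AccessMask
            IsManageDocumentsOnly = ($ace.AccessMask -eq $manageDocuments)
        }
    }
}

# Constructed sample descriptor (hypothetical values) so the function can be
# exercised without touching the registry: one allow ACE for Everyone (WD)
# with ObjectInherit + InheritOnly and mask 0xF0030 (983088).
$sample = [System.Security.AccessControl.RawSecurityDescriptor]::new('O:BAG:BAD:(A;OIIO;0xf0030;;;WD)')
$sampleBytes = [Byte[]]::new($sample.BinaryLength)
$sample.GetBinaryForm($sampleBytes, 0)
Get-PrintServerAce -SecurityDescriptor $sampleBytes | Format-Table -AutoSize

# Against a live print server (read-only):
# Get-PrintServerAce -SecurityDescriptor (Get-ItemPropertyValue -Path HKLM:\SYSTEM\CurrentControlSet\Control\Print -Name ServerSecurityDescriptor)
```

Running it before and after the change gives a diff of the DACL, which makes an unexpected or duplicate entry easy to spot.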