When administering a Windows Print Server you might encounter an Account Unknown entry followed by a very long SID: Account Unknown(S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422). If you are used to administering Active Directory or a file system, you assume that some permissions were set and the object was deleted afterward. So, naturally, you clicked the Remove button and Apply like you are used to doing.
Now users are calling you, and tickets are starting to appear in your favorite ticketing tool about some funky prints that go to limbo, especially if they are images printed from Windows Photos. After some thought, you remember that unknown account you deleted a few weeks back: the great and beautiful S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422. Naturally, your first thought is to add it back. Nope, it doesn’t translate…

After some hair loss and nights without sleep, you decide to use Process Monitor. You analyze what happens when you click the Apply button and notice a strange addition to the registry:

HKLM\System\CurrentControlSet\Control\Print\ServerSecurityDescriptor

Now you sense that you are onto something and decide TO PRUNE THE FUCKING REGISTRY DATA LIKE YOU ARE THE TVA:

Remove-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Print -Name "ServerSecurityDescriptor"

One more step, restart the Spooler:

Restart-Service Spooler

Guess who is back in the Print Server Properties?
For those who read until here, that SID is a capability SID used by Universal Windows Platform (UWP) apps like Windows Photos. Don’t delete it again.
Please note that you might have some recently created printers that don’t have the SID, since you created them after the SID’s deletion. You need to copy the SDDL permissions from a printer with the SID to the ones without it and adjust the ACL accordingly:

$perm = (Get-Printer "Source Printer" -Full).PermissionSDDL
Set-Printer -Name "Destination Printer" -PermissionSDDL $perm
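
To find out which printers actually need that copy, the following added example (not part of the original post) parses each printer's PermissionSDDL and reports whether its DACL still contains an allow entry for the capability SID quoted above. The function names and the backup file name are hypothetical; run it elevated on the print server.

```powershell
# Added example. The SID is the one quoted in the post; function names are hypothetical.
$CapSid = 'S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422'

function Test-SddlHasSid {
    param([string]$Sddl, [string]$Sid)
    if ([string]::IsNullOrWhiteSpace($Sddl)) { return $false }
    # Parse the SDDL rather than substring-matching, so only real DACL entries count.
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    if ($null -eq $sd.DiscretionaryAcl) { return $false }
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -is [System.Security.AccessControl.KnownAce] -and
            $ace.AceType -eq 'AccessAllowed' -and
            $ace.SecurityIdentifier.Value -eq $Sid) {
            return $true
        }
    }
    return $false
}

function Get-PrinterCapabilitySidStatus {
    param([string]$Sid = $CapSid)
    # -Full is required, otherwise PermissionSDDL is not populated.
    Get-Printer -Full | ForEach-Object {
        [pscustomobject]@{
            Name             = $_.Name
            HasCapabilitySid = Test-SddlHasSid -Sddl $_.PermissionSDDL -Sid $Sid
            PermissionSDDL   = $_.PermissionSDDL
        }
    }
}

# Sanity check on constructed SDDL strings (not taken from a real printer).
$with    = "O:SYG:SYD:(A;;SWRC;;;WD)(A;;SWRC;;;$CapSid)"
$without = 'O:SYG:SYD:(A;;SWRC;;;WD)'
"constructed with SID    -> $(Test-SddlHasSid -Sddl $with -Sid $CapSid)"
"constructed without SID -> $(Test-SddlHasSid -Sddl $without -Sid $CapSid)"

# Report only; nothing on the server is changed here.
$status = @(Get-PrinterCapabilitySidStatus)
$status | Sort-Object HasCapabilitySid, Name | Format-Table Name, HasCapabilitySid -AutoSize

# Save the current SDDL of every printer missing the SID before it gets overwritten.
$status | Where-Object { -not $_.HasCapabilitySid } |
    Export-Csv -Path .\printer-sddl-backup.csv -NoTypeInformation
```

Because Set-Printer -PermissionSDDL replaces the whole descriptor, the saved CSV lets you restore any printer-specific entries that the copy wipes out.
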
Here is the only Microsoft documentation I was able to find about capability SIDs: "Some SIDs don’t resolve into friendly names" (Windows Server, Microsoft Learn).