Active Directory groups and printer administration in 10.5

Background: Our printing system is a Pharos Systems Uniprint rig, with multiple release locations spread across campus. Students can print to the universal queue from any lab or classroom machine, or from any appropriately-configured personal machine, then release their job from the printer.

Internally, the OS X setup spools the job to a local queue, which then feeds the job out to “printer” (in this case, the Uniprint queue). Lately, we’ve been seeing a number of queues on lab machines become paused. They simply accumulate jobs locally without ever feeding them out to Uniprint.
Using the CUPS Web interface (http://localhost:631/), I was able to determine that the relevant error was a complaint from OS X that it couldn’t get a public key from the server. This is a Uniprint problem that I’m still working on resolving. Since the problem remains, I need our lab SCs to be able to manipulate printer settings, which requires administrator rights.
Fortunately, our SCs are part of a particular AD group just for them. So I added their Active Directory group to our lab machines using Apple Remote Desktop to execute the following command as root:
dseditgroup -o edit -n /Local/Default -a student\ consultants -t group lpadmin
This creates a nested group in _lpadmin, and allows its members admin privileges so that they can clear stuck jobs. They still have to sit down at the machine and log in, but at least it’ll let the machines go back to printing.