Set Manage Documents permission on a Print Server.

Set-ManageDocumentsPermission.ps1

# Get the SID of the group to give Permissions to.
$sid = ([System.Security.Principal.NTAccount]"DOMAIN\GROUPNAME").Translate(
    [System.Security.Principal.SecurityIdentifier]
)

# Build an Access Control Entry object giving the group the Manage Documents permission.  983088 is the access mask for Manage Documents only.
$ace = New-Object -TypeName System.Security.AccessControl.CommonAce -ArgumentList @(
    @([System.Security.AccessControl.AceFlags]::ObjectInherit, [System.Security.AccessControl.AceFlags]::InheritOnly), [System.Security.AccessControl.AceQualifier]::AccessAllowed, 983088, $sid, $false, $null 
)

# Build a Raw Security Descriptor Object from the binary data stored in the registry key property.
$rawSecurityDescriptor = New-Object -TypeName System.Security.AccessControl.RawSecurityDescriptor -ArgumentList @(
    (Get-ItemPropertyValue -Path HKLM:\SYSTEM\CurrentControlSet\Control\Print -Name ServerSecurityDescriptor), 0
)

# Insert the ACE into the ACL.
$rawSecurityDescriptor.DiscretionaryAcl.InsertAce(
    $rawSecurityDescriptor.DiscretionaryAcl.Count, $ace
)

# Convert the modified ACL back to binary.
[Void][Byte[]]$bytes[$rawSecurityDescriptor.BinaryLength]
$rawSecurityDescriptor.GetBinaryForm(
    $bytes, 0
) 

# Write the data back to the registry.
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Print -Name ServerSecurityDescriptor -Value $bytes

# Restart the Print Spooler.
Restart-Service -Name Spooler