ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    GPP - Deploying Printers To AD Group

    Scheduled Pinned Locked Moved IT Discussion
    gpogppserver 2012 r2printers
    30 Posts 6 Posters 4.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • wrx7mW
      wrx7m @black3dynamite
      last edited by

      @black3dynamite Under security filtering, I first tried authenticated users. Next, I tried the CheckPrintersUsers group and adding the authenticated users with read permissions to the Delegation tab. Right now, it is setup with both groups in the Delegation tab as Read and Authenticated users in security filtering.

      1 Reply Last reply Reply Quote 0
      • ObsolesceO
        Obsolesce @wrx7m
        last edited by

        @wrx7m said in GPP - Deploying Printers To AD Group:

        @obsolesce I want to deploy 2 printers via GPP/GPO to a group of users called the CheckPrinterUsers. I have limited access to printing to those printers exclusively to CheckPrinterUsers group via the shared printers' security tabs.

        What happens is - The GPP doesn't get applied to the users who are members of that group unless I allow the "Authenticated Users" group print access in the shared printers' security tabs.

        Okay, there's 3 aspects to this:

        1. Group Policy
        2. Group Policy Targeting
        3. Printer Permissions
        • Printer Permissions:
          • On the print server, in "Devices and Printers", go into the "Printer Properties" of the printer in question, then to the Security tab. Remove "Everyone", and then add the "CheckPrinterUsers" group with Print = Allow checked.
        • Group Policy:
          • Using Group Policy Preferences, under "User Configuration -> Preferences -> Control Panel Settings -> Printers", add a new "Shared Printer".
            • Action = Update
            • Share Path = \\printserver\Printername (click the browse button to find it)
        • Group Policy Targeting:
          • In the above group policy printer window, click the "Common Tab", check "Item-level targeting", then the Targeting button.
          • Click "New Item", then "security group"... select the "CheckPrinterUsers" group, then OK/Apply/OK out of the windows.
          • Make sure this group policy is added in the AD hierarchy so that it is above all the users it's supposed to effect.
        wrx7mW 1 Reply Last reply Reply Quote 2
        • wrx7mW
          wrx7m @Obsolesce
          last edited by

          @obsolesce said in GPP - Deploying Printers To AD Group:

          @wrx7m said in GPP - Deploying Printers To AD Group:

          @obsolesce I want to deploy 2 printers via GPP/GPO to a group of users called the CheckPrinterUsers. I have limited access to printing to those printers exclusively to CheckPrinterUsers group via the shared printers' security tabs.

          What happens is - The GPP doesn't get applied to the users who are members of that group unless I allow the "Authenticated Users" group print access in the shared printers' security tabs.

          Okay, there's 3 aspects to this:

          1. Group Policy
          2. Group Policy Targeting
          3. Printer Permissions
          • Printer Permissions:
            • On the print server, in "Devices and Printers", go into the "Printer Properties" of the printer in question, then to the Security tab. Remove "Everyone", and then add the "CheckPrinterUsers" group with Print = Allow checked.
          • Group Policy:
            • Using Group Policy Preferences, under "User Configuration -> Preferences -> Control Panel Settings -> Printers", add a new "Shared Printer".
              • Action = Update
              • Share Path = \\printserver\Printername (click the browse button to find it)
          • Group Policy Targeting:
            • In the above group policy printer window, click the "Common Tab", check "Item-level targeting", then the Targeting button.
            • Click "New Item", then "security group"... select the "CheckPrinterUsers" group, then OK/Apply/OK out of the windows.
            • Make sure this group policy is added in the AD hierarchy so that it is above all the users it's supposed to effect.

          Thanks for breaking it down. This is how it was configured initially, as item-level targeting is my normal way to deploy shared printers. When all that is set that way, it won't install the printers to the users unless I add allow printing to authenticated users group on the printers' ACLs.

          ObsolesceO 1 Reply Last reply Reply Quote 0
          • wrx7mW
            wrx7m
            last edited by

            When item-level targeting is enabled, the RSOP shows that the GPO is applied, but doesn't go into detail beyond that. I guess the item-level targeting-specific info doesn't show up on the RSOP.

            1 Reply Last reply Reply Quote 0
            • ObsolesceO
              Obsolesce @wrx7m
              last edited by

              @wrx7m said in GPP - Deploying Printers To AD Group:

              @obsolesce said in GPP - Deploying Printers To AD Group:

              @wrx7m said in GPP - Deploying Printers To AD Group:

              @obsolesce I want to deploy 2 printers via GPP/GPO to a group of users called the CheckPrinterUsers. I have limited access to printing to those printers exclusively to CheckPrinterUsers group via the shared printers' security tabs.

              What happens is - The GPP doesn't get applied to the users who are members of that group unless I allow the "Authenticated Users" group print access in the shared printers' security tabs.

              Okay, there's 3 aspects to this:

              1. Group Policy
              2. Group Policy Targeting
              3. Printer Permissions
              • Printer Permissions:
                • On the print server, in "Devices and Printers", go into the "Printer Properties" of the printer in question, then to the Security tab. Remove "Everyone", and then add the "CheckPrinterUsers" group with Print = Allow checked.
              • Group Policy:
                • Using Group Policy Preferences, under "User Configuration -> Preferences -> Control Panel Settings -> Printers", add a new "Shared Printer".
                  • Action = Update
                  • Share Path = \\printserver\Printername (click the browse button to find it)
              • Group Policy Targeting:
                • In the above group policy printer window, click the "Common Tab", check "Item-level targeting", then the Targeting button.
                • Click "New Item", then "security group"... select the "CheckPrinterUsers" group, then OK/Apply/OK out of the windows.
                • Make sure this group policy is added in the AD hierarchy so that it is above all the users it's supposed to effect.

              Thanks for breaking it down. This is how it was configured initially, as item-level targeting is my normal way to deploy shared printers. When all that is set that way, it won't install the printers to the users unless I add allow printing to authenticated users group on the printers' ACLs.

              Don't know... that's how i've done it and it works without Authenticated users group in there.

              What if you add authenticated users, leave "Print" unchecked, but make sure "Read permissions" is checked?

              wrx7mW 1 Reply Last reply Reply Quote 0
              • wrx7mW
                wrx7m @Obsolesce
                last edited by

                @obsolesce said in GPP - Deploying Printers To AD Group:

                @wrx7m said in GPP - Deploying Printers To AD Group:

                @obsolesce said in GPP - Deploying Printers To AD Group:

                @wrx7m said in GPP - Deploying Printers To AD Group:

                @obsolesce I want to deploy 2 printers via GPP/GPO to a group of users called the CheckPrinterUsers. I have limited access to printing to those printers exclusively to CheckPrinterUsers group via the shared printers' security tabs.

                What happens is - The GPP doesn't get applied to the users who are members of that group unless I allow the "Authenticated Users" group print access in the shared printers' security tabs.

                Okay, there's 3 aspects to this:

                1. Group Policy
                2. Group Policy Targeting
                3. Printer Permissions
                • Printer Permissions:
                  • On the print server, in "Devices and Printers", go into the "Printer Properties" of the printer in question, then to the Security tab. Remove "Everyone", and then add the "CheckPrinterUsers" group with Print = Allow checked.
                • Group Policy:
                  • Using Group Policy Preferences, under "User Configuration -> Preferences -> Control Panel Settings -> Printers", add a new "Shared Printer".
                    • Action = Update
                    • Share Path = \\printserver\Printername (click the browse button to find it)
                • Group Policy Targeting:
                  • In the above group policy printer window, click the "Common Tab", check "Item-level targeting", then the Targeting button.
                  • Click "New Item", then "security group"... select the "CheckPrinterUsers" group, then OK/Apply/OK out of the windows.
                  • Make sure this group policy is added in the AD hierarchy so that it is above all the users it's supposed to effect.

                Thanks for breaking it down. This is how it was configured initially, as item-level targeting is my normal way to deploy shared printers. When all that is set that way, it won't install the printers to the users unless I add allow printing to authenticated users group on the printers' ACLs.

                Don't know... that's how i've done it and it works without Authenticated users group in there.

                What if you add authenticated users, leave "Print" unchecked, but make sure "Read permissions" is checked?

                I tried that too. Does not work 😞

                1 Reply Last reply Reply Quote 0
                • wrx7mW
                  wrx7m
                  last edited by

                  If I add "Domain Computers" group to the printer security settings with allow print, it will deploy the printer to the user.

                  dbeatoD 1 Reply Last reply Reply Quote 1
                  • dbeatoD
                    dbeato @wrx7m
                    last edited by

                    @wrx7m said in GPP - Deploying Printers To AD Group:

                    If I add "Domain Computers" group to the printer security settings with allow print, it will deploy the printer to the user.

                    That's because the computer needs to read the printer before the user can, which is why Authenticated users is used on GPOs as well to be applied.

                    1 Reply Last reply Reply Quote 0
                    • wrx7mW
                      wrx7m
                      last edited by

                      I'm guessing I should create a group of computers then, too.

                      1 Reply Last reply Reply Quote 1
                      • DashrenderD
                        Dashrender @wrx7m
                        last edited by

                        @wrx7m said in GPP - Deploying Printers To AD Group:

                        @black3dynamite said in GPP - Deploying Printers To AD Group:

                        Can't someone just connect directly to the printer and bypass your lockdown share printer?

                        Not if I enable the ACL/firewall on the printer.

                        what printer has that?

                        wrx7mW 1 Reply Last reply Reply Quote 0
                        • ObsolesceO
                          Obsolesce
                          last edited by

                          Yeah I'm lost now... sounds like a lot of adding/removing general groups that I never had to do.

                          Remove/delete the printer and GPOs and start over IMO.

                          1 Reply Last reply Reply Quote 0
                          • DashrenderD
                            Dashrender
                            last edited by

                            I've never had to remove authenticated users from the printer itself, so that seems like an odd issue, but sounds like @dbeato has as good a reasoning as any for why it's not working.

                            1 Reply Last reply Reply Quote 0
                            • wrx7mW
                              wrx7m @Dashrender
                              last edited by

                              @dashrender HP LaserJet Enterprise M609dn

                              1 Reply Last reply Reply Quote 0
                              • wrx7mW
                                wrx7m
                                last edited by

                                @dashrender said in GPP - Deploying Printers To AD Group:

                                I've never had to remove authenticated users from the printer itself, so that seems like an odd issue, but sounds like @dbeato has as good a reasoning as any for why it's not working.

                                If I leave authenticated users with print permissions, then anyone will be able to print to the printers, which are for printing out checks.

                                ObsolesceO 1 Reply Last reply Reply Quote 0
                                • ObsolesceO
                                  Obsolesce @wrx7m
                                  last edited by

                                  @wrx7m said in GPP - Deploying Printers To AD Group:

                                  @dashrender said in GPP - Deploying Printers To AD Group:

                                  I've never had to remove authenticated users from the printer itself, so that seems like an odd issue, but sounds like @dbeato has as good a reasoning as any for why it's not working.

                                  If I leave authenticated users with print permissions, then anyone will be able to print to the printers, which are for printing out checks.

                                  Try removing authenticated users and everyone. Then add the check printers users group and alsi a check printers computer group, to the printer properties security tab.

                                  wrx7mW 1 Reply Last reply Reply Quote 1
                                  • wrx7mW
                                    wrx7m @Obsolesce
                                    last edited by

                                    @obsolesce said in GPP - Deploying Printers To AD Group:

                                    @wrx7m said in GPP - Deploying Printers To AD Group:

                                    @dashrender said in GPP - Deploying Printers To AD Group:

                                    I've never had to remove authenticated users from the printer itself, so that seems like an odd issue, but sounds like @dbeato has as good a reasoning as any for why it's not working.

                                    If I leave authenticated users with print permissions, then anyone will be able to print to the printers, which are for printing out checks.

                                    Try removing authenticated users and everyone. Then add the check printers users group and alsi a check printers computer group, to the printer properties security tab.

                                    Yeah, per my previous post, that is what I am doing, as it seems that the GPO needs the computer accounts to have access to the shared printer in order to apply the GPP.

                                    ObsolesceO 1 Reply Last reply Reply Quote 0
                                    • ObsolesceO
                                      Obsolesce @wrx7m
                                      last edited by Obsolesce

                                      @wrx7m said in GPP - Deploying Printers To AD Group:

                                      @obsolesce said in GPP - Deploying Printers To AD Group:

                                      @wrx7m said in GPP - Deploying Printers To AD Group:

                                      @dashrender said in GPP - Deploying Printers To AD Group:

                                      I've never had to remove authenticated users from the printer itself, so that seems like an odd issue, but sounds like @dbeato has as good a reasoning as any for why it's not working.

                                      If I leave authenticated users with print permissions, then anyone will be able to print to the printers, which are for printing out checks.

                                      Try removing authenticated users and everyone. Then add the check printers users group and alsi a check printers computer group, to the printer properties security tab.

                                      Yeah, per my previous post, that is what I am doing, as it seems that the GPO needs the computer accounts to have access to the shared printer in order to apply the GPP.

                                      The GPO applies to the computer regardless of the printer permissions. GPO permissions are completely separate and different from the printer permissions on the print server. I was unsure which you were talking about sometimes.

                                      The shared printer permissions on the print server must allow the computer (and user) access for it to be "installed" on the computer.

                                      You don't need to touch the GPO permissions. Just make sure it's applied to Authenticated Users, and linked in Group Policy above the users and computers it shoudl apply to. The "targeting" option within the GPP for that shared printer takes care of who the GPO applies to.

                                      Perhaps you already knew this and I was just unclear which "permissions" you were referring to sometimes.

                                      wrx7mW 1 Reply Last reply Reply Quote 1
                                      • wrx7mW
                                        wrx7m @Obsolesce
                                        last edited by wrx7m

                                        @obsolesce Right, I am having to add a group of computers to the printers' security permissions with allow printing enabled to get the GPP to actually deploy the printer to the user.

                                        UNC pathing to the printer by a member of the PrintersChecksUsers (while the user is logged in) allows them to install and print to the printer.

                                        The GPO shows as applied in the RSOP, but with item level targeting, I don't see any info on why it wasn't actually installed/applied. Maybe it shows it somewhere else.

                                        The key is the shared printer's security tab on the print server, itself. That is where I have to allow the specific group of computers, as well as the specific group of users. I need both, the computers and users groups to have at least printing allowed.

                                        1 Reply Last reply Reply Quote 0
                                        • 1
                                        • 2
                                        • 2 / 2
                                        • First post
                                          Last post