Windows OS Hub

November 5, 2019 | Active Directory, Group Policies, Windows 10, Windows Server 2016

How to Deploy Printers to Users/Groups/Computers with GPO?

Let’s look at how to automatically install and connect printers to specific users, computers and groups in an Active Directory domain using Group Policy (GPO). It is very convenient when available (assigned) printers are automatically installed and connected when a user first logs on to a domain computer.

Consider the following configuration: there are 3 departments in the organization. Users of each department must print documents on their own color shared network printer. As an administrator, you have to configure the automatic deployment of network printers for users depending on their department.

Contents:
  • Deploying Printers to Users via Group Policy
  • Configuring Point and Print Restrictions Policy to Install Printers

This guide uses Group Policy Preferences, an extension of GPO that was introduced in Windows Server 2008. The instructions apply to AD environments with a domain level of at least Windows Server 2008 and clients running Windows XP SP3 or newer.

Deploying Printers to Users via Group Policy

Create three new security groups in AD (SharedPrinter_Sales, SharedPrinter_IT, SharedPrinter_Managers) and add the department users to them (you can automatically add users to domain groups by following the article “Creating a Dynamic Group in Active Directory”). You can create the groups in the Active Directory Users & Computers console or with the New-ADGroup cmdlet:

New-ADGroup "SharedPrinter_Sales" -Path 'OU=Groups,OU=Paris,DC=woshub,DC=com' -GroupScope Global -PassThru

  1. Run the domain Group Policy editor (GPMC.msc), create a new policy print_AutoConnect and link it to the OU with the users.
    If you have a small number of shared network printers in your domain (up to 30-50), you can configure them using a single GPO. If you have a complex domain structure and you delegate some AD administration tasks to branch administrators, it is better to create several printer deployment policies. For example, one policy for each AD site or OU.
  2. Go to the policy-editing mode and expand User Configuration -> Preferences -> Control Panel Settings -> Printers. Create a new policy item by selecting New -> Shared Printer;
    If you want to connect a printer by IP address (directly, without a print server), select TCP/IP Printer.
  3. Specify Update as an action. In the Shared Path field, enter the UNC address of your printer, for example, \\srv-par-print\hpsales (in my case all printers are connected to the centralized print server \\srv-par-print). Here you can specify whether to use this printer as the default printer;
  4. Go to the Common tab and specify that the printer must be connected in the current user context (Run in logged-on user’s security context). Also check the Item-level targeting option and click Targeting.
  5. Using GPP targeting, you must specify that the policy is to be applied only to SharedPrinter_Sales group members. To do this, go to New Item -> Security Group and enter SharedPrinter_Sales as the group name.
    Please note that this restriction doesn’t prevent a domain user from manually connecting this printer using Windows File Explorer. To restrict access to the printer, you will have to change the printer security permissions on the print server and allow printing only for specific groups.
  6. In the same way, create the printer connection policies for the other user groups.

There is also an older GPO section for configuring printers: Computer Configuration -> Policies -> Windows Settings -> Deployed Printers, but this method is less flexible than the one using GPP described above.

When using this printer deployment Group Policy, new printers will be connected on user computers only if the corresponding printer driver is installed. However, the problem is that non-admin users don’t have permission to install print drivers. In this case, you need to configure the Point and Print Restrictions policy.

Configuring Point and Print Restrictions Policy to Install Printers

To correctly connect printers for any users, you will have to configure the Point and Print Restrictions policy, as well as the addresses of the print servers from which users are allowed to install drivers and printers.

As a reminder, for security reasons Microsoft has restricted the installation of non-package-aware v3 printer drivers since 2016. See the article Unable to install non-package-aware print drivers.

If you connect your printers using the User Configuration policy, go to User Configuration -> Policies -> Administrative Templates -> Control Panel -> Printers -> Point and Print Restrictions. Enable the policy and configure it as follows:

  1. Users can only point and print to these servers – specify the list of print servers users can install drivers from (FQDN names are specified with semicolon as a separator);
  2. When installing driver for new connection -> Do not show warning or elevation prompt;
  3. When installing driver for existing connection -> Do not show warning or elevation prompt.

Also, enable the Package Point and Print – Approved servers policy in the GPO section User Configuration -> Policies -> Administrative Templates -> Control Panel -> Printers and set the list of trusted print servers.

After you restart the computer, the assigned shared network printer will be automatically installed and connected at the user logon.
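To confirm on a client what the two policies above actually delivered, the following check reads the registry values that the Point and Print Restrictions and Package Point and Print administrative templates write, and flags a configuration where prompts are suppressed without the server list being enforced. This is an added example, not part of the original article; the function name and the FQDN srv-par-print.woshub.com (derived from the article's \\srv-par-print and woshub.com domain) are assumptions.

```powershell
# Added example: report the Point and Print policy values that reached this client.
function Get-PointAndPrintPolicyAudit {
    param(
        # HKCU: holds User Configuration policy, HKLM: holds Computer Configuration policy
        [string[]]$Hive = @('HKCU:', 'HKLM:'),
        # Assumed FQDN of the article's \\srv-par-print; replace with your print servers
        [string[]]$ExpectedServer = @('srv-par-print.woshub.com')
    )
    foreach ($h in $Hive) {
        $base = "$h\Software\Policies\Microsoft\Windows NT\Printers"
        $pnp  = Get-ItemProperty -Path "$base\PointAndPrint" -ErrorAction SilentlyContinue
        $pkg  = Get-Item -Path "$base\PackagePointAndPrint\ListofServers" -ErrorAction SilentlyContinue

        # ServerList is one semicolon-separated string of server names
        $servers = @()
        if ($pnp -and $pnp.ServerList) {
            $servers = @($pnp.ServerList -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
        # Approved package servers are stored as one registry value per server
        $approved = @()
        if ($pkg) { $approved = @($pkg.GetValueNames() | ForEach-Object { $pkg.GetValue($_) }) }

        $restricted = $pnp -and ([int]$pnp.TrustedServers -eq 1)
        # Any non-zero value means the warning and/or elevation prompt is reduced
        $quietInstall = $pnp -and ([int]$pnp.NoWarningNoElevationOnInstall -ne 0)
        $quietUpdate  = $pnp -and ([int]$pnp.UpdatePromptSettings -ne 0)

        $finding = 'OK'
        if (-not $pnp) { $finding = 'Policy not applied in this hive' }
        elseif (($quietInstall -or $quietUpdate) -and -not $restricted) {
            $finding = 'Prompts suppressed but server list is not enforced'
        }
        elseif ($servers | Where-Object { $_ -notin $ExpectedServer }) {
            $finding = 'Server list contains unexpected entries'
        }

        [pscustomobject]@{
            Hive = $h; Finding = $finding
            RestrictedToServerList = [bool]$restricted
            ServerList = $servers; PackageApprovedServers = $approved
            QuietInstall = [bool]$quietInstall; QuietUpdate = [bool]$quietUpdate
        }
    }
}

Get-PointAndPrintPolicyAudit | Format-List
```

Run it in the logged-on user's session after a policy refresh; the HKCU row reflects a User Configuration GPO, the HKLM row a Computer Configuration GPO.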

Previously, to install and connect users’ printers I had to use .bat and PowerShell scripts. These scripts need to be run as Startup GPO scripts, and Group Policy Filtering can be used to target the printer installation. However, in my opinion it is much easier to use GPP to deploy printers.

1 comment

Roman Kyrianov April 23, 2020 - 12:23 pm

Hi,
thank you for your manual.
One thing I would like to correct:
Under User Configuration -> Policy -> Administrative Templates -> Control Panel -> Printers -> exists no point Printer -> Point and Print Restriction
It exists only under Computer Configuration.
