1

What's the best method to add printers for users using GPO? Also is there any way to prevent them from adding network printers but allow them to add local printers?

Server is Win 2003 RC2, clients are a mix of XP and Win 7

Alex

3 Answers

2

This article is long-winded, but has good advice. Basically use the Deployed Printers in a GPO, and run PushPrinterConnections.exe as a login script (part of pmcmgmt.exe from this MS DL Page).

Network Printer security should be handled at the Print Server end, not by trying to lock clients out (which will royally screw with the above process). Users who are not local admins will not be able to add local printers anyway (and we all know proper security dictates that normal users are not local admins, especially on XP).

Chris S
  • Could you post that link? I am interested for surez. – songei2f Feb 24 '11 at 19:21
  • And I think his concern, at least for the 7 clients is [that non-admin users have the rights to add TCP-IP ports for printers](http://social.technet.microsoft.com/Forums/en/w7itprosecurity/thread/8a5cfb10-7b01-4a78-878f-7245b31c8dbe). That is news to me too. I had not noticed yet. – songei2f Feb 24 '11 at 19:24
  • @alharaka, Doh! forgot the link... I'll be darned, I can't believe the default is to allow people to create TCP/IP ports... Something else that needs to be locked down apparently. – Chris S Feb 24 '11 at 19:26
  • One bothersome issue we've had with Deployed Printers via GPO is when the driver itself needs to be reinstalled. Normally, you'd just delete and reload the printer, but Deployed Printers can't be deleted by end-users. It's not the end of the world, but it's annoying. I keep wanting to check out GP Preferences to see if that is any better. – CC. Feb 24 '11 at 20:12
  • Well I'll be damned. I guess that article teaches me a lesson. Don't get me wrong, love GPOs but I manage a lot of local users and setting up their crap for printer configuration (like default printer and such) are always harder to deal with as a result. Still, I wish this solved all my use cases or I would scrap the mess I have like yesterday. – songei2f Feb 24 '11 at 20:59
  • @CC, in Vista/7 when you update the driver on the server it automatically installs on all the clients the next time they use that printer; it's very slick (doesn't work in XP though). – Chris S Feb 24 '11 at 21:11
  • @Chris S: Sorry, I should have been clearer. When the local copy of the driver is corrupt and the server driver is the same, there's no easy way I know to reinstall the driver. The client sees the server driver as unchanged, so there's no update. Of course, I could change the server driver, but I'm leery of affecting all of my print users just to get one workstation fixed. I very well may be missing something; let me know if I am! – CC. Feb 25 '11 at 15:27
  • 1
    @CC If you know a particular workstation has corrupted drivers you can open the Printer Management MMC, connect to that computer, and delete the driver. It'll pull the driver the next time it connects to the print server. (Again, doesn't work on XP; just Vista/7). – Chris S Feb 25 '11 at 17:29
  • Only use Printer Management on the server side; never thought to use it for the workstations. Great tip! – CC. Feb 25 '11 at 17:44
1

I think consensus on this has been prnmgr.vbs for a while. @Chris makes a good suggestion, but I did not know that worked with XP clients (I thought all that business worked well with Vista or newer; I still have tons of trouble with XP clients and printmanagement.msc).

songei2f
0

To expand on some of the other answers, I'd agree that Chris S's method works best if you are deploying from a Print Server. But if you're talking about only local printers with TCP/IP ports, alharaka is correct in using prnmgr.vbs.

I had done a write-up of using prnmgr.vbs and the other related vbs scripts to deploy printers here: http://faultbucket.ca/2011/01/silent-printer-deployment-in-windows/

That is designed to be run from your own computer to push one time to a client. If you want to use it in a GPO, I'd suggest:

  • Make separate scripts for groupings of printers you'd like to deploy
  • Create a GPO with those scripts as a startup/shutdown script, targeting the appropriate OUs for your users or computers
  • Ensure you're placing the script in a secure location, because it will contain administrative credentials.

The only thing I'd find a way to add is some type of check to the script that says, "If this printer is already installed, skip". This way your startup/shutdown times aren't affected for computers that already have the appropriate printers.

In answer to your other question, I don't think it's possible to allow users to add local printers without giving them admin rights.

Jeff Miles
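The "if this printer is already installed, skip" check from the last answer, as an added example that is not part of the answer or its linked write-up. It assumes the script is assigned as a computer startup script, which runs as Local System on the client, so this local variant embeds no credentials. The printer name, driver name, port name and address are constructed placeholders, the driver is assumed to be installed already, and the Windows 7 script folder is assumed to be en-US.

```vbscript
Option Explicit
' Added example, not from the answer. All printer values below are constructed placeholders.
Const PRINTER_NAME = "Example-Laser"
Const DRIVER_NAME  = "Example Driver Model"   ' assumed to be installed on the client already
Const PORT_NAME    = "IP_192.0.2.10"
Const PORT_HOST    = "192.0.2.10"

Dim shell, fso
Set shell = CreateObject("WScript.Shell")
Set fso   = CreateObject("Scripting.FileSystemObject")

' WQL string literals use backslash as the escape character.
Function WqlEscape(s)
    WqlEscape = Replace(Replace(s, "\", "\\"), "'", "\'")
End Function

' True when the given WMI class already has an instance with this Name.
Function Exists(className, name)
    Dim wmi, hits
    Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
    Set hits = wmi.ExecQuery("SELECT Name FROM " & className & _
                             " WHERE Name='" & WqlEscape(name) & "'")
    Exists = (hits.Count > 0)
End Function

' prnmgr.vbs and prnport.vbs sit in system32 on XP and in a per-language folder on Windows 7.
Function AdminScript(fileName)
    Dim sys32, candidate
    sys32 = shell.ExpandEnvironmentStrings("%windir%") & "\system32\"
    AdminScript = sys32 & fileName
    candidate = sys32 & "Printing_Admin_Scripts\en-US\" & fileName   ' assumes en-US clients
    If fso.FileExists(candidate) Then AdminScript = candidate
End Function

' Runs one of the admin scripts hidden and waits for it to finish.
Sub RunAdmin(fileName, args)
    shell.Run "cscript.exe //nologo """ & AdminScript(fileName) & """ " & args, 0, True
End Sub

' Printer already present: exit at once so startup time is not affected.
If Exists("Win32_Printer", PRINTER_NAME) Then WScript.Quit 0

If Not Exists("Win32_TCPIPPrinterPort", PORT_NAME) Then
    RunAdmin "prnport.vbs", "-a -r " & PORT_NAME & " -h " & PORT_HOST & " -o raw -n 9100"
End If
RunAdmin "prnmgr.vbs", "-a -p """ & PRINTER_NAME & """ -m """ & DRIVER_NAME & """ -r " & PORT_NAME

' Confirm by querying again instead of trusting the helper script's exit code.
If Exists("Win32_Printer", PRINTER_NAME) Then WScript.Quit 0
WScript.Quit 1
```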