
I am having trouble with deploying printers with GPP. I have 40 Printers that need to be deployed to different users. Only certain users need certain printers.

I've got a GPO setup with user printer preferences and a list of 5 printers for testing. Each of those printers I have targeted to security groups for each printer. My test users are added to the various security groups.

If I set the Security filter of the policy to "Authenticated Users" then ALL (not just test users) get the printers deployed to them. If I leave the security filter blank, NO users get the printers.

I was under the impression, since I targeted each printer to a specific Security group, only users in that group will get that printer.

Thanks for any help you can give, Travis

TMacie
  • I forgot to add, this is on a 2012 domain. Going out to Win7, Win8 and 2012 Terminal Server. – TMacie Feb 19 '16 at 14:10
  • What do you mean by you have the printers targeted to the security groups? Are you using the item level targeting under each printer preference item and adding the group filter there? Also, do you have the printer preferences defined in the Computer or User node of the GPO? – learley Feb 19 '16 at 14:57
  • yes, the Security groups are targeted under each printer preference. Preferences are defined under the User node. – TMacie Feb 19 '16 at 15:09
  • Without actually seeing the GPO, it sounds like you have set it up correctly. Have you enabled debug logging for the Printers extension? (Computer Configuration\Policies\Administrative Templates\System\Group Policy\Logging and tracing) That should show us how the item level targeting is being evaluated. – learley Feb 19 '16 at 15:28
  • I have not, but will do that and report back. – TMacie Feb 19 '16 at 15:56
  • I can't get the logs to generate. I made sure to turn on Tracing in the policy even. – TMacie Feb 19 '16 at 20:43
  • Travis, it looks like this is the same underlying problem you had in your post from June this past year. http://serverfault.com/questions/697472/printing-preferences-item-level-tagerting-not-working – user5870571 Feb 19 '16 at 22:02
  • It is. It never got resolved then. I had to move away from the project for a while and now I'm back at it, but for a different reason. – TMacie Feb 22 '16 at 13:41

3 Answers


For an easy way to manage those deployments I would use 1 GPO/GPP per printer, with one security group for each GPO.

I do this in all the shops I manage, as when a user X calls to get a printer Y added, you just have to add him to the security group and voilà, it's done.

yagmoth555
  • Yeah, that's what I have now, but that's a lotta GPOs! I want to get it down to 1 or even a few GPOs for printing. With Item Level Targeting that really should work. – TMacie Feb 19 '16 at 14:40
  • @TMacie I don't recommend it, but the only way to do it then is to create 1 GPO that adds all printers, but set security on each printer to prevent users from seeing them. – yagmoth555 Feb 19 '16 at 15:18

I actually just did what you are trying to do.

I am on a 2008 domain with 2008 Terminal Servers and Windows 7 computers.

So I have a GPO. This is linked to the OU location which contains the users/computers you want the GPO to apply to. In my case (and likely your case) you will want to link the GPO to the domain.

Security Filtering set on the GPO is Authenticated Users. Printers are defined under User Configuration: Preferences: Control Panel Settings: Printers.

For the printer on the Common tab I have "Run in logged-on user's security context (user policy option)" checked. I also checked "Item-level targeting" so I can choose which security groups should have that printer.

Run gpupdate /force on a workstation. Log out of the workstation and log back on and the user you log in with should get the appropriate printers you specified for the security groups the user has membership in.

user5870571
  • Your answer is great with the exception of this sentence: `Run gpupdate /force on the domain controller`. It's not necessary to run gpupdate on a Domain Controller in order for Group Policies to be applied to Users and Computers. I normally wouldn't have made mention of this, but I see too many people list this as a step in their GPO troubleshooting process. – joeqwerty Feb 19 '16 at 16:29
  • It's not necessary but if you have multiple DC's it forces the propagation. Your point is just as valid about running gpupdate /force on a workstation. – user5870571 Feb 19 '16 at 16:30
  • If you're saying that running gpupdate /force on a Domain Controller forces the replication between Domain Controllers then that's wrong. Gpupdate forces the application of Group Policy on domain clients (including on Domain Controllers), but it has no bearing on AD replication. Group Policy objects (both SYSVOL and the AD container) are replicated as a part of AD replication, not as a function of gpupdate. – joeqwerty Feb 19 '16 at 16:40
  • No, that is not what I mean. Using the word "propagation" was wrong. GPOs can apply to workstations and DCs. If there is a setting and you want to verify it was updated correctly without logging into a different computer you can force the GPO to apply to the DC (that is if you linked the GPO to the OU where your DC is found). https://deployhappiness.com/gpupdate-or-gpupdate-force/ – user5870571 Feb 19 '16 at 16:48
  • This really is a trivial and silly point given my answer solves the problem. If it doesn't do what some mistakenly believe it does it still doesn't hurt anything. Worst case it does nothing. Best case it lets you see the result of a GPO without using a second computer. – user5870571 Feb 19 '16 at 16:52
  • Yeah, I'm not trying to beat a dead horse. You and I both know how it works but to someone who doesn't have as firm a grasp as you and I (such as the OP) it "propagates" the misconception that the application of Group Policy somehow depends on gpupdate being run on a Domain Controller, which isn't a trivial misunderstanding. – joeqwerty Feb 19 '16 at 17:10
  • Fair enough. I do see your point. From the standpoint of helping someone learn I agree. From the standpoint of helping someone fix a problem I don't know that it makes as much of an impact as you do, but in any case I have edited the answer. :) – user5870571 Feb 19 '16 at 17:12
  • Cheers and no offense intended. – joeqwerty Feb 19 '16 at 17:13
  • No offense intended to you either. Discussions like these raise the quality of answers for everyone! – user5870571 Feb 19 '16 at 17:14
  • I'm in 100% agreement on that. :) – joeqwerty Feb 19 '16 at 17:14
  • Hey guys, I have a pretty firm grasp of GPO, and I've set things up EXACTLY like @user5870571, that's why I posted here. It's supposed to work like that, but isn't. – TMacie Feb 19 '16 at 18:21
  • Just to confirm - you check the box that says Run in logged-on user's security context (user policy option)? – user5870571 Feb 19 '16 at 22:00

So, I was doing everything right...except one of the printers I was testing with was deployed using another group policy that I didn't know about. It turns out, if you have a printer deployed in ANY other group policy and then you try to do it with ILT, and set the Security to Authenticated Users, or even another AD group, ALL AD users will get that printer.

Thanks for everyone's help.

Travis

TMacie
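Added example, not part of the original posts: a PowerShell audit for the root cause found above, a second GPO deploying the same printer without item-level targeting. It reads only Group Policy Preferences printer items (`Printers.xml`); printers deployed by other mechanisms are not covered. The function name `Get-GppPrinterItem`, the GPO names, group name and `example.test` paths are constructed for illustration.

```powershell
# Parse one GPO's Printers.xml and return a row per printer preference item.
function Get-GppPrinterItem {
    param(
        [Parameter(Mandatory)] [xml]    $PrintersXml,  # content of Printers.xml
        [Parameter(Mandatory)] [string] $GpoName
    )
    foreach ($item in $PrintersXml.SelectNodes('/Printers/*[Properties]')) {
        $props  = $item.SelectSingleNode('Properties')
        # Security-group ILT filters, including ones nested in filter collections
        $groups = @($item.SelectNodes('Filters//FilterGroup') |
                    ForEach-Object { $_.GetAttribute('name') })
        [pscustomobject]@{
            Gpo       = $GpoName
            Printer   = $props.GetAttribute('path')
            Action    = $props.GetAttribute('action')   # C, R, U or D
            IltGroups = if ($groups.Count) { $groups -join '; ' } else { '(no group filter)' }
        }
    }
}

# Constructed sample data, trimmed to the attributes the function reads.
$ilt = @'
<Printers><SharedPrinter name="HR-Laser">
  <Properties action="U" path="\\print01.example.test\HR-Laser"/>
  <Filters><FilterGroup bool="AND" not="0" name="EXAMPLE\Print-HR-Laser"/></Filters>
</SharedPrinter></Printers>
'@
$legacy = @'
<Printers><SharedPrinter name="HR-Laser">
  <Properties action="U" path="\\PRINT01.example.test\hr-laser"/>
</SharedPrinter></Printers>
'@
$items = @(
    Get-GppPrinterItem -PrintersXml $ilt    -GpoName 'Printers - ILT (constructed)'
    Get-GppPrinterItem -PrintersXml $legacy -GpoName 'Old printer GPO (constructed)'
)

# Against a live domain (GroupPolicy RSAT module), build $items from SYSVOL instead:
#   $items = Get-GPO -All | ForEach-Object {
#     $f = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies\{$($_.Id)}\User\Preferences\Printers\Printers.xml"
#     if (Test-Path $f) { Get-GppPrinterItem -PrintersXml (Get-Content $f -Raw) -GpoName $_.DisplayName }
#   }

# A printer path listed by more than one GPO is the conflict to investigate.
$items | Group-Object { $_.Printer.ToLower() } | Where-Object Count -gt 1 |
    ForEach-Object { $_.Group } | Format-Table Gpo, Printer, Action, IltGroups -AutoSize
```

Running `gpresult /h report.html` as an affected user shows from the client side which GPOs were applied to that user.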