
We have two group policy issues that have been plaguing us for two weeks and I bit the bullet to ask the field. We recently changed print servers from 2008 to 2012. We have group policy objects for printers that apply to the user configuration because of the large number of people who use RDS to Server 2012 R2 VMs via thin clients.

The initial phenomenon we are seeing is that with some RDS users (not all) the group policies are being applied but the printers do not show up and we have to manually add them every morning. When they log off and back on, they don't stick.

We have the policies at both the main level of the OU container and the Terminal Server OU beneath it, so as to apply them to both people that use desktop PCs, and to the people that use RDS.

The policies are not set to enforce.

We have to enable loopback processing on the RDS settings. We have 8 RDS servers in the farm.

--We've confirmed that the users are in the correct AD security groups. Some users in that group get the printer, others don't.

--The policies are set up with Security filtering applying to the AD group, and both that group and Authenticated Users are listed under the Delegation tab.

--gpresult /r shows that the policies are being applied to the user when logged into the RDS server but the printers do not all show up.

In addition some people are seeing double printers show up not only on our new box but the old one.

--I have gone into the registry of our RDS servers and removed entries from HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Print\Providers\Client Side Rendering Print Provider\Servers\ etc and they still pop up from time to time.

We're in the process of testing completely new users and slowly adding them to groups to see what happens there, but we can't be the first people to encounter this.

I would much appreciate any ideas or solutions people can come up with today as we're banging our heads here. There may be something fundamentally wrong with the way we have it set up and we're quite open to suggestions.

Thanks!

Machine_74
  • Can you check in the Event Viewer -> Application and Services logs -> Microsoft -> Windows -> PrintService -> Admin if you can find relevant errors? Then, I suggest you right-click on the "Operational" log -> Enable and reproduce the issue to see if the events in this log help you to understand what's happening – Swisstone Feb 20 '19 at 17:52
  • Hi, thanks for responding. No errors in the Admin section, turning on Operational log now. It may make more sense to describe what we're trying to do. For example we have Printer HPLJ400. We want the printer to be available to domain users, as well as RDS users. We do not have printer redirection turned on as we don't want people carrying their home printers over when VPN'd in. – Machine_74 Feb 20 '19 at 18:15
  • We have the object at the root domain level as well as the Terminal Server OU underneath that level. (We've tried removing it and also moving the domain level one down to a container also on the Terminal Servers' level, like which contains our domain users) I just logged in with a test user and each time I logged in, it added another instance of the printer Printer HPLJ400 so when you select its properties, it gives you four to choose from on the right-arrow, all the same. – Machine_74 Feb 20 '19 at 18:16
  • We want one instance of the printer to be made available when on the domain as well as when connected to the RDS server, so it looks like the RDS server is not removing any old instances when it adds them. – Machine_74 Feb 20 '19 at 18:16
  • I just physically removed the printer from when I was logged into an RDS server. Logged off, back on....now there are six instances. Looks like the RDS is now removing them at logoff (which we would be more than happy with). I would think when you log into an RDS server it would install the printer once and if it exists, it wouldn't again. – Machine_74 Feb 20 '19 at 18:23
  • Update: I've deleted the printer from an RDS user's session, and it keeps re-adding so I have seven of the same instance stacked, even after deleting them. Good grief. I've tried registry hacks too to remove from the RDS servers. It may make sense to ask what the best practice is to accomplish the following: We want the same set of printers available when people connect to RDS. Printers are set via GPO using AD groups. – Machine_74 Feb 20 '19 at 19:26
  • In each individual policy, the scope does not list Authenticated Users, but does have the AD security group tied to the printer, under Security Filtering. The delegation does have both Authenticated Users and the AD security group having Read permission. We have loopback enabled, but not printer redirection since we don't want people bringing home printers into their sessions when connected via the VPN. Given all of this, what is the best practice to both put the policies and have those conditions met? Thanks. – Machine_74 Feb 20 '19 at 19:26
