GPP - Deploying Printers To AD Group
-
I am trying to deploy shared (on Server 2012 R2) printers via GPP to users in a specific AD group (CheckPrinterUsers), while limiting printing etc to only that group. It only works, if I give the Authenticated Users group print permissions on the print device on the server.
CheckPrinterUsers group has print and manage permissions on the printer.
I have added read delegation on the GPO for the CheckPrinterUsers group.How can I deploy printers with GPP to a group, but restrict printing to the shared printer to that same group?
-
@wrx7m said in GPP - Deploying Printers To AD Group:
I am trying to deploy shared (on Server 2012 R2) printers via GPP to users in a specific AD group (CheckPrinterUsers), while limiting printing etc to only that group. It only works, if I give the Authenticated Users group print permissions on the print device on the server.
CheckPrinterUsers group has print and manage permissions on the printer.
I have added read delegation on the GPO for the CheckPrinterUsers group.How can I deploy printers with GPP to a group, but restrict printing to the shared printer to that same group?
I assume when you said you added read delegation on the GPO you still had the Authenticated Users Groups as part of read delegation correct?
As for the access to the printer, you will need to add the Group under Security permissions of that printer
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc776374(v=ws.10) -
@wrx7m said in GPP - Deploying Printers To AD Group:
How can I deploy printers with GPP to a group, but restrict printing to the shared printer to that same group?
Not sure if I understand this...
You want to deploy printers to a group of users but not let them use it?
-
@obsolesce I want to deploy 2 printers via GPP/GPO to a group of users called the CheckPrinterUsers. I have limited access to printing to those printers exclusively to CheckPrinterUsers group via the shared printers' security tabs.
What happens is - The GPP doesn't get applied to the users who are members of that group unless I allow the "Authenticated Users" group print access in the shared printers' security tabs.
-
@wrx7m said in GPP - Deploying Printers To AD Group:
@obsolesce I want to deploy 2 printers via GPP/GPO to a group of users called the CheckPrinterUsers. I have limited access to printing to those printers exclusively to CheckPrinterUsers group via the shared printers' security tabs.
What happens is - The GPP doesn't get applied to the users who are members of that group unless I allow the "Authenticated Users" group print access in the shared printers' security tabs.
In the advanced permissions, you can set it to read permissions, just make sure to remove print permissions for authenticated users or everyone group.
-
@black3dynamite Thanks. I tried that, but it didn't seem to work. I am guessing that it is only to read the ACL permissions themselves and not actually grant the "Read" permission.
-
Can't someone just connect directly to the printer and bypass your lockdown share printer?
-
@black3dynamite said in GPP - Deploying Printers To AD Group:
Can't someone just connect directly to the printer and bypass your lockdown share printer?
Not if I enable the ACL/firewall on the printer.
-
@black3dynamite said in GPP - Deploying Printers To AD Group:
Can't someone just connect directly to the printer and bypass your lockdown share printer?
If that was a concern, you would VLAN the printers so only the print server had access to the VLAN.
-
@wrx7m said in GPP - Deploying Printers To AD Group:
@black3dynamite Thanks. I tried that, but it didn't seem to work. I am guessing that it is only to read the ACL permissions themselves and not actually grant the "Read" permission.
Does it work when you add the shared printer manually
(\\server\shareprinter)from the one of the users in the CheckPrinterUsers group? -
@black3dynamite said in GPP - Deploying Printers To AD Group:
@wrx7m said in GPP - Deploying Printers To AD Group:
@black3dynamite Thanks. I tried that, but it didn't seem to work. I am guessing that it is only to read the ACL permissions themselves and not actually grant the "Read" permission.
Does it work when you add the shared printer manually
(\\server\shareprinter)from the one of the users in the CheckPrinterUsers group?Yes, I can add the printer via the UNC path.
-
@wrx7m said in GPP - Deploying Printers To AD Group:
@black3dynamite said in GPP - Deploying Printers To AD Group:
@wrx7m said in GPP - Deploying Printers To AD Group:
@black3dynamite Thanks. I tried that, but it didn't seem to work. I am guessing that it is only to read the ACL permissions themselves and not actually grant the "Read" permission.
Does it work when you add the shared printer manually
(\\server\shareprinter)from the one of the users in the CheckPrinterUsers group?Yes, I can add the printer via the UNC path.
What do you have set for the group policy for security group?
-
@black3dynamite Under security filtering, I first tried authenticated users. Next, I tried the CheckPrintersUsers group and adding the authenticated users with read permissions to the Delegation tab. Right now, it is setup with both groups in the Delegation tab as Read and Authenticated users in security filtering.
-
@wrx7m said in GPP - Deploying Printers To AD Group:
@obsolesce I want to deploy 2 printers via GPP/GPO to a group of users called the CheckPrinterUsers. I have limited access to printing to those printers exclusively to CheckPrinterUsers group via the shared printers' security tabs.
What happens is - The GPP doesn't get applied to the users who are members of that group unless I allow the "Authenticated Users" group print access in the shared printers' security tabs.
Okay, there's 3 aspects to this:
- Group Policy
- Group Policy Targeting
- Printer Permissions
- Printer Permissions:
- On the print server, in "Devices and Printers", go into the "Printer Properties" of the printer in question, then to the Security tab. Remove "Everyone", and then add the "CheckPrinterUsers" group with Print = Allow checked.
- Group Policy:
- Using Group Policy Preferences, under "User Configuration -> Preferences -> Control Panel Settings -> Printers", add a new "Shared Printer".
- Action = Update
- Share Path =
\\printserver\Printername(click the browse button to find it)
- Using Group Policy Preferences, under "User Configuration -> Preferences -> Control Panel Settings -> Printers", add a new "Shared Printer".
- Group Policy Targeting:
- In the above group policy printer window, click the "Common Tab", check "Item-level targeting", then the Targeting button.
- Click "New Item", then "security group"... select the "CheckPrinterUsers" group, then OK/Apply/OK out of the windows.
- Make sure this group policy is added in the AD hierarchy so that it is above all the users it's supposed to effect.
-
@obsolesce said in GPP - Deploying Printers To AD Group:
@wrx7m said in GPP - Deploying Printers To AD Group:
@obsolesce I want to deploy 2 printers via GPP/GPO to a group of users called the CheckPrinterUsers. I have limited access to printing to those printers exclusively to CheckPrinterUsers group via the shared printers' security tabs.
What happens is - The GPP doesn't get applied to the users who are members of that group unless I allow the "Authenticated Users" group print access in the shared printers' security tabs.
Okay, there's 3 aspects to this:
- Group Policy
- Group Policy Targeting
- Printer Permissions
- Printer Permissions:
- On the print server, in "Devices and Printers", go into the "Printer Properties" of the printer in question, then to the Security tab. Remove "Everyone", and then add the "CheckPrinterUsers" group with Print = Allow checked.
- Group Policy:
- Using Group Policy Preferences, under "User Configuration -> Preferences -> Control Panel Settings -> Printers", add a new "Shared Printer".
- Action = Update
- Share Path =
\\printserver\Printername(click the browse button to find it)
- Using Group Policy Preferences, under "User Configuration -> Preferences -> Control Panel Settings -> Printers", add a new "Shared Printer".
- Group Policy Targeting:
- In the above group policy printer window, click the "Common Tab", check "Item-level targeting", then the Targeting button.
- Click "New Item", then "security group"... select the "CheckPrinterUsers" group, then OK/Apply/OK out of the windows.
- Make sure this group policy is added in the AD hierarchy so that it is above all the users it's supposed to effect.
Thanks for breaking it down. This is how it was configured initially, as item-level targeting is my normal way to deploy shared printers. When all that is set that way, it won't install the printers to the users unless I add allow printing to authenticated users group on the printers' ACLs.
-
When item-level targeting is enabled, the RSOP shows that the GPO is applied, but doesn't go into detail beyond that. I guess the item-level targeting-specific info doesn't show up on the RSOP.
-
@wrx7m said in GPP - Deploying Printers To AD Group:
@obsolesce said in GPP - Deploying Printers To AD Group:
@wrx7m said in GPP - Deploying Printers To AD Group:
@obsolesce I want to deploy 2 printers via GPP/GPO to a group of users called the CheckPrinterUsers. I have limited access to printing to those printers exclusively to CheckPrinterUsers group via the shared printers' security tabs.
What happens is - The GPP doesn't get applied to the users who are members of that group unless I allow the "Authenticated Users" group print access in the shared printers' security tabs.
Okay, there's 3 aspects to this:
- Group Policy
- Group Policy Targeting
- Printer Permissions
- Printer Permissions:
- On the print server, in "Devices and Printers", go into the "Printer Properties" of the printer in question, then to the Security tab. Remove "Everyone", and then add the "CheckPrinterUsers" group with Print = Allow checked.
- Group Policy:
- Using Group Policy Preferences, under "User Configuration -> Preferences -> Control Panel Settings -> Printers", add a new "Shared Printer".
- Action = Update
- Share Path =
\\printserver\Printername(click the browse button to find it)
- Using Group Policy Preferences, under "User Configuration -> Preferences -> Control Panel Settings -> Printers", add a new "Shared Printer".
- Group Policy Targeting:
- In the above group policy printer window, click the "Common Tab", check "Item-level targeting", then the Targeting button.
- Click "New Item", then "security group"... select the "CheckPrinterUsers" group, then OK/Apply/OK out of the windows.
- Make sure this group policy is added in the AD hierarchy so that it is above all the users it's supposed to effect.
Thanks for breaking it down. This is how it was configured initially, as item-level targeting is my normal way to deploy shared printers. When all that is set that way, it won't install the printers to the users unless I add allow printing to authenticated users group on the printers' ACLs.
Don't know... that's how i've done it and it works without Authenticated users group in there.
What if you add authenticated users, leave "Print" unchecked, but make sure "Read permissions" is checked?
-
@obsolesce said in GPP - Deploying Printers To AD Group:
@wrx7m said in GPP - Deploying Printers To AD Group:
@obsolesce said in GPP - Deploying Printers To AD Group:
@wrx7m said in GPP - Deploying Printers To AD Group:
@obsolesce I want to deploy 2 printers via GPP/GPO to a group of users called the CheckPrinterUsers. I have limited access to printing to those printers exclusively to CheckPrinterUsers group via the shared printers' security tabs.
What happens is - The GPP doesn't get applied to the users who are members of that group unless I allow the "Authenticated Users" group print access in the shared printers' security tabs.
Okay, there's 3 aspects to this:
- Group Policy
- Group Policy Targeting
- Printer Permissions
- Printer Permissions:
- On the print server, in "Devices and Printers", go into the "Printer Properties" of the printer in question, then to the Security tab. Remove "Everyone", and then add the "CheckPrinterUsers" group with Print = Allow checked.
- Group Policy:
- Using Group Policy Preferences, under "User Configuration -> Preferences -> Control Panel Settings -> Printers", add a new "Shared Printer".
- Action = Update
- Share Path =
\\printserver\Printername(click the browse button to find it)
- Using Group Policy Preferences, under "User Configuration -> Preferences -> Control Panel Settings -> Printers", add a new "Shared Printer".
- Group Policy Targeting:
- In the above group policy printer window, click the "Common Tab", check "Item-level targeting", then the Targeting button.
- Click "New Item", then "security group"... select the "CheckPrinterUsers" group, then OK/Apply/OK out of the windows.
- Make sure this group policy is added in the AD hierarchy so that it is above all the users it's supposed to effect.
Thanks for breaking it down. This is how it was configured initially, as item-level targeting is my normal way to deploy shared printers. When all that is set that way, it won't install the printers to the users unless I add allow printing to authenticated users group on the printers' ACLs.
Don't know... that's how i've done it and it works without Authenticated users group in there.
What if you add authenticated users, leave "Print" unchecked, but make sure "Read permissions" is checked?
I tried that too. Does not work
-
If I add "Domain Computers" group to the printer security settings with allow print, it will deploy the printer to the user.
-
@wrx7m said in GPP - Deploying Printers To AD Group:
If I add "Domain Computers" group to the printer security settings with allow print, it will deploy the printer to the user.
That's because the computer needs to read the printer before the user can, which is why Authenticated users is used on GPOs as well to be applied.
