GPP - Deploying Printers To AD Group

wrx7m

@black3dynamite Thanks. I tried that, but it didn't seem to work. I am guessing that it is only to read the ACL permissions themselves and not actually grant the "Read" permission.

black3dynamite

Can't someone just connect directly to the printer and bypass your lockdown share printer?

wrx7m

@black3dynamite said in GPP - Deploying Printers To AD Group:

Can't someone just connect directly to the printer and bypass your lockdown share printer?

Not if I enable the ACL/firewall on the printer.

Mike Davis

@black3dynamite said in GPP - Deploying Printers To AD Group:

Can't someone just connect directly to the printer and bypass your lockdown share printer?

If that was a concern, you would VLAN the printers so only the print server had access to the VLAN.

black3dynamite

@wrx7m said in GPP - Deploying Printers To AD Group:

@black3dynamite Thanks. I tried that, but it didn't seem to work. I am guessing that it is only to read the ACL permissions themselves and not actually grant the "Read" permission.

Does it work when you add the shared printer manually (\\server\shareprinter) from the one of the users in the CheckPrinterUsers group?

wrx7m

@black3dynamite said in GPP - Deploying Printers To AD Group:

@wrx7m said in GPP - Deploying Printers To AD Group:

@black3dynamite Thanks. I tried that, but it didn't seem to work. I am guessing that it is only to read the ACL permissions themselves and not actually grant the "Read" permission.

Does it work when you add the shared printer manually (\\server\shareprinter) from the one of the users in the CheckPrinterUsers group?

Yes, I can add the printer via the UNC path.

black3dynamite

@wrx7m said in GPP - Deploying Printers To AD Group:

@black3dynamite said in GPP - Deploying Printers To AD Group:

@wrx7m said in GPP - Deploying Printers To AD Group:

@black3dynamite Thanks. I tried that, but it didn't seem to work. I am guessing that it is only to read the ACL permissions themselves and not actually grant the "Read" permission.

Does it work when you add the shared printer manually (\\server\shareprinter) from the one of the users in the CheckPrinterUsers group?

Yes, I can add the printer via the UNC path.

What do you have set for the group policy for security group?

wrx7m

@black3dynamite Under security filtering, I first tried authenticated users. Next, I tried the CheckPrintersUsers group and adding the authenticated users with read permissions to the Delegation tab. Right now, it is setup with both groups in the Delegation tab as Read and Authenticated users in security filtering.

Obsolesce

@wrx7m said in GPP - Deploying Printers To AD Group:

@obsolesce I want to deploy 2 printers via GPP/GPO to a group of users called the CheckPrinterUsers. I have limited access to printing to those printers exclusively to CheckPrinterUsers group via the shared printers' security tabs.

What happens is - The GPP doesn't get applied to the users who are members of that group unless I allow the "Authenticated Users" group print access in the shared printers' security tabs.

Okay, there's 3 aspects to this:

1. Group Policy
2. Group Policy Targeting
3. Printer Permissions

• Printer Permissions:
  • On the print server, in "Devices and Printers", go into the "Printer Properties" of the printer in question, then to the Security tab. Remove "Everyone", and then add the "CheckPrinterUsers" group with Print = Allow checked.
• Group Policy:
  • Using Group Policy Preferences, under "User Configuration -> Preferences -> Control Panel Settings -> Printers", add a new "Shared Printer".
    • Action = Update
    • Share Path = \\printserver\Printername (click the browse button to find it)
• Group Policy Targeting:
  • In the above group policy printer window, click the "Common Tab", check "Item-level targeting", then the Targeting button.
  • Click "New Item", then "security group"... select the "CheckPrinterUsers" group, then OK/Apply/OK out of the windows.
  • Make sure this group policy is added in the AD hierarchy so that it is above all the users it's supposed to effect.

wrx7m

@obsolesce said in GPP - Deploying Printers To AD Group:

@wrx7m said in GPP - Deploying Printers To AD Group:

@obsolesce I want to deploy 2 printers via GPP/GPO to a group of users called the CheckPrinterUsers. I have limited access to printing to those printers exclusively to CheckPrinterUsers group via the shared printers' security tabs.

What happens is - The GPP doesn't get applied to the users who are members of that group unless I allow the "Authenticated Users" group print access in the shared printers' security tabs.

Okay, there's 3 aspects to this:

1. Group Policy
2. Group Policy Targeting
3. Printer Permissions

• Printer Permissions:
  • On the print server, in "Devices and Printers", go into the "Printer Properties" of the printer in question, then to the Security tab. Remove "Everyone", and then add the "CheckPrinterUsers" group with Print = Allow checked.
• Group Policy:
  • Using Group Policy Preferences, under "User Configuration -> Preferences -> Control Panel Settings -> Printers", add a new "Shared Printer".
    • Action = Update
    • Share Path = \\printserver\Printername (click the browse button to find it)
• Group Policy Targeting:
  • In the above group policy printer window, click the "Common Tab", check "Item-level targeting", then the Targeting button.
  • Click "New Item", then "security group"... select the "CheckPrinterUsers" group, then OK/Apply/OK out of the windows.
  • Make sure this group policy is added in the AD hierarchy so that it is above all the users it's supposed to effect.

Thanks for breaking it down. This is how it was configured initially, as item-level targeting is my normal way to deploy shared printers. When all that is set that way, it won't install the printers to the users unless I add allow printing to authenticated users group on the printers' ACLs.

wrx7m

When item-level targeting is enabled, the RSOP shows that the GPO is applied, but doesn't go into detail beyond that. I guess the item-level targeting-specific info doesn't show up on the RSOP.

Obsolesce

@wrx7m said in GPP - Deploying Printers To AD Group:

@obsolesce said in GPP - Deploying Printers To AD Group:

@wrx7m said in GPP - Deploying Printers To AD Group:

@obsolesce I want to deploy 2 printers via GPP/GPO to a group of users called the CheckPrinterUsers. I have limited access to printing to those printers exclusively to CheckPrinterUsers group via the shared printers' security tabs.

What happens is - The GPP doesn't get applied to the users who are members of that group unless I allow the "Authenticated Users" group print access in the shared printers' security tabs.

Okay, there's 3 aspects to this:

1. Group Policy
2. Group Policy Targeting
3. Printer Permissions

• Printer Permissions:
  • On the print server, in "Devices and Printers", go into the "Printer Properties" of the printer in question, then to the Security tab. Remove "Everyone", and then add the "CheckPrinterUsers" group with Print = Allow checked.
• Group Policy:
  • Using Group Policy Preferences, under "User Configuration -> Preferences -> Control Panel Settings -> Printers", add a new "Shared Printer".
    • Action = Update
    • Share Path = \\printserver\Printername (click the browse button to find it)
• Group Policy Targeting:
  • In the above group policy printer window, click the "Common Tab", check "Item-level targeting", then the Targeting button.
  • Click "New Item", then "security group"... select the "CheckPrinterUsers" group, then OK/Apply/OK out of the windows.
  • Make sure this group policy is added in the AD hierarchy so that it is above all the users it's supposed to effect.

Thanks for breaking it down. This is how it was configured initially, as item-level targeting is my normal way to deploy shared printers. When all that is set that way, it won't install the printers to the users unless I add allow printing to authenticated users group on the printers' ACLs.

Don't know... that's how i've done it and it works without Authenticated users group in there.

What if you add authenticated users, leave "Print" unchecked, but make sure "Read permissions" is checked?

wrx7m

@obsolesce said in GPP - Deploying Printers To AD Group:

@wrx7m said in GPP - Deploying Printers To AD Group:

@obsolesce said in GPP - Deploying Printers To AD Group:

@wrx7m said in GPP - Deploying Printers To AD Group:

@obsolesce I want to deploy 2 printers via GPP/GPO to a group of users called the CheckPrinterUsers. I have limited access to printing to those printers exclusively to CheckPrinterUsers group via the shared printers' security tabs.

What happens is - The GPP doesn't get applied to the users who are members of that group unless I allow the "Authenticated Users" group print access in the shared printers' security tabs.

Okay, there's 3 aspects to this:

1. Group Policy
2. Group Policy Targeting
3. Printer Permissions

• Printer Permissions:
  • On the print server, in "Devices and Printers", go into the "Printer Properties" of the printer in question, then to the Security tab. Remove "Everyone", and then add the "CheckPrinterUsers" group with Print = Allow checked.
• Group Policy:
  • Using Group Policy Preferences, under "User Configuration -> Preferences -> Control Panel Settings -> Printers", add a new "Shared Printer".
    • Action = Update
    • Share Path = \\printserver\Printername (click the browse button to find it)
• Group Policy Targeting:
  • In the above group policy printer window, click the "Common Tab", check "Item-level targeting", then the Targeting button.
  • Click "New Item", then "security group"... select the "CheckPrinterUsers" group, then OK/Apply/OK out of the windows.
  • Make sure this group policy is added in the AD hierarchy so that it is above all the users it's supposed to effect.

Thanks for breaking it down. This is how it was configured initially, as item-level targeting is my normal way to deploy shared printers. When all that is set that way, it won't install the printers to the users unless I add allow printing to authenticated users group on the printers' ACLs.

Don't know... that's how i've done it and it works without Authenticated users group in there.

What if you add authenticated users, leave "Print" unchecked, but make sure "Read permissions" is checked?

I tried that too. Does not work

wrx7m

If I add "Domain Computers" group to the printer security settings with allow print, it will deploy the printer to the user.

dbeato

@wrx7m said in GPP - Deploying Printers To AD Group:

If I add "Domain Computers" group to the printer security settings with allow print, it will deploy the printer to the user.

That's because the computer needs to read the printer before the user can, which is why Authenticated users is used on GPOs as well to be applied.

wrx7m

I'm guessing I should create a group of computers then, too.

Dashrender

@wrx7m said in GPP - Deploying Printers To AD Group:

@black3dynamite said in GPP - Deploying Printers To AD Group:

Can't someone just connect directly to the printer and bypass your lockdown share printer?

Not if I enable the ACL/firewall on the printer.

what printer has that?

Obsolesce

Yeah I'm lost now... sounds like a lot of adding/removing general groups that I never had to do.

Remove/delete the printer and GPOs and start over IMO.

Dashrender

I've never had to remove authenticated users from the printer itself, so that seems like an odd issue, but sounds like @dbeato has as good a reasoning as any for why it's not working.

wrx7m

@dashrender HP LaserJet Enterprise M609dn