GPP - Deploying Printers To AD Group
-
If I add "Domain Computers" group to the printer security settings with allow print, it will deploy the printer to the user.
-
@wrx7m said in GPP - Deploying Printers To AD Group:
If I add "Domain Computers" group to the printer security settings with allow print, it will deploy the printer to the user.
That's because the computer needs to read the printer before the user can, which is why Authenticated users is used on GPOs as well to be applied.
-
I'm guessing I should create a group of computers then, too.
-
@wrx7m said in GPP - Deploying Printers To AD Group:
@black3dynamite said in GPP - Deploying Printers To AD Group:
Can't someone just connect directly to the printer and bypass your lockdown share printer?
Not if I enable the ACL/firewall on the printer.
what printer has that?
-
Yeah I'm lost now... sounds like a lot of adding/removing general groups that I never had to do.
Remove/delete the printer and GPOs and start over IMO.
-
I've never had to remove authenticated users from the printer itself, so that seems like an odd issue, but sounds like @dbeato has as good a reasoning as any for why it's not working.
-
@dashrender HP LaserJet Enterprise M609dn
-
@dashrender said in GPP - Deploying Printers To AD Group:
I've never had to remove authenticated users from the printer itself, so that seems like an odd issue, but sounds like @dbeato has as good a reasoning as any for why it's not working.
If I leave authenticated users with print permissions, then anyone will be able to print to the printers, which are for printing out checks.
-
@wrx7m said in GPP - Deploying Printers To AD Group:
@dashrender said in GPP - Deploying Printers To AD Group:
I've never had to remove authenticated users from the printer itself, so that seems like an odd issue, but sounds like @dbeato has as good a reasoning as any for why it's not working.
If I leave authenticated users with print permissions, then anyone will be able to print to the printers, which are for printing out checks.
Try removing authenticated users and everyone. Then add the check printers users group and alsi a check printers computer group, to the printer properties security tab.
-
@obsolesce said in GPP - Deploying Printers To AD Group:
@wrx7m said in GPP - Deploying Printers To AD Group:
@dashrender said in GPP - Deploying Printers To AD Group:
I've never had to remove authenticated users from the printer itself, so that seems like an odd issue, but sounds like @dbeato has as good a reasoning as any for why it's not working.
If I leave authenticated users with print permissions, then anyone will be able to print to the printers, which are for printing out checks.
Try removing authenticated users and everyone. Then add the check printers users group and alsi a check printers computer group, to the printer properties security tab.
Yeah, per my previous post, that is what I am doing, as it seems that the GPO needs the computer accounts to have access to the shared printer in order to apply the GPP.
-
@wrx7m said in GPP - Deploying Printers To AD Group:
@obsolesce said in GPP - Deploying Printers To AD Group:
@wrx7m said in GPP - Deploying Printers To AD Group:
@dashrender said in GPP - Deploying Printers To AD Group:
I've never had to remove authenticated users from the printer itself, so that seems like an odd issue, but sounds like @dbeato has as good a reasoning as any for why it's not working.
If I leave authenticated users with print permissions, then anyone will be able to print to the printers, which are for printing out checks.
Try removing authenticated users and everyone. Then add the check printers users group and alsi a check printers computer group, to the printer properties security tab.
Yeah, per my previous post, that is what I am doing, as it seems that the GPO needs the computer accounts to have access to the shared printer in order to apply the GPP.
The GPO applies to the computer regardless of the printer permissions. GPO permissions are completely separate and different from the printer permissions on the print server. I was unsure which you were talking about sometimes.
The shared printer permissions on the print server must allow the computer (and user) access for it to be "installed" on the computer.
You don't need to touch the GPO permissions. Just make sure it's applied to Authenticated Users, and linked in Group Policy above the users and computers it shoudl apply to. The "targeting" option within the GPP for that shared printer takes care of who the GPO applies to.
Perhaps you already knew this and I was just unclear which "permissions" you were referring to sometimes.
-
@obsolesce Right, I am having to add a group of computers to the printers' security permissions with allow printing enabled to get the GPP to actually deploy the printer to the user.
UNC pathing to the printer by a member of the PrintersChecksUsers (while the user is logged in) allows them to install and print to the printer.
The GPO shows as applied in the RSOP, but with item level targeting, I don't see any info on why it wasn't actually installed/applied. Maybe it shows it somewhere else.
The key is the shared printer's security tab on the print server, itself. That is where I have to allow the specific group of computers, as well as the specific group of users. I need both, the computers and users groups to have at least printing allowed.