  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 832

Setting up GPOs for user permissions and printer deployment

I have read through many answers on EE but have not found one that helps with my issue.
I have a domain built entirely on 2003 R2 AD.
I have 2 DCs, 1 file and print server and 2 other member servers.
I am trying to set up group policies for user permissions and to deploy printers.
So far nothing works. I have made OUs for my users and my computers, and I have installed all my printers on my print server machine.

I admit I just don't understand how to get the GPO to apply to the users OU and how to get the printers to deploy.

I could really use some good step-by-step help on this.

My last round of questions went unanswered; I am hoping for better this time.

Thanks
0
Asked by KenBlessing
1 Solution
 
kevin_uk05 commented:
I'll explain how we deploy printers; see if this helps you...
0
 
kevin_uk05 commented:
Firstly, GPOs apply policies to either Computers or Users. If you have an OU which contains your users and a separate OU which contains your PCs, then you will need to have separate GPOs, one on each OU (or you could link one GPO against both OUs).

On your Users OU create and link a GPO and configure the policies you wish to apply to users during logon, and on the Computers OU create and link a GPO and configure the policies you wish to apply during a computer's boot.

With regards to deploying printers: we use a self-made ADM file and a VBS logon script to map printers during logon.
0
 
KCTS commented:
0

 
amajidkh commented:
Used the above guide (KCTS) in a test environment; works OK. Some permissions issues, apart from that fine.

mk
0
 
Kevin Hays, IT Analyst, commented:
If you have the print server then you could always use a VBScript to check for group membership and then just map the printer that way. I map drives and printers this way with the login script. Now if the login script doesn't fire for some reason then those settings don't get applied.

If you wish to take a look at a VBScript to map printers/drives then I can supply one for you to modify. There are many ways to accomplish this.

You must have your users in the OU where your GPO has settings for the user section. Same goes for the computers, unless you apply it to a top-level OU.

Ex: Staff -> Computers, Users

You could link one GPO to Staff for both sections.

Kevin
0
 
KenBlessing (Author) commented:
KCTS

I have that article and I followed it, but my printers did not work.

I have a feeling I am missing a step or putting something in the wrong place.
OK, get this. For a test I set up a GPO and applied it to a test OU with a test user. This was almost verbatim out of the SYBEX MCSE 70-294 book. In the test GPO I put in for a login message to appear and for Notepad to start on login, just so I would know if it was working without having to look too far.
It didn't work.
Then for some reason I don't remember I rebooted my server. Now the GPO applied itself to the server login and not the test user.
So, obviously I am an idiot and did something very wrong, but I don't know what.
0
 
Kevin Hays, IT Analyst, commented:
OK, for starters here is a simple VBScript to place in the login section of the users. This just maps printers based on their share name.

Dim net
Set net = CreateObject("WScript.Network")
net.AddWindowsPrinterConnection "\\srcs\LANIER_COLOR"
net.AddWindowsPrinterConnection "\\srcs\tsh_studio28"

' Set the default printer now
'net.SetDefaultPrinter "\\srcs\tsh_studio28"


You need to place the login script in the correct location for it to fire, though. When you edit the login script section, click on Show Files, then click on Browse and paste the file in there to make sure it's in the correct location. Some may place files in the NETLOGON directory, which is shared by default also for scripts.

As for the group membership, here is the script I'm using. I'm by no means an expert in VBScript, but this does the job.

START

'::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
'
' File:     Map Network Drives.vbs
' Updated:  October 2006
' Version:  1.3
' Author:   Kevin
' Desc:     Login script to map drives based on group membership.
'
'::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Dim objNet, objADInfo, objUser, localDrives, GroupObj, i
Dim sIT_Windows, sIT_Linux, sPublic_Windows, sPublic_Linux, sFileServer, sHome

Set objNet      = CreateObject("Wscript.Network")             ' create network object
Set objADInfo   = CreateObject("ADSystemInfo")                ' create AD object
Set objUser     = GetObject("LDAP://" & objADInfo.UserName)   ' bind to the logged-on user's AD object
Set localDrives = objNet.EnumNetworkDrives                    ' collection of (drive letter, UNC path) pairs

sIT_Windows     = "\\srcs\IT\"
sIT_Linux       = "\\10.1.1.99\it"
sPublic_Windows = "\\srcads\public"
sPublic_Linux   = "\\10.1.1.99\Public"
sFileServer     = "\\10.1.1.99\"
sHome           = "\\10.1.1.99\" & objNet.UserName

' Remove all network drives already mapped (even indexes are the drive letters)
For i = 0 To localDrives.Count - 1 Step 2
    If Not localDrives.Item(i) = "" Then
        objNet.RemoveNetworkDrive localDrives.Item(i), True, True
        'msgbox(localDrives.Item(i))
    End If
Next

' Sleep
Wscript.Sleep 300

With objNet
    For Each GroupObj In objUser.Groups
        Select Case LCase(GroupObj.Name)
            Case "cn=information technology"
                .MapNetworkDrive "I:", sIT_Windows
                .MapNetworkDrive "J:", sPublic_Windows
                .MapNetworkDrive "K:", sFileServer & "it"
                Wscript.Sleep 400

            Case "cn=sales"
                .MapNetworkDrive "P:", sFileServer & "sales"
                Wscript.Sleep 400

            Case "cn=customer service"
                .MapNetworkDrive "M:", sFileServer & "customer_service"
                Wscript.Sleep 400

            Case "cn=marketing"
                .MapNetworkDrive "O:", sFileServer & "marketing"
                Wscript.Sleep 400

            Case "cn=human resource"
                .MapNetworkDrive "Q:", sFileServer & "human_resource"
                Wscript.Sleep 400
        End Select
        'msgbox(GroupObj.Name)
    Next

    ' Map fileserver drives for everyone
    .MapNetworkDrive "Y:", sPublic_Linux
    .MapNetworkDrive "Z:", sHome
End With

' Cleanup resources (the string variables need no cleanup)
Set objNet    = Nothing
Set objADInfo = Nothing
Set objUser   = Nothing

' Quit wscript
WScript.Quit


END


The formatting is all wrong though, so don't pay any attention to that.

It sounds like you have linked the GPO to the domain and not to a child OU.
You will need to create a child OU under your main domain. Call it TESTOU or something. Under that OU, move a valid user object in there. Create and link a GPO to the TESTOU and just remove the Run command or something small like that. Don't worry about startup/login scripts right now. After you get that applied, make sure that Authenticated Users have Read and Apply Group Policy in their security settings. You may need to log in to the workstation with that user and then run gpupdate /force to force the settings to take effect. If you have the firewall on SP2 machines, then make sure they can receive the ICMP settings so that GPOs can be pushed down.

You need to be using GPMC if you are not by chance already. Those are just the basics of GPOs. Sorry if I've already stated what you have done already.

Kevin
0
 
KenBlessing (Author) commented:
Let's start at the beginning. I thought I put in the GPMC, but I don't see any changes anywhere to know if it is working. Where/how does it run?

Below I put in a representation of what my MMC looks like.
I don't know if this helps at all.

My feeling is I messed this up from the beginning and I should just start over.

Console root
+Active directory domains and trust
--Active directory users and computers(dc1.mydomain.local)
      +Saved queries
      --Mydomain.local
            Mydomain computers----------(mydomain pcs)
            Mydomain users-----------------(mydomain users)
            Mydomain administrators------(mydomain admins)
            Mydomain servers---------------(mydomain servers incl file and print server)
            Builtin-----------------------(unchanged)
            Computers-----------------(empty)
            Domain controllers-------(dc1 and dc2)
            Foreignsecurityprincipals---(unchanged)
            TEST OU----------------------------(test user and my pc)
            Users------------(default users from install)
      Active directory sites and services (dc1.mydomain.local)
      Dns
      Services (local)
      Computer management (local)
      MYDOMAIN PRINTER GPO (DC1.MYDOMAIN.LOCAL) POLICY
      TEST USER (DC1.MYDOMAIN.LOCAL) POLICY
0
 
Kevin Hays, IT Analyst, commented:
If you installed the GPMC tool then you should be able to find it in Administrative Tools / Group Policy Management. If not, then you can do Start / Run / gpmc.msc and it will launch.

It looks like you have your test OU in the correct spot. Just create and link the GPO there and do something in the user section that you can see very easily, to make sure it's working first.

Kevin
0
 
KenBlessing (Author) commented:
As for linking the GPO to the domain and not the child OU: that is not what I did, but it is what happened.
To apply the GPO I right-clicked on the child OU (test ou)
      Went to Properties, then Group Policy
      Clicked Add and chose test user and mydomain printer
      Clicked OK

So why do the test user and mydomain printer GPOs show up under the mydomain.local group policies?

I don't get this. Please help.
0
 
KenBlessing (Author) commented:
OK, I checked and the GPMC did not install on my DC1 server running 2003 r3, where I run the MMC.
When I try to run the gpmc.msi file I get an error message that says it can only be installed on XP and machines running the Windows Server 2003 OS.
Now what?
0
 
KenBlessing (Author) commented:
OK, I got the GPMC to install. So I will not recheck everything I have done so far and see if I can get this to work.

I'll let you know how I make out.
Thanks
0
 
KenBlessing (Author) commented:
Still does not work. I don't get it.
0
 
Kevin Hays, IT Analyst, commented:
In the Security tab of the properties of the GPO just leave "Authenticated Users" there and don't add anybody right now. You move the user, and only the user, in Active Directory Users and Computers to the test OU. Have you done that yet?

On a side note, I've got my problems here too :( Trying to sniff some packets to see why our IP is on a spam blacklist now, and I have no hub :(

When you created and linked the GPO to the test OU, what settings did you change in the user section?
0
 
KenBlessing (Author) commented:
Under test user policy properties there is:
Authenticated Users -- with Read and Apply Group Policy permissions
Creator Owner -- no permissions
Domain Admins -- Read, Write, Create Child, Delete Child objects
Enterprise Admins -- Read, Write, Create Child, Delete Child objects
Enterprise Domain Controllers -- Read
System -- Read, Write, Create Child, Delete Child objects


Test user is the only thing in the test OU.

In the user section I added to use the Luna desktop theme and to run WordPad on logon.
0
 
Kevin Hays, IT Analyst, commented:
OK, sounds like it should work. I'll have to test it tomorrow when I'm at work.
0
 
KenBlessing (Author) commented:
OK, I got the GPO to take. I am not 100% on how I did it. I think I had only made changes that would affect the computer and nothing to affect the user, and I had only applied the GPO to the test user, not the test computer.

Now to figure out why I can deploy my printers with the same GPO.
0
 
KenBlessing (Author) commented:
kshays:

I looked at your script for the printers and I have no idea what to do with that. VB scripts have severely eluded me.
0
 
Kevin Hays, IT Analyst, commented:
You have to move computers inside the OU if you modify anything in the computer section.
You have to move users inside the OU if you modify anything in the user section.

Now, as far as this printer script goes, I have my printers shared on a "print server". I just typed this code into a blank Notepad and saved it as MapPrinter.vbs.

I then place this file as a "login" script so that when a user logs in they will have these printers mapped for them.

Dim net
Set net = CreateObject("WScript.Network")
net.AddWindowsPrinterConnection "\\srcs\LANIER_COLOR"
net.AddWindowsPrinterConnection "\\srcs\tsh_studio28"

' Set the default printer now
'net.SetDefaultPrinter "\\srcs\tsh_studio28"

You would just replace "\\srcs\LANIER_COLOR" with "\\servername\printer share name".

That would map the printers for you. If you can see how that works then you can use this code within the other VBScript, based on group membership.

VBScript is almost a must for any type of scripting such as this, as I have found out.
0
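As an added example that is not part of the thread, here is one way to put Kevin's two scripts together: printers are mapped by AD group membership, and each AddWindowsPrinterConnection call is wrapped so that a failure reports its error code (such as 8007007B) instead of stopping the script at that line. It assumes the print server \\file-and-print and share mis118 from the thread; the group names Sales and Information Technology and the shares sales_laser and it_color are placeholders.

```vbscript
' Added example (not from the thread): logon script that maps shared printers
' by AD group membership and reports failures instead of aborting.
Option Explicit
On Error Resume Next

Dim objNet, objADInfo, objUser, objGroup, strPrintServer

strPrintServer = "\\file-and-print"   ' assumed print server NetBIOS name

Set objNet    = CreateObject("WScript.Network")
Set objADInfo = CreateObject("ADSystemInfo")
Set objUser   = GetObject("LDAP://" & objADInfo.UserName)   ' logged-on user's AD object
If Err.Number <> 0 Then
    WScript.Echo "Cannot read the user object from AD: 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 1
End If

' Map one shared printer; on failure print the HRESULT (e.g. 8007007B) and carry on
Sub ConnectPrinter(strShare)
    On Error Resume Next   ' error handling is per procedure in VBScript
    Err.Clear
    objNet.AddWindowsPrinterConnection strShare
    If Err.Number <> 0 Then
        WScript.Echo "Failed to map " & strShare & ": 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
    Else
        WScript.Echo "Mapped " & strShare
    End If
End Sub

' Printer everyone gets (share name from the thread)
ConnectPrinter strPrintServer & "\mis118"

' Printers by group membership; the CN values are placeholder group names
For Each objGroup In objUser.Groups
    Select Case LCase(objGroup.Name)
        Case "cn=sales"
            ConnectPrinter strPrintServer & "\sales_laser"
        Case "cn=information technology"
            ConnectPrinter strPrintServer & "\it_color"
    End Select
Next

' Set the default printer last, and report rather than abort if it fails
Err.Clear
objNet.SetDefaultPrinter strPrintServer & "\mis118"
If Err.Number <> 0 Then
    WScript.Echo "SetDefaultPrinter failed: 0x" & Hex(Err.Number) & " " & Err.Description
End If

Set objUser   = Nothing
Set objADInfo = Nothing
Set objNet    = Nothing
```

Run it once from a command prompt on the workstation (cscript MapPrinters.vbs) before placing it in the GPO logon script, so the echoed error codes are visible.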
 
KenBlessing (Author) commented:
I made this script.
I put it in the startup and in the login.

Still no printers.

DIm Net
Set net = createobject("wscript.network")
net.addwindowsprinterconnection "\\file-&-print\mis118"

net.setdefaultprinter "\\file-&-print\mis118"

0
 
Kevin Hays, IT Analyst, commented:
When you added it in the login script of the GPO, are you using the test user account you moved into the OU?

Also, when editing the login setting, click on "Show Files". Make sure your file is listed there. Then click on Add and select your file.

After all that is done, on the workstation where you are testing, issue the command "gpupdate /force" from the Start / Run prompt.

This will refresh the group policy.

Kevin
0
 
KenBlessing (Author) commented:
OK, something is better than nothing.
The gpupdate run on the workstation helped.

Now I get an error on line 3:
Printer name is invalid
Character 1
0
 
Kevin Hays, IT Analyst, commented:
OK, good :)

I'm thinking it's the & that is causing the problem. Try putting the IP instead. Is that the correct share name listed on your print server?
0
 
KenBlessing (Author) commented:
\\xxx.xxx.xxx.xxx\mis118      no good

Error:
The file name, directory name or volume label syntax is incorrect
code 8007007b
0
 
KenBlessing (Author) commented:
This scripting stuff is all well and good, but why doesn't the GPO with the pushprinterconnection.exe work?

Why is getting all my printers to all my users so difficult?

Sorry, I had to get that off my chest.

Thanks for helping
0
 
KenBlessing (Author) commented:
OK, now I have edited the script:

DIm Net
Set net = createobject("wscript.network")
net.addwindowsprinterconnection \\file-and-print\mis118
net.setdefaultprinter \\file-and-print\mis118

Now I get an error on line 3, char 33, code 800a03ea, which points to a syntax error, but I can not figure out what is wrong. I've tried capitals, I tried adding spaces, I tried a different printer.
Nothing.
I will try more tomorrow.

Thanks
0
 
Kevin Hays, IT Analyst, commented:
Well, the syntax error would be that you have no quotes around     \\file-and-print\mis118
It should be      "\\file-and-print\mis118"

Try this before Dim Net:

server = "\\file-&-print\mis118"
msgbox server

Then replace net.AddWindowsPrinterConnection "\\file-and-print\mis118" with:

net.AddWindowsPrinterConnection server

See what that gives you. As far as the pushprinterconnection.exe, I've never used it. I've always found this VBScripting easy, or at least for these situations, so I've just stuck with it :)
It's late here so I'll have to try and see what I can do when I get to work in the morning.
0
 
KenBlessing (Author) commented:
Hi Kshays

Thank you for all your help with this, and not to argue with your information, but when I look up the error code 8007007b at the link below they tell me that the server name and printer should not have quotes.
So I take away the quotes and I get an error of 800a03ea, which tells me I have a syntax error starting at char 33:
net.AddWindowsPrinterConnection \\file-and-print\mis118

http://www.computerperformance.co.uk/Logon/code/code_8007007B.htm
0
 
Kevin Hays, IT Analyst, commented:
No problems. Here is also a link that shows a sample of mapping a printer.

http://www.computerperformance.co.uk/Logon/LogonScript_Printer_Method.htm

The quotes are usually placed if there are spaces in the string.

Kevin
0
 
KenBlessing (Author) commented:
Hi Kevin
I tried the suggestions from that link; still no good.

I am starting to wonder if it is the server name that is no good, because I am out of ideas.
0
 
Kevin Hays, IT Analyst, commented:
I thought it might be the server name that may be bad, but then I wouldn't think Windows would let you name the server if the characters were invalid. Other thoughts are:

1. Try the script on another machine.
2. From the Start / Run prompt enter        \\NetBIOSname\PrinterShareName
This should bring up the window to that printer. If that doesn't bring it up, then something is really wrong.

Maybe the wscript host library has become corrupt or needs to be updated? I'm almost out of ideas too :(
0
 
KenBlessing (Author) commented:
OK, on my workstation, in Start / Run I entered   \\file-and-print\mis118

It opened a window to the printer mis118 on file-and-print.
I could open the properties of the printer and print a test page.

So what does this mean? I don't get it.


Did you ever figure out your spam blacklist issue?
0
 
Kevin Hays, IT Analyst, commented:
Well, that is good I guess :) It basically means there is not a problem with your workstation name and you are indeed entering the correct share for the printer. Maybe this link will help.

http://www.computerperformance.co.uk/Logon/code/code_8007007B.htm

Yes, I finally found an old Netgear hub in the office. I downloaded Wireshark and slapped it on my laptop and did a filter of "tcp port 25 and not ip host 192.168.1.4". As soon as I plugged the hub between my firewall and switch, "BAM", I found the infected system, which was a laptop according to the IP when I did an nslookup on the IP. Anyway, come to find out it received the trojan.peed.ice on May 26, and I was out those two weeks due to my appendix rupturing on me. I'm thinking the person that did the mail monitoring might have accidentally approved some items that weren't supposed to be. Who knows, but I've got our IP off the lists except for one, and it should fall off automatically in a few days.

0
 
KenBlessing (Author) commented:
Kevin

No good. I've been through every error code that comes up and none of them help.
I don't get this.

If I change the server name, what am I going to lose?
0
 
Kevin Hays, IT Analyst, commented:
Renaming the server would probably cause you a lot of headaches, depending on what you have on it. It really doesn't make much sense. Copy this text into Notepad and save it as something.vbs and then run it on your workstation. Replace "srcads" with your server name or remote server name and see if it works. It should display the currently logged-on user.

computer = "srcads"
set wmiService = GetObject("Winmgmts:\\" & computer)
set objComputer = wmiService.InstancesOf("Win32_ComputerSystem")

for each wmiObj in objComputer
     if wmiObj.UserName <> "" then
          wscript.echo wmiObj.UserName
     else
          wscript.echo "No user currently logged on"
     end if
next

Here is a list of scripts using VBScript; try some examples out and see if they run.
http://www.microsoft.com/technet/scriptcenter/scripts/default.mspx?mfr=true
0
 
KenBlessing (Author) commented:
Kevin

The text below errors out stating that the remote server machine does not exist or is unavailable.

computer = "file-and-print"
set wmiService = GetObject("Winmgmts:\\" & computer)
set objComputer = wmiService.InstancesOf("Win32_ComputerSystem")

for each wmiObj in objComputer
     if wmiObj.UserName <> "" then
          wscript.echo wmiObj.UserName
     else
          wscript.echo "No user currently logged on"
     end if
next
0
 
KenBlessing (Author) commented:
If I change the first line to my DC1 and run the script, it works. So this seems to me to be possibly a DNS issue. Maybe?
0
 
Kevin Hays, IT Analyst, commented:
Change it to your IP then. If that doesn't work then you've got some problems other than these :(

Can you do an nslookup on the server name and get its IP returned, and vice versa?
0
 
KenBlessing (Author) commented:
Wow: "can not find server name for ip: non-existent domain"

Man, this just gets worse and worse.
0
 
Kevin Hays, IT Analyst, commented:
Yep yep :( OK, the nslookup issue basically means you have no reverse lookup zone in your AD network, or if you do, then you need a pointer record to point back to your DNS server.

It does appear you may have some DNS issues and possibly some others.

On your DNS server, bring up a command prompt and type in " netdiag /v > c:\netdiag_test.txt " without the quotes. After it's done, edit the file and see if anything fails. You may also want to enable WINS for backward compatibility.

I'm going home for the day, so if you don't get it resolved today, someone else might jump in and give suggestions also; if not, we'll try again tomorrow.

Good luck.

Kevin
0
 
KenBlessing (Author) commented:
Kevin, that string did not run. Error: "netdiag is not recognized as an internal or external command, operable program or batch file."

Oh well, next.
0
 
Kevin Hays, IT Analyst, commented:
You can find it on a Windows 2000 or higher disc under the Support Tools folder.
0
 
KenBlessing (Author) commented:
Hi Kevin

I got the printers to deploy, but not by using the VBScript; that regretfully turned out to be a waste of time. I fixed my DNS reverse lookup zone and the GPO push worked fine.

I want to thank you for all the time you put into this, and I'll give you the points, and maybe this whole string will help out somebody else.

Which part of this thing do I accept as the solution, though?
Thanks again
Ken
0
 
Kevin Hays, IT Analyst, commented:
I'm glad you got the problem worked out. Normally, to just map a printer is just as simple as what I posted, but as you can see, sometimes things just don't work out like they should.

You are welcome. I was going to stick with it until you found a solution of some type :) Honestly, whichever comment you want, basically :)

Cheers Ken, and have a great day.

Kevin
0
