lanits
asked on
Mapping printers via Group Policy Preferences
I am having issues mapping printers via Group Policy Preferences. When I take away the "everyone" group from the security tab the printers will not map (using User Preferences). As long as the member is in the security group it can still access and print via \\Printserver\printer but in the application log I get this error "Group Policy object did not apply because it failed with error code '0x80070005 Access is denied.' This error was suppressed.". If I go to the security settings on the Printserver (Server 2003) and give the "everyone" group print access it maps correctly.
I am testing on XP SP3 computers with Client Side Extensions installed.
I am testing on XP SP3 computers with Client Side Extensions installed.
Don
Try adding just the "authenticated users" group
ASKER
I only want one Security group to have access. If I add authenticated users I still have the issue that anyone can print. Limiting access is my main goal.
We use group policy to deploy/manage printers and it is much easier to control access
http://www.windowsnetworking.com/articles_tutorials/Deploying-Printers-Group-Policy-Windows-R2.html
http://www.windowsnetworking.com/articles_tutorials/Deploying-Printers-Group-Policy-Windows-R2.html
ASKER
I will look into this as a backup plan, but I would really like to accomplish this via the Group Policy Preferences. It seems to me that there must be some work around.
When you add the "security" group in question, you still get access denied?
ASKER
Correct. I can add the "Everyone" or "Authenticated Users" group and it will map correctly, if I take away those permissions I get the access denied error(although once the printer is mapped I can remove the everyone or Authenticated users group and still print). Even with the access denied error I have no problem mapping using the \\printserver\printer method to map. I might just have to use a logon script method, but from a management standpoint it seems the Preferences are the way to go. Requiring the Authenticated users group to have print permissions seems very odd from a security standpoint.
;-) I wasnt asking about "Everyone" or "Authenticated Users", I meant do you have a specific group that you want to allow to use the printer? , if so add that group.
ASKER
The security group in question was already added with full permissions.
ASKER
Right now the only work around I can come up with is to add the permissions for the authenticated users group, give everyone enough time to map the printer, then take the permissions away.
I am leaving work for today, I will check back first thing tomorrow for any other ideas.
I am leaving work for today, I will check back first thing tomorrow for any other ideas.
ASKER
Still doesn't help with the GP Preferences.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Hi,
What does this have to do with Group Policy? I may be out of the loop here somewhat but aren't you just trying to map printers to clients? Unless you have 2003 R2 then Group Policy should not be discussed.
So you ONLY have the users group that you want to have access to that printer in the security section?
You have removed the auth users and the everyone group? You should add in the (ALL LOCAL) print operators, administrators and then the ONE group that you want to have print to that printer. You may have to restart the printer spooler and even cycle the printer power in order for the printer to login with the new permissions. You WILL have to log out anyone that is printing to that printer and then log them back in after you change permissions to print to it.
permissions:
Adminsitrators (local): All
Creator Owner: Manage documents
Group that you add: Print
Those are the ONLY group that you will require.
Also click on security and advanced, owner tab, and ensure that the owner is the localserver\administrator user.
HTH
What does this have to do with Group Policy? I may be out of the loop here somewhat but aren't you just trying to map printers to clients? Unless you have 2003 R2 then Group Policy should not be discussed.
So you ONLY have the users group that you want to have access to that printer in the security section?
You have removed the auth users and the everyone group? You should add in the (ALL LOCAL) print operators, administrators and then the ONE group that you want to have print to that printer. You may have to restart the printer spooler and even cycle the printer power in order for the printer to login with the new permissions. You WILL have to log out anyone that is printing to that printer and then log them back in after you change permissions to print to it.
permissions:
Adminsitrators (local): All
Creator Owner: Manage documents
Group that you add: Print
Those are the ONLY group that you will require.
Also click on security and advanced, owner tab, and ensure that the owner is the localserver\administrator user.
HTH
Sorry, I said to add print operators. You can if you want. Give them Manage Printer access.
ASKER
I am using the Group Policy Preference items that were added with Server 2008. I think the whole problem was the System (or some other service) was trying to authenticate and it did not have access. As soon as I checked the "run in user context" everything worked like a charm.
Actually, if you don't select "run in logged-on user's security context" on your group policy preference printer, it will run under the computer's system account. Adding the $Computer account or any group it is a member of to the access list on the printer server will allow group policy to successfully install the printer.
And yes I know: It's called a group policy USER preference but by default it runs under the COMPUTER's security context...
And yes I know: It's called a group policy USER preference but by default it runs under the COMPUTER's security context...