• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3734
  • Last Modified:

Mapping printers via Group Policy Preferences

I am having issues mapping printers via Group Policy Preferences.  When I take away the "everyone" group from the security tab the printers will not map (using User Preferences).  As long as the member is in the security group it can still access and print via \\Printserver\printer but in the application log I get this error "Group Policy object did not apply because it failed with error code '0x80070005 Access is denied.' This error was suppressed.".  If I go to the security settings on the Printserver (Server 2003) and give the "everyone" group print access it maps correctly.

I am testing on XP SP3 computers with Client Side Extensions installed.
0
lanits
Asked:
lanits
  • 8
  • 5
  • 2
  • +1
1 Solution
 
Donald StewartNetwork AdministratorCommented:
Try adding just the "authenticated  users" group
0
 
lanitsAuthor Commented:
I only want one Security group to have access.  If I add authenticated users I still have the issue that anyone can print.  Limiting access is my main goal.
0
 
Donald StewartNetwork AdministratorCommented:
We use group policy to deploy/manage printers and it is much easier to control access
 
http://www.windowsnetworking.com/articles_tutorials/Deploying-Printers-Group-Policy-Windows-R2.html 
0
Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

 
lanitsAuthor Commented:
I will look into this as a backup plan, but I would really like to accomplish this via the Group Policy Preferences.  It seems to me that there must be some work around.  
0
 
Donald StewartNetwork AdministratorCommented:
When you add  the "security" group in question, you still get access denied?
0
 
lanitsAuthor Commented:
Correct.  I can add the "Everyone" or "Authenticated Users" group and it will map correctly, if I take away those permissions I get the access denied error(although once the printer is mapped I can remove the everyone or Authenticated users group and still print).  Even with the access denied error I have no problem mapping using the \\printserver\printer method to map.  I might just have to use a logon script method, but from a management standpoint it seems the Preferences are the way to go. Requiring the Authenticated users group to have print permissions seems very odd from a security standpoint.
0
 
Donald StewartNetwork AdministratorCommented:
;-) I wasnt asking about "Everyone" or "Authenticated Users", I meant do you have a specific group that you want to allow to use the printer? , if so add that group.
0
 
lanitsAuthor Commented:
The security group in question was already added with full permissions.
0
 
lanitsAuthor Commented:
Right now the only work around I can come up with is to add the permissions for the authenticated users group, give everyone enough time to map the printer, then take the permissions away.  

I am leaving work for today,  I will check back first thing tomorrow for any other ideas.
0
 
Donald StewartNetwork AdministratorCommented:
0
 
lanitsAuthor Commented:
Still doesn't help with the GP Preferences.
0
 
lanitsAuthor Commented:
Found the issue.  Under the common tab "run in logged-on user's security context" must be checked.  
0
 
MightySWCommented:
Hi,
What does this have to do with Group Policy?  I may be out of the loop here somewhat but aren't you just trying to map printers to clients?  Unless you have 2003 R2 then Group Policy should not be discussed.

So you ONLY have the users group that you want to have access to that printer in the security section?

You have removed the auth users and the everyone group?  You should add in the (ALL LOCAL) print operators, administrators and then the ONE group that you want to have print to that printer.  You may have to restart the printer spooler and even cycle the printer power in order for the printer to login with the new permissions.  You WILL have to log out anyone that is printing to that printer and then log them back in after you change permissions to print to it.

permissions:
Adminsitrators (local): All
Creator Owner: Manage documents
Group that you add: Print

Those are the ONLY group that you will require.  

Also click on security and advanced, owner tab, and ensure that the owner is the localserver\administrator user.

HTH
0
 
MightySWCommented:
Sorry, I said to add print operators.  You can if you want.  Give them Manage Printer access.
0
 
lanitsAuthor Commented:
I am using the Group Policy Preference items that were added with Server 2008.  I think the whole problem was the System (or some other service) was trying to authenticate and it did not have access.  As soon as I checked  the "run in user context" everything worked like a charm.
0
 
SixFive7Commented:
Actually, if you don't select "run in logged-on user's security context" on your group policy preference printer, it will run under the computer's system account. Adding the $Computer account or any group it is a member of to the access list on the printer server will allow group policy to successfully install the printer.
And yes I know: It's called a group policy USER preference but by default it runs under the COMPUTER's security context...
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 8
  • 5
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now