Group Policy Printer Preferences Question

Posted on 2010-11-22
Last Modified: 2012-06-27
We've just put up a Windows 2008 domain controller, and I am beginning to test group policy preference settings to assign printers to OUs.  I think I have everything pretty much figured out, except how to address a scenario that occurs quite often in our organization.  I have several people who work out of two different locations and would like to have the printers available that match the location where they are working.  Since I can only have a user in 1 OU, I'm not sure what else I can do except assign all possible printers to these particular people.  I suppose I could also establish two separate logins for these people, but that doesn't seem really user-friendly and could cause problems with email.  Anyone found a creative way to deal with this type of scenario?
Question by:SRC_IT
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
LVL 41

Expert Comment

by:Adam Brown
ID: 34190306
The best way to handle it is to use Item-Level targeting on the Common tab when you are setting up the preference. You can use that to set it up so it will only apply on certain IP addresses (if each site has a different IP address) or you can target the computer object. I've done this with one of my clients that has to have a different default printer at each site and it works quite well. This technet article has more info:

Author Comment

ID: 34190691
I've used the item-level targeting, so I am familiar with it, but maybe I don't understand it completely.  Or maybe my AD OU's are not set up to accomodate this.  But if I have an OU for the first location where the user account resides and an OU for the second location, where the user account does not reside, on the second OU, even if I were to set up a printer preference (for a shared network printer), how would it be applied to this particular user?  Maybe it's just the pending holidays are causing me to need a picture drawn!  Thanks for sticking with me on this because it does sound like you've got it worked out, so I appreciate your knowledge-sharing.
LVL 41

Accepted Solution

Adam Brown earned 500 total points
ID: 34190821
Basically, how this would work is to apply the Preference on both OUs, it will only apply on the OU that the preference is linked to if you are using the User Configuration preference, but you can then use targeting to determine which computers or IP addresses that the preference will apply on. Preferences are a little more intelligent about applying user configurations to specific computers. Basically, you can do it like this:

User Configuration Printer GPO - Configure printers for BOTH locations under User Configuration\Preferences\Control Panel\Printers- but configure Item Level Targeting to list the IP address range for site 1 on the Site 1 printer preference, and the range for site 2 on the Site 2 printer. Link that GPO to the OU for each site. When you do that, the users that are in the site 1 OU will get Printer 1 when they are logged on to a computer that has an IP address from the Site 1 range, and if they go to site 2, they will get the printer that is located at site 2, but not the one at site 1.

Computer Configuration Printer GPO - You would do the same as with the User Configuration GPO, but this would be linked to the OU with the computers in it. This option will give you significantly less control over the printers, since the Computer Configuration Printer Policy doesn't allow you to define the printer as the Default printer (User Configuration Preference will let you do this).

In either situation, you would create One GPO with settings for Both printers in it and allow the Item Level Targeting to control which computers or users are allowed to use which printers and where they can use them. You need only define a limiting factor for each printer. That can be anything you want, really, as long as the computers that they are allowed to use a specific printer for have that thing in common. That can be IP addresses, a list of MAC addresses (You can specify that the policy will only apply if the MAC address equals XX:XX:XX:XX:XX:XX *OR* ZZ:ZZ:ZZ:ZZ:ZZ:ZZ. The OR is important in that situation, because the default operator is AND when using multiple targeting policies. Since the computers won't have *both* MAC addresses, you would use the OR operator), or a Security group (You could configure the Targeting system to install both printers for each user, or group the computers at each location into a Security Group that is based on site and use that instead of IP addresses).

It all really depends on how your AD is set up.  
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.


Author Closing Comment

ID: 34190862
Thanks a bunch for spelling that out!  After reading your first paragraph, the light bulb FINALLY came on!!!  Obviously, this will work and meets my needs exactly, so going to go ahead and assign points, prior to testing.
Thanks again for your help!
LVL 41

Expert Comment

by:Adam Brown
ID: 34190895
As a note, you can even get more specific with Item Level Targeting, like having it so User A will have Printer A when logged in to Computer A, but Printer B when logged in to Computer B (And only that situation, so if User B logs in to Computer A, they could still have Printer B). The trick is just knowing that any time you want more than one thing to happen based on certain criteria, you need to have both things linked to the users that need it to happen and then let the Item Level targeting system deal with the constraints. It's really freaking powerful and is one of the best improvements in 2008 :D

Author Comment

ID: 34190958
Thanks for the additional information!  Believe me, I was quite excited when I came across it and then discovered that even though we still have some W2003 DC's, it would still work!  I agree, it has been a long time coming....that and the drive mappings with no batch scripts (yea!) have made my day(s)!!!  Happy Thanksgiving!

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question