• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1615
  • Last Modified:

Install printers using Group Policy in Server 2008 R2 under Citrix XenApp

Hi all,

I have a puzzle that I am hoping someone can help me with.  I am trying to install printers to citrix users depending on which security group they belong to in AD.

Details:

I have created an OU called <Sitename> (Per site)
In each OU there are <Dept> OUs
In each <Dept> there are <user> accounts

I have also created a security group for each printer.

Each <user> may be a member of a domain security group such as 'SG_PRN_<printername>'

I have created a GPO for each security group above as follows:

Computer
- Policies
- - Windows Settings
- - - Security Settings
- - - - Local Policies/Security Options
- - - - - Devices
- - - - - - Policy - Devices: prevent users from installing printer drivers=disabled (I have also done this as part of the default domain policy to be sure it is being applied)
User
- Preferences
- - Control Panel Settings
- - -Printers
- - - - Shared Printer (Name: \\server\printername) [This is entered as the printer name]
- - - - - Printername (Order 1)
- - - - - - General
- - - - - - - Action = Replace
- - - - - - - Properties
- - - - - - - - Share path = \\server\printername
- - - - - - - - Set Default = True
- - - - - - - - Only if local printer not present = True
- - - - - - - - Local Port =
- - - - - - Common
- - - - - - - Options
- - - - - - - - Stop processing if error = No
- - - - - - - - Run in logged on users context = No
- - - - - - - - Remove when not applied = Yes
- - - - - - - Item Level Targetting
- - - - - - - - bool = AND
- - - - - - - - not = 0
- - - - - - - - name = domain\SG_PRN Security group
- - - - - - - - sid = the sid
- - - - - - - - userContext = 1
- - - - - - - - Primary Group = 0
- - - - - - - - Local Group = 0

The problem is no matter what level of user (Even administrator level users) I still don't have the printer installed.

According to what I have read that is all I need to do.

If anyone has any suggestions as to how to resolve this I would be very grateful.
0
Howco
Asked:
Howco
1 Solution
 
basrajCommented:
If you have xp or 2003, then you may need to include pushprinterxxx.exe tool. Both the articles have a step-by-step approach with screenshot.

http://www.petri.co.il/deploying-printers-using-group-policy-windows-2008.htm
http://theintegrity.co.uk/2010/07/how-to-deploy-printers-with-group-policy-windows-server-2008-7-vista-xp/
0
 
Dirk KotteSECommented:
run rsop.msc or gpresult -r or the check within the gpmc to check if the policy are applied to the user/administrator.
sometimes i use the GPP to create the printers also. this should work.

mostly i use the citrix session printer-policy, works fine.
(the GPP-printer creation creates a big logon-delay if som printer or printserver are unavailable)
0
 
yo_beeDirector of ITCommented:
To respond to Basraj reply.
If you have a Windows 7 Machine with RSAT installed and your XP machines have Client Side Extendsion you will be able to use GPP to push the printers out.
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
HowcoAuthor Commented:
Hi all,

Sorry I thought I had mentioned that I have Windows 7 clients running under Citrix.

The policies are getting to the clients as I have done a gpresult /r to confirm this.
I have a feeling it is something to do with permissions under Citrix but I don't know where to look for this.

@basraj - Can this be used on Windows 7 clients too?

@dkotte - Can you deploy printers to individuals based on their location (AD Group memberships) using Citrix session printer policy?

@yo_bee - The clients are Windows 7 (Some are thin clients and some connect using the Citrix client on a Windows XP or 7 PC or laptop).  I will look into RSAT as I have never heard of this before.

I will update you all tomorrow if I get any further.  Many thanks all of you.
0
 
Dirk KotteSECommented:
if you get the issue as admin also, this should not be a permission problem.
...
yes the  citrix printer policy can bound (filtred) to the ad-group
...
with RemoteServerAdminTools you can create a gpo from win7 intead a server.
the client-side extensions extend the XP and win2003  engine and add gpo features existing since win7.( printer creating, registry settings, and many more ... but runns less stable as the native win7 gpo engine)
0
 
joharderCommented:
You don't say whether you're using XenApp 6 or XenApp 6.5.   In XenApp 6, there's a known bug that causes saving session printers policies to take forever.  In an environment with a ton of printers, a gazillion session printers policies was just too painful.

So far as your computer policy, set Citrix policies to disallow other printer drivers, not the GPO.  

Change your action to Update.  It will process much faster and will create or replace as necessary.

Not quite sure why you're using Remove when not applied.  Turn off?

Instead of using Item Level Targeting, set your GPO to use Security Filtering based on the group.

That should fix it. :)
0
 
HowcoAuthor Commented:
Sorted.  Thanks for the info.
0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now