- Citrix
- Windows Server 2008
- Active Directory
Install printers using Group Policy in Server 2008 R2 under Citrix XenApp
Hi all,
I have a puzzle that I am hoping someone can help me with. I am trying to install printers to citrix users depending on which security group they belong to in AD.
Details:
I have created an OU called <Sitename> (Per site)
In each OU there are <Dept> OUs
In each <Dept> there are <user> accounts
I have also created a security group for each printer.
Each <user> may be a member of a domain security group such as 'SG_PRN_<printername>'
I have created a GPO for each security group above as follows:
Computer
- Policies
- - Windows Settings
- - - Security Settings
- - - - Local Policies/Security Options
- - - - - Devices
- - - - - - Policy - Devices: prevent users from installing printer drivers=disabled (I have also done this as part of the default domain policy to be sure it is being applied)
User
- Preferences
- - Control Panel Settings
- - -Printers
- - - - Shared Printer (Name: \\server\printername) [This is entered as the printer name]
- - - - - Printername (Order 1)
- - - - - - General
- - - - - - - Action = Replace
- - - - - - - Properties
- - - - - - - - Share path = \\server\printername
- - - - - - - - Set Default = True
- - - - - - - - Only if local printer not present = True
- - - - - - - - Local Port =
- - - - - - Common
- - - - - - - Options
- - - - - - - - Stop processing if error = No
- - - - - - - - Run in logged on users context = No
- - - - - - - - Remove when not applied = Yes
- - - - - - - Item Level Targetting
- - - - - - - - bool = AND
- - - - - - - - not = 0
- - - - - - - - name = domain\SG_PRN Security group
- - - - - - - - sid = the sid
- - - - - - - - userContext = 1
- - - - - - - - Primary Group = 0
- - - - - - - - Local Group = 0
The problem is no matter what level of user (Even administrator level users) I still don't have the printer installed.
According to what I have read that is all I need to do.
If anyone has any suggestions as to how to resolve this I would be very grateful.
I have a puzzle that I am hoping someone can help me with. I am trying to install printers to citrix users depending on which security group they belong to in AD.
Details:
I have created an OU called <Sitename> (Per site)
In each OU there are <Dept> OUs
In each <Dept> there are <user> accounts
I have also created a security group for each printer.
Each <user> may be a member of a domain security group such as 'SG_PRN_<printername>'
I have created a GPO for each security group above as follows:
Computer
- Policies
- - Windows Settings
- - - Security Settings
- - - - Local Policies/Security Options
- - - - - Devices
- - - - - - Policy - Devices: prevent users from installing printer drivers=disabled (I have also done this as part of the default domain policy to be sure it is being applied)
User
- Preferences
- - Control Panel Settings
- - -Printers
- - - - Shared Printer (Name: \\server\printername) [This is entered as the printer name]
- - - - - Printername (Order 1)
- - - - - - General
- - - - - - - Action = Replace
- - - - - - - Properties
- - - - - - - - Share path = \\server\printername
- - - - - - - - Set Default = True
- - - - - - - - Only if local printer not present = True
- - - - - - - - Local Port =
- - - - - - Common
- - - - - - - Options
- - - - - - - - Stop processing if error = No
- - - - - - - - Run in logged on users context = No
- - - - - - - - Remove when not applied = Yes
- - - - - - - Item Level Targetting
- - - - - - - - bool = AND
- - - - - - - - not = 0
- - - - - - - - name = domain\SG_PRN Security group
- - - - - - - - sid = the sid
- - - - - - - - userContext = 1
- - - - - - - - Primary Group = 0
- - - - - - - - Local Group = 0
The problem is no matter what level of user (Even administrator level users) I still don't have the printer installed.
According to what I have read that is all I need to do.
If anyone has any suggestions as to how to resolve this I would be very grateful.
If you have xp or 2003, then you may need to include pushprinterxxx.exe tool. Both the articles have a step-by-step approach with screenshot.
http://www.petri.co.il/deploying-printers-using-group-policy-windows-2008.htm
http://theintegrity.co.uk/2010/07/how-to-deploy-printers-with-group-policy-windows-server-2008-7-vista-xp/
http://www.petri.co.il/deploying-printers-using-group-policy-windows-2008.htm
http://theintegrity.co.uk/2010/07/how-to-deploy-printers-with-group-policy-windows-server-2008-7-vista-xp/
run rsop.msc or gpresult -r or the check within the gpmc to check if the policy are applied to the user/administrator.
sometimes i use the GPP to create the printers also. this should work.
mostly i use the citrix session printer-policy, works fine.
(the GPP-printer creation creates a big logon-delay if som printer or printserver are unavailable)
sometimes i use the GPP to create the printers also. this should work.
mostly i use the citrix session printer-policy, works fine.
(the GPP-printer creation creates a big logon-delay if som printer or printserver are unavailable)
To respond to Basraj reply.
If you have a Windows 7 Machine with RSAT installed and your XP machines have Client Side Extendsion you will be able to use GPP to push the printers out.
If you have a Windows 7 Machine with RSAT installed and your XP machines have Client Side Extendsion you will be able to use GPP to push the printers out.
Hi all,
Sorry I thought I had mentioned that I have Windows 7 clients running under Citrix.
The policies are getting to the clients as I have done a gpresult /r to confirm this.
I have a feeling it is something to do with permissions under Citrix but I don't know where to look for this.
@basraj - Can this be used on Windows 7 clients too?
@dkotte - Can you deploy printers to individuals based on their location (AD Group memberships) using Citrix session printer policy?
@yo_bee - The clients are Windows 7 (Some are thin clients and some connect using the Citrix client on a Windows XP or 7 PC or laptop). I will look into RSAT as I have never heard of this before.
I will update you all tomorrow if I get any further. Many thanks all of you.
Sorry I thought I had mentioned that I have Windows 7 clients running under Citrix.
The policies are getting to the clients as I have done a gpresult /r to confirm this.
I have a feeling it is something to do with permissions under Citrix but I don't know where to look for this.
@basraj - Can this be used on Windows 7 clients too?
@dkotte - Can you deploy printers to individuals based on their location (AD Group memberships) using Citrix session printer policy?
@yo_bee - The clients are Windows 7 (Some are thin clients and some connect using the Citrix client on a Windows XP or 7 PC or laptop). I will look into RSAT as I have never heard of this before.
I will update you all tomorrow if I get any further. Many thanks all of you.
if you get the issue as admin also, this should not be a permission problem.
...
yes the citrix printer policy can bound (filtred) to the ad-group
...
with RemoteServerAdminTools you can create a gpo from win7 intead a server.
the client-side extensions extend the XP and win2003 engine and add gpo features existing since win7.( printer creating, registry settings, and many more ... but runns less stable as the native win7 gpo engine)
...
yes the citrix printer policy can bound (filtred) to the ad-group
...
with RemoteServerAdminTools you can create a gpo from win7 intead a server.
the client-side extensions extend the XP and win2003 engine and add gpo features existing since win7.( printer creating, registry settings, and many more ... but runns less stable as the native win7 gpo engine)
You don't say whether you're using XenApp 6 or XenApp 6.5. In XenApp 6, there's a known bug that causes saving session printers policies to take forever. In an environment with a ton of printers, a gazillion session printers policies was just too painful.
So far as your computer policy, set Citrix policies to disallow other printer drivers, not the GPO.
Change your action to Update. It will process much faster and will create or replace as necessary.
Not quite sure why you're using Remove when not applied. Turn off?
Instead of using Item Level Targeting, set your GPO to use Security Filtering based on the group.
That should fix it. :)
So far as your computer policy, set Citrix policies to disallow other printer drivers, not the GPO.
Change your action to Update. It will process much faster and will create or replace as necessary.
Not quite sure why you're using Remove when not applied. Turn off?
Instead of using Item Level Targeting, set your GPO to use Security Filtering based on the group.
That should fix it. :)
Explore More ContentExplore courses, solutions, and other research materials related to this topic.
-
![]()
received a Solution
Folder Redirection on XenApp 6.5 on Server 2008 R2 -
![]()
wrote an Article
![]()
Pre Server 2016 Group Membership Expiration Tool
-
![]()
created a Video
![]()
Exchange 2019 - Re-create the exchange security groups in Active Directory
-
Explore Cloud Class® ![]()
70-642 R5 - Configuring Windows Server 2008 R2 Network Infrastructure
Premium Content
You need an Expert Office subscription to comment.Start Free Trial