Set up "Group" on Domain Controller and apply Policy to same "Group"

We have two different servers acting as Application Servers in our domain.  Our end users access these servers via RDP.  We allow printer redirection.

Although the end user's "Devices and Printers" folder on their own computer may list 10 different printers, we've restricted the number of printers that will be recognized by the Application Servers to the end user's Default Printer.  We've done that by setting that parameter via:  

       Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection

on both Application Servers.

However, we have a few end users who need to be able to print to ALL the printers listed in their local "Devices and Printers" folder.

I'm assuming that I must create a "Group" that would be excluded from the Application Servers setting described above.  I would place the end users who need to print to ALL printers in that group.

Does this group get created on the Application Servers or the Domain Controller?  Does this policy of exclusion get created via Group Policy on the Domain Controller?  Or, does all this happen on the Application Servers?  Does Group Policy on the Domain Controller override the settings already in place on the Application Servers?

I need help.  Please advise.
Andrej Pirman Commented:
Well, if you are talking about GROUP POLICY, then domain controllers are the central point of all group policy rules and objects in the domain. You can see and edit GROUP POLICY from other member servers, but hey...those are the same group policy objects and rules.

I hope you are NOT talking about LOCAL SECURITY POLICY, which you can find on each server! You can indeed place some rules in those, too, but those rules apply only to the particular server, so they are hard to control and manage. Avoid those!

So, GROUP POLICIES are created automatically on ALL domain controllers.
You create them using Group Policy MMC, which you can find on all domain controllers.
ORGANIZING where to apply some group policy is done via Active Directory Users and Computers MMC. There you set GROUPS and put COMPUTERS (or users) into. In your example:

Then you go to Group Policy MMC and create 2 different policies. One is with settings you described above, and another is with different settings.
When created, you put a LINK TO GROUP POLICY OBJECT into above mentioned 2 different user groups, so UNRESTRICTED group will have a link to unrestricted group policy, and RESTRICTED users group a link to restricted group policy.

Hope I explained in some understanding way :)
baleman2 (Author) Commented:
In our domain we provide connectivity to several different businesses to several different 3rd party software applications on several different servers.  Let's call those servers APP1, APP2, APP3, APP4, APP5, APP6.

The end users (who get authenticated by our Domain Controller as they log in) and reach software ONLY on APP1 and APP2 are the ONLY end users who need the printer restrictions I mentioned above.  Therefore, thus far I've set the "Default Printer" restriction only on those 2 servers via the servers' Local Policy:

  Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection

Out of a pool of 150 end users who use the software provided on APP1 and APP2, only 6 end users need to have that policy "relaxed" so that all the printers in their own "Devices and Printers" folder on their own client PC are available for printing.

If I create a Domain Policy, would it not affect all those other end users who reach their software on APP3, APP4, APP5, and APP6?  Those end users on the remaining 4 Application Servers need no printing restrictions of any kind.
Andrej Pirman Commented:
Hmmm.... I am not sure, which policy takes precedence, Local over Domain policy.
But you can try:
Say you have users in ADUC (Active Directory Users and Computers MMC) in a container. Those need-to-be-relaxed users are, let's say, in container "domain.local --> Users".
So what you need to test it out is to create a sub-container in this particular container, where need-to-be-relaxed users are, then move those 6 users into the newly created container. So in our example:
- all users are in "domain.local --> Users" container
- those 6 specials are in "domain.local --> Users --> Relaxed" container

Until now, you did not change anything for any user, because all policies and rules from below still apply to those "Relaxed" container.

Now, go to Group Policy MMC and create "relaxed" Group Policy object with your rules to apply to those 6 users. Then make a LINK for this "relaxed" policy into "Relaxed" container.

Reboot one of those 6 clients and see, if policy applies.

baleman2 (Author) Commented:
Will try it this weekend.  End users will be off work and allow me to experiment.
baleman2 (Author) Commented:
Followed all instructions as suggested.  Policy did not allow ALL PRINTERS to be displayed for those 6 users.  Only the Default Printer in the end user's Devices and Printers folder was displayed.
Andrej Pirman Commented:
Did you double-check that those PRINTER policies are not overlapping?
If they are in structure one above the other, then you will get cumulative result, where you cannot un-set some option, which was already set in parent structure.
But if policies are in parallel, each policy influencing its own folder/OU, then results should be different, as you want.
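
One way to check for the overlap discussed above, as an added example that is not part of the original thread: it lists the GPOs that reach the users' OU in precedence order, reads the machine-side printer redirection value on APP1 and APP2, and writes a Resultant Set of Policy report. The OU path, test account and report path are placeholders, and the registry value name is the one the "Redirect only the default client printer" setting is understood to write.

```powershell
# Added example. $UserOu, $TestUser and $ReportPath are hypothetical placeholders;
# APP1/APP2 are the server names used in the thread.
Import-Module GroupPolicy

$UserOu     = 'OU=Relaxed,OU=Staff,DC=domain,DC=local'  # OU holding the 6 users (assumed)
$TestUser   = 'DOMAIN\relaxeduser1'                     # one of the 6 users (assumed)
$AppServers = 'APP1', 'APP2'
$ReportPath = 'C:\Temp\rsop-APP1.html'

# 1. Every GPO that reaches the OU, including inherited links.
#    Order 1 has the highest precedence; an Enforced link on a parent
#    cannot be overridden by a GPO linked lower down.
(Get-GPInheritance -Target $UserOu).InheritedGpoLinks |
    Sort-Object Order |
    Select-Object Order, DisplayName, Enabled, Enforced, Target |
    Format-Table -AutoSize

# 2. The machine-side policy value on each session host.
#    Local policy and domain GPOs write to the same key, so this shows
#    the value the server actually has, whichever source set it.
$check = {
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $name  = 'RedirectOnlyDefaultClientPrinter'
    $props = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Server = $env:COMPUTERNAME
        Value  = if ($null -ne $props) { $props.$name } else { 'not configured' }
    }
}
Invoke-Command -ComputerName $AppServers -ScriptBlock $check |
    Select-Object Server, Value

# 3. Resultant Set of Policy for one affected user on one session host.
#    The user must have logged on to APP1 at least once for RSoP data to exist.
#    The report names the winning GPO for each configured setting.
Get-GPResultantSetOfPolicy -Computer 'APP1' -User $TestUser `
    -ReportType Html -Path $ReportPath
```

A value of 1 on the server while the relaxed GPO is linked only to a user OU indicates the restriction is still being applied from the computer side.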