

Set up "Group" on Domain Controller and apply Policy to same "Group"

Posted on 2014-08-20
Medium Priority
Last Modified: 2015-01-18
We have two different servers acting as Application Servers in our domain.  Our end users access these servers via RDP.  We allow printer redirection.

Although the end user's "Devices and Printers" folder on their own computer may list 10 different printers, we've restricted the number of printers that will be recognized by the Application Servers to the end user's Default Printer.  We've done that by setting that parameter via:  

       Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection

on both Application Servers.

However, we have a few end users who need to be able to print to ALL the printers listed in their local "Devices and Printers" folder.

I'm assuming that I must create a "Group" that would be excluded from the Application Servers setting described above.  I would place the end users who need to print to ALL printers in that group.

Does this group get created on the Application Servers or the Domain Controller?  Does this policy of exclusion get created via Group Policy on the Domain Controller?  Or, does all this happen on the Application Servers?  Does Group Policy on the Domain Controller override the settings already in place on the Application Servers?

I need help.  Please advise.
Question by:baleman2
LVL 18

Expert Comment

by:Andrej Pirman
ID: 40275155
Well, if you are talking about GROUP POLICY, then domain controllers are the central point of all group policy rules and objects in the domain. You can see and edit GROUP POLICY from other member servers, but hey...those are the same group policy objects and rules.

I hope you are NOT talking about LOCAL SECURITY POLICY, which you can find on each server! You can indeed place some rules in those, too, but those rules apply only to the particular server, so they are hard to control and manage. Avoid those!

So, GROUP POLICIES are created automatically on ALL domain controllers.
You create them using Group Policy MMC, which you can find on all domain controllers.
ORGANIZING where to apply some group policy is done via Active Directory Users and Computers MMC. There you set GROUPS and put COMPUTERS (or users) into them. In your example:

Then you go to Group Policy MMC and create 2 different policies. One is with settings you described above, and another is with different settings.
When created, you put a LINK TO GROUP POLICY OBJECT into above mentioned 2 different user groups, so UNRESTRICTED group will have a link to unrestricted group policy, and RESTRICTED users group a link to restricted group policy.

Hope I explained it in an understandable way :)

Author Comment

ID: 40276256
In our domain we provide connectivity to several different businesses to several different 3rd party software applications on several different servers.  Let's call those servers APP1, APP2, APP3, APP4, APP5, APP6.

The end users (who get authenticated by our Domain Controller as they login) and reach software ONLY on APP1 and APP2 are the ONLY end users who need the printer restrictions I mentioned above.  Therefore, thus far I've set the "Default Printer" restriction only on those 2 servers via the server's Local Policy:

  Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection

Out of a pool of 150 end users who use the software provided on APP1 and APP2, only 6 end users need to have that policy "relaxed" so that all the printers in their own "Devices and Printers" folder on their own client PC are available for printing.

If I create a Domain Policy, would it not affect all those other end users who reach their software on APP3, APP4, APP5, and APP6?  Those end users on the remaining 4 Application Servers need no printing restrictions of any kind.
LVL 18

Accepted Solution

Andrej Pirman earned 2000 total points
ID: 40278409
Hmmm.... I am not sure which policy takes precedence, Local or Domain policy.
But you can try:
say you have users in ADUC (Active Directory Users and Computers MMC) in a container. Those need-to-be-relaxed users are, let's say, in container "domain.local --> Users".
So what you need to test it out is to create a sub-container in this particular container, where need-to-be-relaxed users are, then move those 6 users into the newly created container. So in our example:
- all users are in "domain.local --> Users" container
- those 6 specials are in "domain.local --> Users --> Relaxed" container

Until now, you did not change anything for any user, because all policies and rules from above still apply to that "Relaxed" container.

Now, go to Group Policy MMC and create a "relaxed" Group Policy object with your rules to apply to those 6 users. Then make a LINK for this "relaxed" policy into the "Relaxed" container.

Reboot one of those 6 clients and see if the policy applies.
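The OU-and-link procedure from the accepted answer, scripted as an added example (this is not code from the thread or from any product mentioned on the page). It uses the RSAT ActiveDirectory and GroupPolicy modules. The domain DN, OU name, GPO name and user names are assumed, as is the registry value behind "Redirect only the default client printer" (RedirectOnlyDefaultClientPrinter under Software\Policies\Microsoft\Windows NT\Terminal Services, as defined in TerminalServer.admx; confirm against your own ADMX before relying on it). Two details matter for the test the answer describes: GPOs cannot be linked to the built-in CN=Users container, only to sites, domains and OUs, so the "Relaxed" sub-container has to be an OU; and a GPO linked to a user OU only delivers User Configuration settings, so the GPO below configures the User Configuration copy of the setting, not the Computer Configuration copy the question set on APP1 and APP2.

```powershell
# Added example (not from the thread): create the "Relaxed" OU, move the six
# exempted users into it, build a GPO that disables the user-side
# "Redirect only the default client printer" setting, and link it.
# Assumptions: domain DN, OU/GPO names, user names and the registry value name.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn     = 'DC=domain,DC=local'                       # assumed
$ouName       = 'Relaxed'                                  # OU from the accepted answer
$ouDn         = "OU=$ouName,$domainDn"
$gpoName      = 'RDS Printer Redirection - Relaxed'        # assumed name
$relaxedUsers = @('user01','user02','user03','user04','user05','user06')  # constructed

# User-side location of the setting (assumed from TerminalServer.admx).
$policyKey   = 'HKCU\Software\Policies\Microsoft\Windows NT\Terminal Services'
$policyValue = 'RedirectOnlyDefaultClientPrinter'

# 1. Create the OU under the domain root if it does not exist yet.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn -SearchScope OneLevel
if (-not $ou) {
    $ou = New-ADOrganizationalUnit -Name $ouName -Path $domainDn -PassThru
}

# 2. Move the exempted users into it (skip users already there).
foreach ($sam in $relaxedUsers) {
    $user = Get-ADUser -Identity $sam
    if ($user.DistinguishedName -notlike "*,$ouDn") {
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $ouDn
    }
}

# 3. Create the "relaxed" GPO and set the user-side policy to Disabled (DWORD 0).
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Allows all redirected client printers for exempted RDS users'
}
Set-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName $policyValue -Type DWord -Value 0 | Out-Null

# 4. Link the GPO to the OU, once.
$linked = (Get-GPInheritance -Target $ouDn).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null
}

# 5. Show the links now in effect on the OU.
(Get-GPInheritance -Target $ouDn).GpoLinks | Select-Object DisplayName, Enabled, Enforced, Order
```

After running it, log one of the six users on to APP1 and run `gpresult /r /scope:user` in the session to confirm the new GPO is listed under applied objects. Note that when this setting is configured on both the Computer and the User side, the Computer Configuration value wins, so a user-OU GPO cannot relax a restriction that is still enabled in the server's local computer policy; the restriction itself would have to move to the user side (for example a GPO linked to the OU holding APP1 and APP2 with loopback processing enabled, using security filtering to deny "Apply Group Policy" to the relaxed users) for the exemption to take effect.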

Author Comment

ID: 40278622
Will try it this weekend.  End users will be off work and allow me to experiment.

Author Comment

ID: 40287183
Followed all instructions as suggested.  Policy did not allow ALL PRINTERS to be displayed for those 6 users.  Only the Default Printer in the end user's Devices and Printers folder was displayed.
LVL 18

Expert Comment

by:Andrej Pirman
ID: 40306820
Did you double-check that those PRINTER policies are not overlapping?
If they are in structure one above the other, then you will get cumulative result, where you cannot un-set some option, which was already set in parent structure.
But if policies are in parallel, each policy influencing its own folder/OU, then results should be different, as you want.
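One way to check for the overlap the expert describes, as an added example that is not from the thread: enumerate every GPO in the domain that configures the "Redirect only the default client printer" value on either the Computer or the User side, show where each one is linked, and then read the effective values on the session host itself. The registry key and value name are assumed from TerminalServer.admx (not on the page); local computer policy writes to the same HKLM key, so the host-side check also reveals a restriction set only in Local Policy. If both sides turn out to be configured, the Computer Configuration value takes precedence for this setting, which is one explanation for a user-OU GPO that appears to have no effect.

```powershell
# Added example (not from the thread): audit GPOs for the RDS printer
# redirection setting and report the effective values on a session host.
# Assumption: value name RedirectOnlyDefaultClientPrinter (TerminalServer.admx).
Import-Module GroupPolicy

$valueName = 'RedirectOnlyDefaultClientPrinter'
$sides = @(
    @{ Side = 'Computer'; Key = 'HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services' },
    @{ Side = 'User';     Key = 'HKCU\Software\Policies\Microsoft\Windows NT\Terminal Services' }
)

function Find-RdsPrinterPolicyGpos {
    # One row per GPO and side that configures the value, with its link targets.
    foreach ($gpo in Get-GPO -All) {
        foreach ($s in $sides) {
            $entry = Get-GPRegistryValue -Guid $gpo.Id -Key $s.Key -ValueName $valueName -ErrorAction SilentlyContinue
            if (-not $entry) { continue }
            [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
            $links = @($report.GPO.LinksTo | ForEach-Object { "$($_.SOMPath) (enforced=$($_.NoOverride))" })
            [pscustomobject]@{
                GPO      = $gpo.DisplayName
                Side     = $s.Side
                Value    = $entry.Value          # 1 = only the default printer, 0 = explicitly off
                LinkedTo = if ($links) { $links -join '; ' } else { '<not linked>' }
            }
        }
    }
}

function Get-EffectiveRdsPrinterPolicy {
    # Run this on the session host (APP1/APP2), inside the tested user's session:
    # the Policies keys hold what actually won, whether it came from Local Policy
    # or from a domain GPO.
    foreach ($s in $sides) {
        $regPath = $s.Key -replace '^HKLM\\', 'HKLM:\' -replace '^HKCU\\', 'HKCU:\'
        $v = (Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
        [pscustomobject]@{
            Side   = $s.Side
            Value  = if ($null -eq $v) { '<not configured>' } else { $v }
            Source = if ($s.Side -eq 'Computer') { 'Local Policy or a GPO on the server OU' } else { 'a GPO on the user OU (or loopback)' }
        }
    }
}

Find-RdsPrinterPolicyGpos    | Format-Table -AutoSize
Get-EffectiveRdsPrinterPolicy | Format-Table -AutoSize
```

Two GPOs in the first table whose LinkedTo paths nest (one on the parent OU, one on the child "Relaxed" OU) are the "one above the other" case from the comment; `gpresult /r` in the user's session then shows which of them was applied last, and the second table shows whether the Computer side is still set regardless.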
