Set up "Group" on Domain Controller and apply Policy to same "Group"

Posted on 2014-08-20
Last Modified: 2015-01-18
We have two different servers acting as Application Servers in our domain.  Our end users access these servers via RDP.  We allow printer redirection.

Although the end user's "Devices and Printers" folder on their own computer may list 10 different printers, we've restricted the number of printers that will be recognized by the Application Servers to the end user's Default Printer.  We've done that by setting that parameter via:  

       Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection

on both Application Servers.

However, we have a few end users who need to be able to print to ALL the printers listed in their local "Devices and Printers" folder.

I'm assuming that I must create a "Group" that would be excluded from the Application Servers setting described above.  I would place the end users who need to print to ALL printers in that group.

Does this group get created on the Application Servers or the Domain Controller?  Does this policy of exclusion get created via Group Policy on the Domain Controller?  Or, does all this happen on the Application Servers?  Does Group Policy on the Domain Controller override the settings already in place on the Application Servers?

I need help.  Please advise.
Question by:baleman2

    Expert Comment

    by:Andrej Pirman
    Well, if you are talking about GROUP POLICY, then domain controllers are the central point of all group policy rules and objects in the domain. You can see and edit GROUP POLICY from other member servers, but hey...those are the same group policy objects and rules.

    I hope you are NOT talking about LOCAL SECURITY POLICY, which you can find on each server! You can indeed place some rules in those, too, but those rules apply only to the particular server, so they are hard to control and manage. Avoid those!

    So, GROUP POLICIES are created automatically on ALL domain controllers.
    You create them using Group Policy MMC, which you can find on all domain controllers.
    ORGANIZING where to apply some group policy is done via the Active Directory Users and Computers MMC. There you set GROUPS and put COMPUTERS (or users) into them. In your example:

    Then you go to Group Policy MMC and create 2 different policies. One is with settings you described above, and another is with different settings.
    When created, you put a LINK TO GROUP POLICY OBJECT into the above-mentioned 2 different user groups, so the UNRESTRICTED group will have a link to the unrestricted group policy, and the RESTRICTED users group a link to the restricted group policy.

    Hope I explained it in an understandable way :)

    Author Comment

    In our domain we provide connectivity to several different businesses to several different 3rd party software applications on several different servers.  Let's call those servers APP1, APP2, APP3, APP4, APP5, APP6.

    The end users (who get authenticated by our Domain Controller as they log in) and reach software ONLY on APP1 and APP2 are the ONLY end users who need the printer restrictions I mentioned above.  Therefore, thus far I've set the "Default Printer" restriction only on those 2 servers via the servers' Local Policy:

      Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection

    Out of a pool of 150 end users who use the software provided on APP1 and APP2, only 6 end users need to have that policy "relaxed" so that all the printers in their own "Devices and Printers" folder on their own client PC are available for printing.

    If I create a Domain Policy, would it not affect all those other end users who reach their software on APP3, APP4, APP5, and APP6?  Those end users on the remaining 4 Application Servers need no printing restrictions of any kind.

    Accepted Solution

    Hmmm.... I am not sure which policy takes precedence, Local over Domain policy.
    But you can try:
    say you have users in ADUC (Active Directory Users and Computers MMC) in a container. Those need-to-be-relaxed users are, let's say, in container "domain.local --> Users".
    So what you need to test it out is to create a sub-container in this particular container, where the need-to-be-relaxed users are, then move those 6 users into the newly created container. So in our example:
    - all users are in "domain.local --> Users" container
    - those 6 specials are in "domain.local --> Users --> Relaxed" container

    Until now, you did not change anything for any user, because all policies and rules from below still apply to that "Relaxed" container.

    Now, go to Group Policy MMC and create a "relaxed" Group Policy object with your rules to apply to those 6 users. Then make a LINK for this "relaxed" policy into the "Relaxed" container.

    Reboot one of those 6 clients and see if the policy applies.

    Author Comment

    Will try it this weekend.  End users will be off work and allow me to experiment.

    Author Comment

    Followed all instructions as suggested.  Policy did not allow ALL PRINTERS to be displayed for those 6 users.  Only the Default Printer in the end user's Devices and Printers folder was displayed.

    Expert Comment

    by:Andrej Pirman
    Did you double-check that those PRINTER policies are not overlapping?
    If they are in a structure one above the other, then you will get a cumulative result, where you cannot un-set some option which was already set in the parent structure.
    But if the policies are in parallel, each policy influencing its own folder/OU, then the results should be different, as you want.
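The per-user exception this thread is chasing, written up as an added PowerShell example that is not part of the discussion and goes beyond it: instead of a sub-container of users, it keeps the restriction in a GPO's User Configuration, applies it on the session hosts through loopback (merge) processing, and lets a security-filtered, higher-precedence GPO relax it for one group. It assumes the RSAT ActiveDirectory and GroupPolicy modules, the domain name domain.local from the accepted answer, an OU named AppServers holding only APP1 and APP2, placeholder group and account names, and the registry value names behind the two settings (confirm them in the Group Policy editor before relying on them).

```powershell
# Added example, not from the thread. Placeholders: domain.local, the AppServers OU
# (holding only APP1 and APP2), the group name and the two sAMAccountNames.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$AppOU = 'OU=AppServers,DC=domain,DC=local'
$Group = 'RDS Printer Relaxed'
$TsKey = 'HKCU\Software\Policies\Microsoft\Windows NT\Terminal Services'
# Value behind "Redirect only the default client printer" (assumed from TerminalServer.admx;
# confirm in the GPMC editor under User Configuration\...\Printer Redirection).
$Value = 'RedirectOnlyDefaultClientPrinter'

# 1. Group for the exception: from now on only its membership changes.
if (-not (Get-ADGroup -Filter { Name -eq $Group })) {
    New-ADGroup -Name $Group -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $Group -Members 'jdoe', 'asmith'   # placeholder accounts

function Get-OrCreateGpo([string]$Name) {
    $g = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $g) { $g = New-GPO -Name $Name }
    return $g
}

# 2. Restriction GPO: loopback (merge) so user settings linked here apply to anyone logging
#    on to APP1/APP2, plus the default-printer-only rule in User Configuration. Keeping it
#    out of Computer Configuration / Local Policy matters: for Remote Desktop Session Host
#    settings the computer-side value takes precedence over the user-side one.
$restrict = Get-OrCreateGpo 'RDS Printer Restrict'
Set-GPRegistryValue -Name $restrict.DisplayName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null          # 1 = loopback merge
Set-GPRegistryValue -Name $restrict.DisplayName -Key $TsKey -ValueName $Value -Type DWord -Value 1 | Out-Null

# 3. Relaxed GPO: same setting Disabled (0), applied only to the group (Authenticated Users
#    keep Read so the computer can still process it), linked above the restriction so it wins.
$relax = Get-OrCreateGpo 'RDS Printer Relaxed'
Set-GPRegistryValue -Name $relax.DisplayName -Key $TsKey -ValueName $Value -Type DWord -Value 0 | Out-Null
Set-GPPermission -Name $relax.DisplayName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $relax.DisplayName -TargetName $Group -TargetType Group -PermissionLevel GpoApply | Out-Null

foreach ($name in $restrict.DisplayName, $relax.DisplayName) {
    $linked = (Get-GPInheritance -Target $AppOU).GpoLinks | Where-Object { $_.DisplayName -eq $name }
    if (-not $linked) { New-GPLink -Name $name -Target $AppOU -LinkEnabled Yes | Out-Null }
}
Set-GPLink -Name $relax.DisplayName -Target $AppOU -Order 1 | Out-Null   # link order 1 = highest precedence

# 4. Verify on APP1 after gpupdate: 'gpresult /user <sam> /scope:user /r' should list
#    'RDS Printer Relaxed' under Applied GPOs for a group member and not for anyone else.
```

Because nothing is linked at domain level, users of APP3 to APP6 are never touched; the Local Policy restriction already set on APP1 and APP2 should be cleared first, since it would otherwise keep winning over the user-side setting.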
