Solved

Allowing printer redirection for a specific group on TS 2008 R2

Posted on 2015-02-02
Last Modified: 2015-04-02
I have a couple of Terminal Servers that used to allow printer redirection for all users. It was creating havoc for certain departments so I turned it off because 99% of the printers we have around are connected to the network. It turns out that I have 3 users that need the ability to print from home. Right now I have 'do not allow client printer redirection' enabled which has obviously disabled redirection for everyone.

I would like to allow these 3 particular users to redirect their home printers but I am coming up empty on searching. I have found the Configure Printer Redirection TechNet article that explains how to enable it on a per-user basis via the Environment tab on the user, and I realize that I need to change the 'do not allow client printer redirection' policy in order to get that to work. Unfortunately it also looks like that is the default setting for new users.

I am kind of at a loss for what to do from here. I would like to use a Domain level GPO assigned to a printer redirection security group but I am not seeing a way to do that. Any help would be very much appreciated.
0
Question by:Chris Christensen
16 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40585291
All you need to do is enable the printer redirection policy and use the security filtering to select only the users you want to have this enabled for. If you want to apply this to the terminal server in question you could also use Group Policy Loopback Replace Mode to ensure that when users connect to the TS they will receive this policy. You can also use security filtering on the GPO to accomplish this.

Configure Printer Redirection GPO

Group Policy Loopback mode setup

Will.
0
 

Author Comment

by:Chris Christensen
ID: 40585319
Does it matter that the local GPO for each of the Terminal servers has already been configured to block redirection?
0
 

Author Comment

by:Chris Christensen
ID: 40585366
Let me go through what I have done. I have set the local policies for printer redirection back to not configured. I have created a new OU and placed the Terminal Servers in there. I have created a linked GPO under the Terminal Server OU and have set the Disable Printer Redirection setting to enabled. Next I went in and created a group called Printer Redirect and added the users to that group that need the ability to redirect their printers from home. I then went into the delegation tab on the new policy, added the 'Printer Redirect' group and gave it 'allow' read and denied 'apply group policy'.

For some reason I am unable to deny this policy from applying to the printer redirect group. Is this because the policy is being applied to authenticated users?
0
 

Author Comment

by:Chris Christensen
ID: 40585389
Just for fun I removed authenticated users and put domain users in there. Now the policy is not applying at all. I guess I am completely lost right now.
0
 

Author Comment

by:Chris Christensen
ID: 40586371
Will

I attempted setting up the GPO and just setting the security filter to the 'Printer Redirect' and changing the Printer Redirection policy to allow printer redirection (from computer config/admin templates/Windows components, Remote Desktop/Remote Session Host config). That is not working either.

I am a little confused by the loopback link you sent. What would be the point of doing that?
0
 

Author Comment

by:Chris Christensen
ID: 40586450
It looks as if applying the GPO settings to the Computer Config will not allow you to filter it out on a per user basis, by the looks of it I will need a separate TS that will allow redirection.

If anyone has any further suggestions they will be much appreciated.
0
 

Author Comment

by:Chris Christensen
ID: 40586492
In running the gpresult it looks like that policy is being denied based on the Security filtering which does not make sense. The account I am logging in is a member of the group that this policy is being applied to.
0
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 500 total points
ID: 40586497
Domain policies override local policies. When you are using computer based policies you can add the computer account to the Security Filtering section. I personally would create a security group and add all the machines that are required into it and apply it to the OU where they exist.

Using Loopback policy processing allows you to control what policies apply to users when they log in to the machine in question. You said that this is a terminal server; well, loopback allows you to configure restrictions based on the server which override other policies that they may have outside of logging into the terminal server.

Will.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40586526
Computer Policies are not based on the user account they are based on the computer account you are applying it to. When you use Authenticated Users this actually applies to computers as well.

I would try adding the computer accounts of the machines that you want this policy to apply to. So if you are logging into a terminal server you want the computer policies to apply to that machine. That's why loopback processing is important because if there are policies that the user does not have applied loopback will enforce it on the server.

Will.
0
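The approach described in the accepted solution and the comment above (a security group of computer accounts used as the GPO's security filter), as an added PowerShell example that is not part of the original thread. The GPO name, group name and server names are placeholders, and the GroupPolicy and ActiveDirectory modules are assumed to be installed on the admin workstation.

```powershell
# Added example. All names below are hypothetical placeholders, not values from the thread.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName   = 'TS Printer Redirection'   # GPO linked to the Terminal Server OU
$groupName = 'TS Redirection Servers'   # security group holding the TS computer accounts
$servers   = 'TS01', 'TS02'             # Terminal Server computer names

# 1. Create the group if needed and add only computer accounts that are not yet members.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security
}
$current = @(Get-ADGroupMember -Identity $groupName |
             Select-Object -ExpandProperty SamAccountName)
$toAdd   = @($servers | ForEach-Object { Get-ADComputer -Identity $_ } |
             Where-Object { $current -notcontains $_.SamAccountName })
if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $groupName -Members $toAdd
}

# 2. Security filtering: the group gets Read + Apply on the GPO.
Set-GPPermissions -Name $gpoName -TargetName $groupName `
    -TargetType Group -PermissionLevel GpoApply

# 3. Authenticated Users includes computer accounts, so lower it to Read only.
#    Otherwise every computer in the OU still applies the GPO.
Set-GPPermissions -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace

# 4. Review the resulting ACL. A Denied entry here explains a
#    "denied (security filtering)" line in gpresult.
Get-GPPermissions -Name $gpoName -All |
    Select-Object @{n='Trustee'; e={$_.Trustee.Name}},
                  @{n='Type';    e={$_.Trustee.SidType}},
                  Permission, Denied |
    Format-Table -AutoSize

# 5. Run on the Terminal Server itself, after a restart so the computer
#    account picks up its new group membership.
gpupdate /target:computer /force
gpresult /r /scope computer
```

Because the setting lives under Computer Configuration, `gpresult /r /scope computer` is the output to read; the user-scope section will not list it.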
 

Author Comment

by:Chris Christensen
ID: 40586908
Just to clarify, you want me to try adding the machine accounts of the computers that I would like to allow printer redirection on?

Thanks
Chris
0
 

Author Comment

by:Chris Christensen
ID: 40586919
Just tried adding the computer account of one of the machines and the gpresult is still showing that the policy access was denied.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40586964
Try looking at the local policy and seeing if it is being denied there. If it is, change it. Domain Policies override local policies but in this case there may be some caching issues.

Check local policy secpol.msc

Will.
0
 

Author Comment

by:Chris Christensen
ID: 40594597
From what I can see the domain policy is denying it. I think I am going to bring up another Terminal Server and allow printer redirection on that and just place our teleworking users on it.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40594621
Is it the default domain policy? What you can do for testing is use "Block Inheritance" on the OU where the machine is in.  This way you can test your theory before doing extra work.

Will.
0
 

Author Comment

by:Chris Christensen
ID: 40703783
I have abandoned this as it would seem that the previous contractor that was in here has done some really bad stuff with Group policies; it's a huge mess that I do not have time to clean up right now.
0
 

Author Closing Comment

by:Chris Christensen
ID: 40703785
Marking this as the solution as it should have worked but I have some funny stuff happening that I do not have time to mess with right now
0
