Solved

Allowing printer redirection for a specific group on TS 2008 R2

Posted on 2015-02-02
Last Modified: 2015-04-02
I have a couple of Terminal Servers that used to allow printer redirection for all users. It was creating havoc for certain departments so I turned it off because 99% of the printers we have around are connected to the network. It turns out that I have 3 users that need the ability to print from home. Right now I have 'do not allow client printer redirection' enabled which has obviously disabled redirection for everyone.

I would like to allow these 3 particular users to redirect their home printers but I am coming up empty on searching. I have found the Configure Printer Redirection TechNet article that explains how to enable it on a per-user basis via the Environment tab on the user, and I realize that I need to change the 'do not allow client printer redirection' policy in order to get that to work. Unfortunately it also looks like that is the default setting for new users.

I am kind of at a loss for what to do from here. I would like to use a Domain level GPO assigned to a printer redirection security group but I am not seeing a way to do that. Any help would be very much appreciated.
0
Question by:Chris Christensen
16 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40585291
All you need to do is enable the printer redirection policy and use the security filtering to select only the users you want to have this enabled for. If you want to apply this to the terminal server in question you could also use Group Policy Loopback Replace Mode to ensure that when users connect to the TS they will receive this policy. You can also use security filtering on the GPO to accomplish this.

Configure Printer Redirection GPO

Group Policy Loopback mode setup

Will.
0
 

Author Comment

by:Chris Christensen
ID: 40585319
Does it matter that the local GPO for each of the Terminal servers has already been configured to block redirection?
0
 

Author Comment

by:Chris Christensen
ID: 40585366
Let me go through what I have done. I have set the local policies for printer redirection back to not configured. I have created a new OU and placed the Terminal Servers in there. I have created a linked GPO under the Terminal Server OU and have set the Disable Printer Redirection setting to enabled. Next I went in and created a group called Printer Redirect and added the users to that group that need the ability to redirect their printers from home. I then went into the delegation tab on the new policy, added the 'Printer Redirect' group and gave it 'allow' read and denied 'apply group policy'.

For some reason I am unable to deny this policy from applying to the printer redirect group. Is this because the policy is being applied to authenticated users?
0

 

Author Comment

by:Chris Christensen
ID: 40585389
Just for fun I removed authenticated users and put domain users in there. Now the policy is not applying at all. I guess I am completely lost right now.
0
 

Author Comment

by:Chris Christensen
ID: 40586371
Will

I attempted setting up the GPO and just setting the security filter to the 'Printer Redirect' and changing the Printer Redirection policy to allow printer redirection (from computer config/admin templates/Windows components, Remote Desktop/Remote Session Host config). That is not working either.

I am a little confused by the loopback link you sent. What would be the point of doing that?
0
 

Author Comment

by:Chris Christensen
ID: 40586450
It looks as if applying the GPO settings to the Computer Config will not allow you to filter it out on a per-user basis; by the looks of it I will need a separate TS that will allow redirection.

If anyone has any further suggestions they will be much appreciated.
0
 

Author Comment

by:Chris Christensen
ID: 40586492
In running the gpresult it looks like that policy is being denied based on the Security filtering, which does not make sense. The account I am logging in is a member of the group that this policy is being applied to.
0
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 500 total points
ID: 40586497
Domain policies override local policies. When you are using computer based policies you can add the computer account to the Security Filtering section. I personally would create a security group and add all the machines that are required into it and apply it to the OU where they exist.

Using Loopback policy processing allows you to control what policies apply to users when they login to the machine in question. You said that this is a terminal server; well, loopback allows you to configure restrictions based on the server which override other policies that they may have outside of logging into the terminal server.

Will.
0
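An added example (not part of the original thread) of checking and setting the security filtering described in the accepted answer, where a Computer Configuration GPO is filtered by computer account. The GPO name, group name and server name are assumptions made up for illustration; the cmdlets come from the GroupPolicy and ActiveDirectory modules, and the registry value is the one written by the 'Do not allow client printer redirection' policy.

```powershell
# Added example. All three names below are hypothetical placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName       = 'TS - Printer Redirection'     # assumed GPO linked to the Terminal Server OU
$ComputerGroup = 'TS Printer Redirect Servers'  # assumed group holding the TS computer accounts
$Server        = 'TS01'                         # assumed terminal server name

# 1. List who may apply the GPO (the Security Filtering list).
#    On 2008 R2 the cmdlets are Get-/Set-GPPermissions; later versions
#    keep these names as aliases of Get-/Set-GPPermission.
Get-GPPermissions -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{n='Trustee'; e={ $_.Trustee.Name }},
                  @{n='Type';    e={ $_.Trustee.SidType }},
                  Permission

# 2. Filter the GPO to the computer group. The setting lives under
#    Computer Configuration, so the computer account must hold Apply.
Set-GPPermissions -Name $GpoName -TargetName $ComputerGroup `
    -TargetType Group -PermissionLevel GpoApply

#    Lower Authenticated Users from Apply to Read. -Replace is required
#    because a lower level does not overwrite a higher one by default.
Set-GPPermissions -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace

# 3. Confirm the server's computer account is in the group. A computer
#    only picks up new group membership after a restart.
Get-ADGroupMember -Identity $ComputerGroup -Recursive |
    Where-Object { $_.Name -eq $Server }

# 4. Run on the terminal server from an elevated prompt: refresh the
#    computer policy and list applied and denied GPOs for computer scope.
gpupdate /target:computer /force
gpresult /scope computer /r

# 5. Read the value that actually landed on the server:
#    1 = client printer redirection blocked, 0 = allowed, absent = not configured.
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' `
    -Name fDisableCpm -ErrorAction SilentlyContinue |
    Select-Object fDisableCpm
```

If step 4 lists the GPO under the denied objects with a security filtering reason, compare the trustees from step 1 with the server's group membership from step 3.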
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40586526
Computer Policies are not based on the user account; they are based on the computer account you are applying it to. When you use Authenticated Users this actually applies to computers as well.

I would try adding the computer accounts of the machines that you want this policy to apply to. So if you are logging into a terminal server you want the computer policies to apply to that machine. That's why loopback processing is important, because if there are policies that the user does not have applied loopback will enforce it on the server.

Will.
0
 

Author Comment

by:Chris Christensen
ID: 40586908
Just to clarify, you want me to try adding the machine accounts of the computers that I would like to allow printer redirection on?

Thanks
Chris
0
 

Author Comment

by:Chris Christensen
ID: 40586919
Just tried adding the computer account of one of the machines and the gpresult is still showing that the policy access was denied.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40586964
Try looking at the local policy and seeing if it is being denied there. If it is, change it. Domain Policies override local policies but in this case there may be some caching issues.

Check local policy secpol.msc

Will.
0
 

Author Comment

by:Chris Christensen
ID: 40594597
From what I can see the domain policy is denying it. I think I am going to bring up another Terminal Server and allow printer redirection on that and just place our teleworking users on it.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40594621
Is it the default domain policy? What you can do for testing is use "Block Inheritance" on the OU where the machine is in. This way you can test your theory before doing extra work.

Will.
0
 

Author Comment

by:Chris Christensen
ID: 40703783
I have abandoned this as it would seem that the previous contractor that was in here has done some really bad stuff with Group policies; it's a huge mess that I do not have time to clean up right now.
0
 

Author Closing Comment

by:Chris Christensen
ID: 40703785
Marking this as the solution as it should have worked, but I have some funny stuff happening that I do not have time to mess with right now.
0


Question has a verified solution.
