Allowing printer redirection for a specific group on TS 2008 R2

I have a couple of Terminal Servers that used to allow printer redirection for all users. It was creating havoc for certain departments so I turned it off because 99% of the printers we have around are connected to the network. It turns out that I have 3 users that need the ability to print from home. Right now I have 'do not allow client printer redirection' enabled which has obviously disabled redirection for everyone.

I would like to allow these 3 particular users to redirect their home printers but I am coming up empty on searching. I have found the Configure Printer Redirection technet article that explains how to enable it on a per users basis via the Environment tab on the user, and I realize that I need to change the 'do not allow client printer redirection' policy in order to get that to work. Unfortunately it also looks like that is the default setting for new users.

I am kind of at a loss for what to do from here. I would like to use a Domain level GPO assigned to a printer redirection security group but I am not seeing a way to do that. Any help would be very much appreciated.
Chris ChristensenNetwork AdministratorAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
Will SzymkowskiConnect With a Mentor Senior Solution ArchitectCommented:
Domain policies override local policies. When you are using computer based policies you can add the computer account to the Security Filtering section. I personally would create a security group and add all the machines that are required into it and apply it to the OU where they exists.

Using Loopback policy processing allow you to control what policies apply to users when they login to the machine in question. You said that this is a terminal server well loopback allows you to configure restrictions based on the server which override other polices that they may have outside of login into the terminal server.

Will.
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
All you need to do is enable the printer redirection policy and use the security filtering to select only the users you want to have this enabled for. If you want to apply this to the termainal server in question you could also Group Policy Loop Back Replace Mode to ensure that when users connect to the TS they will receive this policy. You can also use security filtering on the GPO to accomplish this.

Configure Printer Redirection GPO

Group Policy Loopback mode setup

Will.
0
 
Chris ChristensenNetwork AdministratorAuthor Commented:
Does it matter that the local GPO for each of the Terminal servers has already been configured to block redirection?
0
Easily Design & Build Your Next Website

Squarespace’s all-in-one platform gives you everything you need to express yourself creatively online, whether it is with a domain, website, or online store. Get started with your free trial today, and when ready, take 10% off your first purchase with offer code 'EXPERTS'.

 
Chris ChristensenNetwork AdministratorAuthor Commented:
Let me go through what I have done. I have set the local policies for printer redirection back to not configured. I have created a new OU and placed the Terminal Servers in there. I have created a linked GPO under the Terminal Server OU and have set the Disable Printer Redirection setting to enabled. Next I went in and Created a group called Printer Redirect and added the users to that group that need the ability to redirect their printers from home. I then went into the delegation tab on the new policy, added 'Printer Redirect' group and gave it 'allow' read and denied 'apply group policy'.

For some reason I am unable to deny this policy from applying to the printer redirect group. Is this because the policy is being applied to authenticated users?
0
 
Chris ChristensenNetwork AdministratorAuthor Commented:
Just for fun I removed authenticated users and put domain users in there. Now the policy is not applying at all. I guess I am completely lost right now.
0
 
Chris ChristensenNetwork AdministratorAuthor Commented:
Will

I attempted setting up the GPO  and just setting the security filter to the 'Printer Redirect' and changing the Printer Redirection policy to allow printer redirection ( from computer config/admin templates/Windows components, Remote Desktop/Remote Session Host config). That is not working either.

I am a little confused by the loopback link you sent. What would be the point of doing that?
0
 
Chris ChristensenNetwork AdministratorAuthor Commented:
It looks as if applying the GPO settings to the Computer Config will not allow you to filter it out on a per user basis, by the looks of it I will need a separate TS that will allow redirection.

If anyone has any further suggestions they will be much appreciated.
0
 
Chris ChristensenNetwork AdministratorAuthor Commented:
In running the gpresult it looks like that policy is being denied base on the Security filtering which does not make sense. The account I am logging in is a member of the group that this policy is being applied to.
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
Computer Policies are not based on the user account they are based on the computer account you are applying it to. When you use Authenticated Users this actually applies to computers as well.

I would try adding the computer accounts of the machines that you want this policy to apply to. So if you are logging into a terminal server you want the computer policies to apply to that machine. Thats why loopback processing is important because if there are policies that the user does not have applied loopback will enforce it on the server.

Will.
0
 
Chris ChristensenNetwork AdministratorAuthor Commented:
Just to clarify, you want me to try adding the machine accounts of the computers that I would like to allow printer redirection on?

Thanks
Chris
0
 
Chris ChristensenNetwork AdministratorAuthor Commented:
Just tried adding the computer account of one of the machines and the gpresult is still showing that the policy access was denied.
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
Try looking at the local policy and seeing if it is being denied there. If it is change it. Domain Policies override local policies but in this case there may be some caching issues.

Check local policy secpol.msc

Will.
0
 
Chris ChristensenNetwork AdministratorAuthor Commented:
From what I can see the domain policy is denying it. I think I am going to bring up another Terminal Server and allow printer redirection on that and just place our teleworking users on it.
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
Is it the default domain policy? What you can do for testing is use "Block Inheritance" on the OU where the machine is in.  This way you can test your theory before doing extra work.

Will.
0
 
Chris ChristensenNetwork AdministratorAuthor Commented:
I have abandoned this as it would seem that the previous contractor that was in here has done some really bad stuff with Group policies, its a huge mess that I do not have time to clean up right now.
0
 
Chris ChristensenNetwork AdministratorAuthor Commented:
Marking this as the solution as it should have worked but I have some funny stuff happening that I do not have time to mess with right now
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.