Solved

Group Policy Preferences - TCP/IP Printer - permissions?

Posted on 2016-07-27
Last Modified: 2016-07-27
If you deploy a TCP/IP printer to computers/users via Group Policy Preferences, how can you make it to where the computer or user still needs permission on the Access Control List of the printer in order to print to it?

Since the preference establishes a direct TCP/IP connection, and only references the shared printer's name on the printer server for the purposes of installing the driver, how do you thereafter continue to maintain security/compliance of who can print to that printer?

Does the "Security" tab on the Printer on the Windows print server have no bearing on whether a user/computer connected to the physical printer via TCP/IP via GPPrefs can print to it?
Question by:garryshape
9 Comments
 

Expert Comment

by:Shadowless127
ID: 41731331
I would create a separate GPO for each printer and assign that GPO to a specific Security Group that has access to print to that printer.  I.e. Accounting Group can print to AccountingPrinter1, etc.  Obviously if you have more than 5 printers you're trying to manage on site, this could be a bit tedious.

The way I used to do it was I'd create a GPO for each department.  The GPO housed ONLY special policies I wanted deployed for that department such as network drives, printers, control panel items, etc.  Obviously your organization would have to be setup in a similar manner for this to work.
 

Assisted Solution

by:James Edwards
James Edwards earned 500 total points
ID: 41731357
There is absolutely no reason to have one GPO per printer, sorry Shadowless.  It would be an absolute nightmare to maintain and is not manageable as a business grows.  It simply does not scale well.

The way to do this is to deploy printers using Group Policy Preferences and TARGET them by Security Group.  I.E. if a user is a member of a particular security group, they get the printer because the GPO assigns it by targeting the preference to that group.  I recommend creating Security Groups purely for the purposes of targeting/assigning printers.  Maybe even with clear names such as SG_Printername where SG = security group.  You then simply add a user as a member of the group when you want them to get the printer.

In the manner described above, a user would not even have a printer present if you have not chosen to assign it to them by way of their group membership.  The security tab on the printer is then a moot point for all intents and purposes.

For what it's worth, I did this extensively with my last employer and have just done the exact same thing again with my new/current employer.
 

Author Comment

by:garryshape
ID: 41731411
Thanks for the feedback. I appreciate the added input here, which will help me reevaluate my current GPO.  

In terms of the "Security" tab, I guess what I'm getting at is, say I have a Human Resources printer.
Well I can deploy it to a security group or OU based on item level targeting, using GPPrefs.
But what if someone in sales gets the IP printer of the HR printer? I can't prevent them from printing to that printer I guess, if the "Security" tab of the printer's ACL is moot/irrelevant, can I?  
I guess the only way to achieve this, without resorting to deploying a "shared printer" connection, would be setting security/permissions on the Printer's web server security settings itself?
 

Assisted Solution

by:James Edwards
James Edwards earned 500 total points
ID: 41731444
You can do what you need on the Print Management MMC.  It's more than just a repository of printers for share paths.  You can set all of the settings such as paper types, tray selections, orientations etc., all of which get pushed to the client.  

You can also make use of the Security Tab at this point.  However, you may find difficulties in marrying up the security required between the tab and your GPO/GPP settings, not to mention the security of the GPO itself.  It will take some fiddling, tweaking and testing, but yes, you can do what is required.
 

Author Comment

by:garryshape
ID: 41731460
I guess I'm not understanding the relationship of the Print Management MMC settings, and the TCP/IP printer instance on somebody's Windows 7 computer.
If the printer is deployed via Preferences as a TCP/IP printer, I could theoretically shut down the print server and that computer/user would still be able to print just fine, because it's not being filtered through the print server (where security settings are set).
 

Assisted Solution

by:James Edwards
James Edwards earned 500 total points
ID: 41731471
Sorry, my misunderstanding.  I thought you were referring to the printer instance having a TCP/IP port in the properties of the printer but pushing it as a shared printer.

Which does raise the question of why you are not doing it like this?  Is there a particular reason that you want to deploy it as TCP/IP?  If you create the printer in Print Management with a TCP/IP port, then share it and list it in AD, then deploy using those share details, this would achieve everything you have described thus far.  Is something missing from the reasoning behind doing it any differently?
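For readers who want to see what the "create it in Print Management with a TCP/IP port, share it, list it in AD" route looks like when scripted, here is an added example (not code from anyone in this thread). It builds the HR printer on the print server with the PrintManagement module (Windows Server 2012 / Windows 8 and later) and then rewrites the printer's ACL so that the Security tab actually decides who may print: the default ACL grants Everyone (WD) Print, and this replaces that with a Print-only ACE for a dedicated group. The printer name, IP address, domain, group name and driver are assumptions for illustration; the SG_Printername naming follows James Edwards' suggestion above.

```powershell
# Added example, not from the thread. Run on the print server as an administrator.
#Requires -RunAsAdministrator

$PrinterName = 'HRPrinter'                  # assumed printer/share name
$PrinterIP   = '10.0.20.50'                 # assumed device address
$DriverName  = 'Microsoft PS Class Driver'  # inbox v4 driver; swap in the vendor driver
$PrintGroup  = 'CONTOSO\SG_HRPrinter'       # assumed SG_<Printername> group
$PortName    = "IP_$PrinterIP"

# 1. Standard TCP/IP port (raw, 9100) on the SERVER. Clients talk to the server share,
#    the server talks to the device, so every job passes through the server spooler.
if (-not (Get-PrinterPort -Name $PortName -ErrorAction SilentlyContinue)) {
    Add-PrinterPort -Name $PortName -PrinterHostAddress $PrinterIP
}

# 2. Printer object, shared and published (listed) in Active Directory.
if (-not (Get-Printer -Name $PrinterName -ErrorAction SilentlyContinue)) {
    Add-Printer -Name $PrinterName -DriverName $DriverName -PortName $PortName `
                -Shared -ShareName $PrinterName -Published
}

# 3. Replace the default ACL. Printer SDDL rights: SWRC = PRINTER_ACCESS_USE + READ_CONTROL
#    (the "Print" checkbox); LCSWSDRCWDWO = Manage Printer; the OIIO (inherit-only) ACEs
#    apply to print jobs, i.e. Manage Documents. Everyone (WD) is deliberately absent.
$GroupSid = (New-Object System.Security.Principal.NTAccount($PrintGroup)).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value

$Aces = @(
    '(A;OIIO;RPWPSDRCWDWO;;;BA)'   # Administrators: Manage Documents
    '(A;;LCSWSDRCWDWO;;;BA)'       # Administrators: Manage Printer
    '(A;OIIO;RPWPSDRCWDWO;;;CO)'   # Creator Owner: manage own documents
    "(A;;SWRC;;;$GroupSid)"        # SG_HRPrinter: Print only
)
$Sddl = 'O:BAG:SYD:' + ($Aces -join '')
Set-Printer -Name $PrinterName -PermissionSDDL $Sddl

# 4. Verify: no Everyone-can-print ACE survived, and the group ACE is present.
$Effective = (Get-Printer -Name $PrinterName -Full).PermissionSDDL
if ($Effective -match '\(A;;SWRC;;;WD\)') {
    Write-Warning "Everyone can still print to $PrinterName"
} elseif ($Effective -notmatch [regex]::Escape($GroupSid)) {
    Write-Warning "$PrintGroup is missing from the ACL of $PrinterName"
} else {
    "ACL on $PrinterName: Print restricted to $PrintGroup"
}
```

The point of the verification step is the one the thread keeps circling: this ACL only means something for clients that connect to \\server\HRPrinter. A client that was handed the same IP as a GPP TCP/IP printer never touches this object, so the check would pass on the server while a sales user prints to HR all day.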
 

Author Comment

by:garryshape
ID: 41731479
I was deploying it via preferences as TCP/IP based on others' suggestions, in forums and on sites like deployhappiness.
For example spooling / cpu cycle is handled locally instead of all on the server by everyone.
Single point of failure if printing through the print server. For example server shuts down, or someone hoses up the print server spooler with a corrupt PDF or something for example...
I've also found that people at some point might change settings on the printer like a helpdesk person, which then changes the settings for everybody...
The only downside I see so far is this security issue, which isn't really an issue currently, I'm just trying to think ahead...
 

Accepted Solution

by:James Edwards
James Edwards earned 500 total points
ID: 41731496
All fair comments/observations.  Those are indeed the main negatives.

I would suggest going with my earlier suggestion of pushing via GPO/GPP and using Security Groups to only assign to those you wish to have the printer (TCP/IP printer as per your original requirements), and then to address your concerns over people adding printers themselves that they shouldn't have, block them from doing so by GPO to prevent the adding of printers as per this link:

https://msdn.microsoft.com/en-gb/library/ms811680.aspx?f=255&MSPPError=-2147217396

It's the only way I can see you being able to meet the best of both worlds IMO.
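To make the trade-off in the accepted solution concrete on the client side, here is an added audit script (not posted by anyone in this thread). It runs as the logged-on user on a Windows 8 / Server 2012 or later client with the PrintManagement module, walks the installed printers, and reports which ones are share connections (server ACL applies) versus local printers on a Standard TCP/IP port (server ACL never consulted). For the direct-IP ones it checks whether the current user's token actually contains the SG_<PrinterName> group that the GPP item would have been targeted at, and finally it reads the "Prevent addition of printers" policy value. The domain name and the assumption that the GPP local printer name matches the SG_ group suffix are illustrative.

```powershell
# Added example, not from the thread. Run in the context of the user being audited.
$Domain = 'CONTOSO'   # assumed

# Group membership from the user's own access token, resolved to DOMAIN\Name where possible.
$Identity   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$UserGroups = foreach ($g in $Identity.Groups) {
    try   { $g.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $g.Value }   # unresolvable SID: keep the raw S-1-5-... string
}

foreach ($p in Get-Printer) {
    if ($p.Type -eq 'Connection') {
        # \\server\share connection: jobs pass through the server spooler, so the
        # Security tab on the print server decides whether this user may print.
        "{0,-25} share connection via {1}; server ACL applies" -f $p.Name, $p.ComputerName
        continue
    }

    $port = Get-PrinterPort -Name $p.PortName -ErrorAction SilentlyContinue
    if ($port -and $port.PrinterHostAddress) {
        # Local printer on a Standard TCP/IP port: the client sends jobs straight to the
        # device. Nothing on the print server is consulted; only GPP item-level targeting
        # (and whatever the device itself enforces) limits who can print.
        $expectedGroup = "$Domain\SG_$($p.Name)"   # assumed naming convention
        $inGroup       = $UserGroups -contains $expectedGroup
        "{0,-25} direct IP {1}:{2}; server ACL NOT enforced; member of {3}: {4}" -f `
            $p.Name, $port.PrinterHostAddress, $port.PortNumber, $expectedGroup, $inGroup
    }
}

# "Prevent addition of printers" (User Configuration > Administrative Templates >
# Control Panel > Printers) is stored as NoAddPrinter = 1 under Policies\Explorer.
$pol = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
                        -Name NoAddPrinter -ErrorAction SilentlyContinue
if ($pol.NoAddPrinter -eq 1) {
    'NoAddPrinter policy: enforced (user cannot add the HR printer by IP themselves)'
} else {
    'NoAddPrinter policy: not set'
}
```

A direct-IP line showing "member of CONTOSO\SG_HRPrinter: False" is exactly the scenario the question worried about: the printer is present, it will print, and no server-side setting will stop it. The NoAddPrinter check covers the case where the user added it by hand rather than receiving it through the GPP item; it does nothing about a printer that was pushed to the wrong group, which is why the targeting filters on the GPP items themselves are what need reviewing.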
 

Author Closing Comment

by:garryshape
ID: 41731501
Thank you I will experiment both ways.