Thin clients with roaming profiles missing GPO applied printers when connecting to RDS farm
Hi, I posted a question a month ago and while I received a response, things have improved and I want to provide a fresh synopsis in the hopes we've overlooked something simple.
Our environment: 8 RDS VMs running Microsoft Server 2012. They run in a farm that assigns a new server to HP thin clients when they disconnect and log in again (roaming profiles).
The RDS servers were cloned from a template server. About a month ago, a 2008 print server was retired and printers were exported off it using Print Management and imported into the new Windows Server 2012 R2 VM.
The 80 or so printers, mostly HP using the Universal printer driver, are deployed via Group Policy.
The policies are set up with Security filtering applying to the AD group, and both that group and Authenticated Users are listed under the Delegation tab.
The printers are added under User Configuration - Policies - Windows Settings - Printer Connections.
Additional information:
We have loopback enabled, but printer redirection disabled.
Behavior:
1. We were getting duplicates of the printers stacking on top of one another, where you right click on them. This has since stopped by putting in the value of “RemovePrintersAtLogoff” to 0 under the key HKLM\SOFTWARE\Microsoft\Wi
2. Now, every morning, people log into the farm and some people don't see their printers. It doesn't happen every day but it does happen. When gpresult /r is run, the group policies ARE showing up as applied.
We can go to these clients and manually add the printer with no issues, i.e. \\newprintserver\printerna
The method I have read that seems to clean things up a little is to run a Powershell script that cleans the registry on the RDS servers of all instances of the printer connections so they rebuild from scratch.
HKLM\SYSTEM\CurrentControl
HKLM\SYSTEM\CurrentControl
HKLM\SYSTEM\CurrentControl
HKLM\SYSTEM\CurrentControl
HKLM\SOFTWARE\Microsoft\Wi
This was taken from this article: https://community.spiceworks.com/topic/1601648-terminal-server-printing-pdf-s-server-2012-r2-adobe-reader-dc-group-policy
We've tested it on a server pulled out of rotation and it seems to be working, but as the article suggests running this once a week, it looks like we may be running this on all the RDS servers once a night if it works. The registries fill up very quickly with so many people using so many different printers. Testing this evening at 1:00am, and we would even be open to making the same changes to the cloning template and re-cloning the whole farm, as that would ensure all of the printer drivers on the template would be the exact same on each member of the farm.
So Experts, the questions are:
1. Are we missing or adding anything to this setup that would be interfering with the Group Policies being run correctly every morning? Does anyone else run an RDS environment in this manner and perform a certain best practice on their roaming profiles, the GPOs, etc?
2. What would cause the Group policies to be applied but not install the printer, when we can manually add them with no driver issues?
Thanks for any assistance you can provide.
Our environment: 8 RDS VMs running Microsoft Server 2012. They run in a farm that assigns a new server to HP thin clients when they disconnect and log in again (roaming profiles).
The RDS servers were cloned from a template server. About a month ago, a 2008 print server was retired and printers were exported off it using Print Management and imported into the new Windows Server 2012 R2 VM.
The 80 or so printers, mostly HP using the Universal printer driver, are deployed via Group Policy.
The policies are set up with Security filtering applying to the AD group, and both that group and Authenticated Users are listed under the Delegation tab.
The printers are added under User Configuration - Policies - Windows Settings - Printer Connections.
Additional information:
We have loopback enabled, but printer redirection disabled.
Behavior:
1. We were getting duplicates of the printers stacking on top of one another, where you right click on them. This has since stopped by putting in the value of “RemovePrintersAtLogoff” to 0 under the key HKLM\SOFTWARE\Microsoft\Wi
2. Now, every morning, people log into the farm and some people don't see their printers. It doesn't happen every day but it does happen. When gpresult /r is run, the group policies ARE showing up as applied.
We can go to these clients and manually add the printer with no issues, i.e. \\newprintserver\printerna
The method I have read that seems to clean things up a little is to run a Powershell script that cleans the registry on the RDS servers of all instances of the printer connections so they rebuild from scratch.
HKLM\SYSTEM\CurrentControl
HKLM\SYSTEM\CurrentControl
HKLM\SYSTEM\CurrentControl
HKLM\SYSTEM\CurrentControl
HKLM\SOFTWARE\Microsoft\Wi
This was taken from this article: https://community.spiceworks.com/topic/1601648-terminal-server-printing-pdf-s-server-2012-r2-adobe-reader-dc-group-policy
We've tested it on a server pulled out of rotation and it seems to be working, but as the article suggests running this once a week, it looks like we may be running this on all the RDS servers once a night if it works. The registries fill up very quickly with so many people using so many different printers. Testing this evening at 1:00am, and we would even be open to making the same changes to the cloning template and re-cloning the whole farm, as that would ensure all of the printer drivers on the template would be the exact same on each member of the farm.
So Experts, the questions are:
1. Are we missing or adding anything to this setup that would be interfering with the Group Policies being run correctly every morning? Does anyone else run an RDS environment in this manner and perform a certain best practice on their roaming profiles, the GPOs, etc?
2. What would cause the Group policies to be applied but not install the printer, when we can manually add them with no driver issues?
Thanks for any assistance you can provide.
ASKER
Thank you for the information. I'm going to attempt this--is it run only on the primary DCs or can I run on each individual RDS server?
I'm also going to delete any GPO pointing to the old print server if I can find it; I don't think we have any but it's possible!
I'm also going to delete any GPO pointing to the old print server if I can find it; I don't think we have any but it's possible!
the debug mus run at the RDS server(s)
https://support.microsoft.com/en-us/help/221833/how-to-enable-user-environment-debug-logging-in-retail-builds-of-windo
https://support.microsoft.com/en-us/help/221833/how-to-enable-user-environment-debug-logging-in-retail-builds-of-windo
ASKER
I've turned it on with a value of 1002 as noted in the article, and there is a ton of data here. I'm trying 1001 to see if it makes it more readable.
Can I assume the log will contain the username or the string time out/timeout so I can search for errors?
Can I assume the log will contain the username or the string time out/timeout so I can search for errors?
yes, you see the username and an ID for each logon-proccess.
ASKER
Got it. We've enabled logging on all of our RDS servers, and downloaded a program to read them from an external link I found:
http://www.sysprosoft.com/policyreporter.shtml
The next time we get a missing printer, we'll look at the RDS server they connected to and search under that timestamp.
I kept the value at 10002 for verbose so the utility would pick it up.
It would appear that the group policies may be stopping after a failure, but we have yet to see failures in the Event Viewer under Apps and Services / Microsoft / Windows / Group Policy / Operational For instance we had one user that did not get her printer applied, and when we crosschecked the policy ID in the logs it said it was applied.
http://www.sysprosoft.com/policyreporter.shtml
The next time we get a missing printer, we'll look at the RDS server they connected to and search under that timestamp.
I kept the value at 10002 for verbose so the utility would pick it up.
It would appear that the group policies may be stopping after a failure, but we have yet to see failures in the Event Viewer under Apps and Services / Microsoft / Windows / Group Policy / Operational For instance we had one user that did not get her printer applied, and when we crosschecked the policy ID in the logs it said it was applied.
ASKER
While we look for that data...
--We have the printer group policy objects at the root domain level. They are link enabled and not enforced.
--Under the root domain level is a container with all of our domain users so they get the policies and don't seem to have much trouble.
--Also under the root level is a container named "Terminal Servers", which also has the printer GPOs but the container is set to Block Inheritance. There are no printer GPOs in the Terminal Servers container.
--We do not have printer redirection enabled since we don't want people bringing home printers into their sessions when connected via the VPN
--We have loopback processing set to merge in domain policy.
--Only people connecting to the terminal servers have issues.
Wondering if this is the best way to apply the Group Policies if there's some mis-configuration behind the scenes causing this. We've seen people have printers disappear (and re-added manually just fine) which leads me to believe that it's a GP issue.
In your opinion is this set up correctly for our environment?
--We have the printer group policy objects at the root domain level. They are link enabled and not enforced.
--Under the root domain level is a container with all of our domain users so they get the policies and don't seem to have much trouble.
--Also under the root level is a container named "Terminal Servers", which also has the printer GPOs but the container is set to Block Inheritance. There are no printer GPOs in the Terminal Servers container.
--We do not have printer redirection enabled since we don't want people bringing home printers into their sessions when connected via the VPN
--We have loopback processing set to merge in domain policy.
--Only people connecting to the terminal servers have issues.
Wondering if this is the best way to apply the Group Policies if there's some mis-configuration behind the scenes causing this. We've seen people have printers disappear (and re-added manually just fine) which leads me to believe that it's a GP issue.
In your opinion is this set up correctly for our environment?
ASKER
Any thoughts? We're looking at the logs this morning, with three more people having their printers fail to install via GPO (but do when we type the share path to them).
This question needs an answer!
Become an EE member today
7 DAY FREE TRIALMembers can start a 7-Day Free trial then enjoy unlimited access to the platform.
View membership options
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Sometimes (after PS connection attempt timing out) no more GPO's are applied.
Good way to check this: enable user logon debugging.
Within the logfile you should see problems with GPO's.