Xeronimo

Problems deploying printers via GPO

Ok, so I've installed a print server and I've installed printers on it.

What I want to be able to do now is to deploy a certain printer to a certain group of people. And I'm getting confused between using 'deploy printer' on the print server and the settings under GPO > user configuration > preferences > control panel settings > printers ...

I've got a 'Users: Printers' GP applied to my users OU. And when I deploy the printer to that OU then everyone in the OU will have the printer installed. And that works. BUT I only want a subset of those users to get this specific printer. That's why I've created a security group for this. But it seems like I can use that item-level targeting only with the 'user configuration' option in the GP!?

I've tried Step 4 in this article but the deployed printer is NOT visible under user configuration > preferences > control panel settings > printers so I can't configure the item-level targeting for it!? The deployed printer is only visible under user configuration > policies > Windows settings > deployed printers.

So what am I missing or misunderstanding!? Thanks!
Xeronimo

ASKER

Update:

So I've 'undeployed' that printer on the print server. Logically it has therefore also disappeared from uc > policies > Windows settings > deployed printers.

Instead I have added that printer as a shared printer under uc > preferences > control panel settings > printers (with action 'update'). It now gets displayed as well. So far, so good. I've then enabled the 'item-level targeting' and I've selected the security group I've created (which my test user is a member of). But it seems like the item-level targeting is not really working because when I remove my user from that security group then the printer does not disappear! Actually, it even gets recreated after first applying a 'delete all (printer connections)' action ... this is driving me crazy!?

Another update:

It really seems like the Group Policy is totally ignoring the 'item-level targeting' part ...

Inside of the GP that's being applied to the Users OU I've added this 'delete all' action under uc > preferences > control panel settings > printers and I've activated the 'item-level targeting' so this rule will only be applied to the users of a certain security group.

Then, using my test user, I've connected to a network printer. It gets displayed and works fine. I've then forced a gpupdate with the result that the network printer vanishes! EVEN THOUGH that test user is not in that security group!? That test user is part of the Users OU, though, to which the Group Policy is being applied. But that's not how it is supposed to work, right!?

Ok, here's something weird:

When doing, under the login of the test user, a 'whois /groups' then that security group is displayed as a result ... I assume that means the test user is a member of it?

But when doing 'Get-ADPrincipalGroupMembership testuser |select name' then that security group is not listed!?

Ah, wait, group memberships only change after logging out and in again, right? D'oh ...........

Robert

You are using security filters based on groups; be sure that you add Authenticated Users to have "READ" permission to the group.
A few years back MS changed the way it is applied, and if you assign a group you should also add the read permission so that it will apply correctly to the group.

REF:
https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-policy-security-update-ms16-072-kb3163622/
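
The MS16-072 article linked above describes user Group Policy being retrieved in the computer's security context, so a security-filtered GPO also needs Read for Authenticated Users or Domain Computers. The following audit is an added example, not part of the original thread; it assumes the RSAT GroupPolicy module, English trustee names, and a hypothetical function name `Get-GpoMissingComputerRead`.

```powershell
# Added example (not from the thread): list GPOs on which no trustee that
# covers computer accounts holds at least Read, the MS16-072 failure case.
Import-Module GroupPolicy

function Get-GpoMissingComputerRead {
    [CmdletBinding()]
    param(
        # Assumption: English built-in names; localized domains use other names.
        [string[]]$Trustee = @('Authenticated Users', 'Domain Computers')
    )

    # Permission levels that include read access to the GPO.
    $readable = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

    foreach ($gpo in Get-GPO -All) {
        # Collect whatever level each trustee holds; a trustee with no entry
        # on the GPO raises an error, which is suppressed here.
        $levels = foreach ($name in $Trustee) {
            $p = Get-GPPermission -Guid $gpo.Id -TargetName $name `
                     -TargetType Group -ErrorAction SilentlyContinue
            if ($p) { [string]$p.Permission }
        }

        $hasRead = @($levels | Where-Object { $readable -contains $_ }).Count -gt 0
        if (-not $hasRead) {
            [pscustomobject]@{
                DisplayName = $gpo.DisplayName
                Id          = $gpo.Id
                # 'GpoCustom' here means a hand-edited ACL: review it manually.
                Found       = $(if ($levels) { $levels -join ',' } else { 'none' })
            }
        }
    }
}

Get-GpoMissingComputerRead | Format-Table -AutoSize

# Remediation for a single GPO ('Users: Printers' is the GPO named in the question).
# GpoRead grants read only; security filtering by group still decides who applies it.
# Set-GPPermission -Name 'Users: Printers' -TargetName 'Authenticated Users' `
#     -TargetType Group -PermissionLevel GpoRead
```
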
ASKER CERTIFIED SOLUTION
Xeronimo