Group Policy Printer OU department propagation.

    Question

  • Quick question which I am sure a bunch of you can answer right away. This is in regards to Printer GPO's and propagation down through different OU's. I will attach a picture so you can see what I am talking about and how I should go about making sure this is setup correctly.


    You can see each Printer GPO which deploys a printerserver/printer to each department. I have enforced them for testing purposes. Now is there a way to exclude each printer GPO from mapping the printer above it? So if you look at the shipping print share, it will also add them to the converters OU and the Desktop OU. So everyone in that department will get all the printers above it. I want each printer OU to only map to the department. What is best practice here? Do I need to change the OU structure so that each OU is not a part of a higher OU, or set up a delete printer under each sub Printer GPO?

    I have read so much online and found nothing really related to this particular issue. Any links or advice would be awesome. As always thank you.

    Regards,

    Jeremy


    Knowledge is power.

    Thursday, June 06, 2013 12:40 AM

All replies

  • I think I'd just create one master Group Policy for all those printer settings and use Item-Level Targeting with OU Target to control which OU gets which printer in the policy: http://technet.microsoft.com/en-us/library/cc770424.aspx

    David Coulter | http://DCtheGeek.blogspot.com | @DCtheGeek

    • Marked as answer by Sevensins Monday, June 17, 2013 6:37 PM
    Thursday, June 06, 2013 1:47 AM
  •  
    Link the "Operations user" GPO directly to each OU where needed, and not
    at the top level. Or do Item Level Targeting in GPP Printers instead.
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
    Friday, June 07, 2013 11:16 AM
  • Thank you so much for the reply. So I will make one printer Policy for all the printers, then target each printer to the OU group? Currently these are mapped to target users when they log on, since all the printers run through a Windows 2008 RC2 print server.

    Thank you

    Jeremy


    Knowledge is power.

    Friday, June 07, 2013 4:59 PM
  • Yes, your single printer policy would include an entry for each printer you want configured.  But on each printer entry you'd configure the Item-Level Targeting to specify which OU that printer supports.  Everyone would get the whole policy, but would only apply the printer objects that they meet the OU membership for.  When you do the targeting, you'll probably also want to check the 'Direct member only' so that only the exact OU will be a match, not inherited membership.

    David Coulter | http://DCtheGeek.blogspot.com | @DCtheGeek

    Saturday, June 08, 2013 5:45 AM
  • Thank you, I started creating one GPO using level-targeting but I have one more question. If I add a targeted user and OU to a printer, will it apply to that user and the OU? Will it apply to a user that is outside the OU or only in the OU at the root where it will sit? Or if I apply a printer and target only one user, will it target just that user when it is applied?

    Jeremy


    Knowledge is power.

    Friday, June 14, 2013 9:45 PM
  • Also anyone know why I have doubles in OU's?


    Knowledge is power.

    Friday, June 14, 2013 10:27 PM
  •  
    > Also anyone know why I have doubles in OU's?
    >
    > ------------------------------------------------------------------------
    >
    > Knowledge is power.
    >
     
    Because you created them?
     
    Because this is only a list of OUs where the GPO is linked (or whatever
    assistant this screen shot was taken from...). And it only displays the
    OU name, not the DN. If you have multiple "Executive" OUs (located below
    different parent OUs, of course) - why not?
     
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
    Friday, June 14, 2013 10:43 PM
  •  
    > Thank you, I started creating one GPO using level-targeting but I have one more question. If I add a targeted user and OU to a printer, will it apply to that user and the OU? Will it apply to a user that is outside the OU or only in the OU at the root where it will sit? Or if I apply a printer and target only one user, will it target just that user when it is applied?

    It depends on how you set it up.  When you create multiple targeting items, you'll get the chance to use a logical operation (And or Or) under the Item Options menu to combine them with the results as you desire.

    David Coulter | http://DCtheGeek.blogspot.com | @DCtheGeek

    Saturday, June 15, 2013 6:57 AM
  • Martin,

    I am sorry I should have shown a larger picture. That picture is when I am choosing an OU to do Item-level targeting to a printer. In AD there is only one OU. I was just curious why when I go to targeting editor and choose new item> organizational unit it shows double of many of the OU's? Doesn't seem to matter which one I choose they have the same link and location.

    Regards,

    Jeremy 


    Knowledge is power.

    Monday, June 17, 2013 6:37 PM
  • DctheGeek,

    Thank you for your help. I just have one more quick question so I understand logical operation correctly. 

    "And" just means in addition to target this group/user etc.

    "Or" is the one I don't really get I guess maybe it goes by whatever is higher in the list? Or it will choose based on like a User or a OU?

    I lied one more question!! If I have a printer and it item-level targets a user in an OU. It will only map the printer to that user correct?

    Thanks again. I will be done bothering you guys now :)

    -J


    Knowledge is power.

    Monday, June 17, 2013 7:00 PM
  • It's standard "and" / "or" terminology:  So if ILT setting A is "Member of XX OU" and ILT setting B is "Member of AD Group YY", the "OR" option says as long as either of those settings is true, apply the Group Policy item.  If the "AND" option is used, then the user / computer would need to be both a member of XX OU and AD Group YY.  Since there are many different types of Item-level Targeting, you can get pretty complex with when a Policy Item should be applied and when it shouldn't.  You can read about them all here: http://technet.microsoft.com/en-us/library/cc733022.aspx

    For the bonus question: if you have a Group Policy assigned to the OU and the user is a member of that OU (or gets the Group Policy Object through some other link), but the Printer Policy Item has Item-Level Targeting matched specific to that user, then it would only map for that particular user, yes.  I guess I'm warning that if you configure an Item-Level Target, but don't link it to an OU that the user or machine would have access to the Group Policy, then even if they meet the ILT, since the GPO was never applied to them, it wouldn't be configured (regardless of the ILT being true).


    David Coulter | http://DCtheGeek.blogspot.com | @DCtheGeek

    • Marked as answer by Sevensins Monday, June 17, 2013 10:03 PM
    Monday, June 17, 2013 8:14 PM
  • Ok that makes sense. So if the user or OU is outside of the Linked GPO or needs to be used? I made a quick Visio, let me know if that is correct. 

    Thanks again DC!!


    Knowledge is power.

    Monday, June 17, 2013 10:03 PM
  • Getting close. : )

    • If your "Printer" GPO is linked at Operations OU, then it will be inherited by Assembly OU and Facilities OU (and any other child OU) as long as the child OU isn't specifically blocking inheritance.
    • In your "Printer" GPO, I'm assuming you have "Printer A (for Assembly OU)", "Printer B (for Facilities OU)", and "Printer C (for Assembly & Facilities OU)".  [names as example only].
    • On the "Printer A" Policy Item, you'd set the Item Level Targeting to be "User is in Assembly OU".  (No need for and / or conditionals since you are only setting one condition).
    • On the "Printer B" Policy Item, you'd set the Item Level Targeting to be "User is in Facilities OU".  (No need for and / or conditionals since you are only setting one condition).
    • On the "Printer C" Policy Item, you'd set the Item Level Targeting to be "User is in Assembly OU" OR "User is in Facilities OU".  (OR conditional is needed since we now have a few matching criteria).
    • User in Assembly will process "Printer" GPO, but will only implement "Printer A" and "Printer C" due to ILT, but will skip "Printer B".
    • User in Facilities will process "Printer" GPO, but will only implement "Printer B" and "Printer C" due to ILT, and will skip "Printer B".

    Repeat as necessary.  That make it a little clearer?  If you also have users in the root Operations OU and want someone in the root and Assembly OU to get the Printer, you'd set it using the OR conditional like "Printer C" example.  An example of the AND conditional would be that you only want users in Assembly OU to get the Printer and they ALSO must be a member of an AD Group (like Executive Printers Club).  Then both would need to be true for them to get that specific printer.


    David Coulter | http://DCtheGeek.blogspot.com | @DCtheGeek

    • Marked as answer by Sevensins Tuesday, June 18, 2013 6:49 PM
    Monday, June 17, 2013 10:19 PM
  • Ok, I think I am starting to get it. If you look at the first picture I posted you can see what I am trying to change. I took all those GPOs and made one at the Operations level that ILTs about 7 OUs below and Users. I was under the impression that if I have the Printer A ILT an OU with "direct member only" checked and "user in OU" bubbled, it will only map Printer A to the users in that OU and no one else in the tree?

    So I want Printer A to target OU Assembly, A user in Facilities and the OU Shipping. But I don't want it to map to any other OU's in the tree below Operations. 

    So I set it as such.

    Printer A ILT OU Assembly (Direct member only) (User in OU)
    "OR" the user is johnm (SID Match)
    "OR" OU Shipping (Direct member only) (User in OU)

    Will every user in Assembly get Printer A?
    Will the user johnm who is in Facilities get Printer A and no other user?
    Will every user in Shipping get Printer A?

    So I would use "AND" if the OU/User is in the same AD group? When you say AD group do you mean any group in the domain or like the Assembly AD group? In this domain all computers are in their own AD group and users are all in their AD group with department categories.


    Knowledge is power.

    Monday, June 17, 2013 11:29 PM
  • For the first three questions, the answer is yes! : )

    The users in those OUs will see the GPO and process it (because they inherit it from Operations), but won't apply the setting because they fail the ILT condition.  The AND is just to make it meet BOTH conditions, not EITHER condition.  My example was of an AD User / Computer group.  Assembly is an OU, not a group.  Another example of an AND might be "OU Assembly (Direct member only)" AND "IP Range = 192.168.1.0-192.168.1.200".  In this example, the user would have to be both in the correct OU and also have an IP in the range.  If they were remote (DirectAccess, VPN, etc), they wouldn't meet the IP Range requirement and wouldn't get the printer.  You can mix and match a LOT of the conditionals to ensure only those who should get something (per all the requirements) get it set.  It's pretty powerful, really (especially when you delve into the WMI query stuff).


    David Coulter | http://DCtheGeek.blogspot.com | @DCtheGeek

    Tuesday, June 18, 2013 1:46 AM
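The targeting rules discussed above (OU with "Direct member only", a SID-matched user, OR between items) can be checked offline with a small evaluator. This is an added example, not code from the thread or from Microsoft: the XML is a constructed, trimmed Printers.xml fragment (clsid, uid and Properties omitted), the domain, users and SIDs are made up, and the element and attribute names are assumed to follow the format GPP writes. Combining items strictly left to right is a simplification, and every sample user is assumed to sit under the Operations OU where the GPO is linked.

```powershell
# Constructed Printers.xml fragment: Printer A as configured in the thread, Printer B for Facilities only.
$xmlText = @'
<Printers>
  <SharedPrinter name="Printer A">
    <Filters>
      <FilterOrgUnit bool="AND" not="0" name="OU=Assembly,OU=Operations,DC=example,DC=com" userContext="1" directMember="1"/>
      <FilterUser bool="OR" not="0" name="EXAMPLE\johnm" sid="S-1-5-21-1111111111-2222222222-3333333333-1104"/>
      <FilterOrgUnit bool="OR" not="0" name="OU=Shipping,OU=Operations,DC=example,DC=com" userContext="1" directMember="1"/>
    </Filters>
  </SharedPrinter>
  <SharedPrinter name="Printer B">
    <Filters>
      <FilterOrgUnit bool="AND" not="0" name="OU=Facilities,OU=Operations,DC=example,DC=com" userContext="1" directMember="1"/>
    </Filters>
  </SharedPrinter>
</Printers>
'@

function Test-IltFilter {
    param($Filter, $User)
    switch ($Filter.LocalName) {
        'FilterOrgUnit' {
            $ou = $Filter.GetAttribute('name')
            # Parent container = the user's DN without its leading RDN (escaped commas not handled).
            $parent = $User.DN.Substring($User.DN.IndexOf(',') + 1)
            if ($Filter.GetAttribute('directMember') -eq '1') { $hit = $parent -ieq $ou }
            else { $hit = $User.DN.EndsWith(",$ou", [System.StringComparison]::OrdinalIgnoreCase) }
        }
        'FilterUser' { $hit = $User.SID -eq $Filter.GetAttribute('sid') }   # SID match, not name match
        default      { $hit = $false }   # item types this sketch does not model never match
    }
    if ($Filter.GetAttribute('not') -eq '1') { -not $hit } else { $hit }
}

function Test-IltPrinter {
    param($Printer, $User)
    $result = $null
    foreach ($f in $Printer.SelectNodes('Filters/*')) {
        $hit = Test-IltFilter -Filter $f -User $User
        if ($null -eq $result)                      { $result = $hit }   # first item: operator ignored
        elseif ($f.GetAttribute('bool') -eq 'OR')   { $result = $result -or $hit }
        else                                        { $result = $result -and $hit }
    }
    # An item without targeting applies to everyone who processes the GPO.
    if ($null -eq $result) { $true } else { $result }
}

# Constructed users; erinl sits in a child OU of Assembly to show what "Direct member only" excludes.
$users = @(
    [pscustomobject]@{ Name = 'annb';  DN = 'CN=annb,OU=Assembly,OU=Operations,DC=example,DC=com';           SID = 'S-1-5-21-1111111111-2222222222-3333333333-1101' }
    [pscustomobject]@{ Name = 'erinl'; DN = 'CN=erinl,OU=Leads,OU=Assembly,OU=Operations,DC=example,DC=com'; SID = 'S-1-5-21-1111111111-2222222222-3333333333-1102' }
    [pscustomobject]@{ Name = 'carlf'; DN = 'CN=carlf,OU=Facilities,OU=Operations,DC=example,DC=com';        SID = 'S-1-5-21-1111111111-2222222222-3333333333-1103' }
    [pscustomobject]@{ Name = 'johnm'; DN = 'CN=johnm,OU=Facilities,OU=Operations,DC=example,DC=com';        SID = 'S-1-5-21-1111111111-2222222222-3333333333-1104' }
)

$doc = [xml]$xmlText
foreach ($u in $users) {
    $mapped = foreach ($p in $doc.Printers.SharedPrinter) {
        if (Test-IltPrinter -Printer $p -User $u) { $p.GetAttribute('name') }
    }
    [pscustomobject]@{ User = $u.Name; Printers = ($mapped -join ', ') }
}
```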
  • DC,

    You have been most helpful and I thank you for your time. I just started playing with WMI, it is amazing what you can do with it. So the way I am using or would be correct I assume?


    Knowledge is power.

    Tuesday, June 18, 2013 7:07 PM
  •  
    > Getting close. : )
    >
    > • If your "Printer" GPO is linked at Operations OU, then it will be inherited by Assembly OU and Facilities OU (and any other child OU) as long as the child OU isn't specifically blocking inheritance.
    > • In your "Printer" GPO, I'm assuming you have "Printer A (for Assembly OU)", "Printer B (for Facilities OU)", and "Printer C (for Assembly & Facilities OU)".  [names as example only].
    > • On the "Printer A" Policy Item, you'd set the Item Level Targeting to be "User is in Assembly OU".  (No need for and / or conditionals since you are only setting one condition).
    > • On the "Printer B" Policy Item, you'd set the Item Level Targeting to be "User is in Facilities OU".  (No need for and / or conditionals since you are only setting one condition).
    > • On the "Printer C" Policy Item, you'd set the Item Level Targeting to be "User is in Assembly OU" OR "User is in Facilities OU".  (OR conditional is needed since we now have a few matching criteria).
    > • User in Assembly will process "Printer" GPO, but will only implement "Printer A" and "Printer C" due to ILT, but will skip "Printer B".
    > • User in Facilities will process "Printer" GPO, but will only implement "Printer B" and "Printer C" due to ILT, and will skip "Printer B".
    >
    > Repeat as necessary.  That make it a little clearer?  If you also have users in the root Operations OU and want someone in the root and Assembly OU to get the Printer, you'd set it using the OR conditional like "Printer C" example.  An example of the AND conditional would be that you only want users in Assembly OU to get the Printer and they ALSO must be a member of an AD Group (like Executive Printers Club).  Then both would need to be true for them to get that specific printer.
    >
    > David Coulter | http://DCtheGeek.blogspot.com | @DCtheGeek

    Just one thing, I think you meant on this line 

    • User in Facilities will process "Printer" GPO, but will only implement "Printer B" and "Printer C" due to ILT, and will skip "Printer B". Printer A not B?


    Knowledge is power.

    Tuesday, June 18, 2013 7:58 PM
  • Yes... it should have been skip "Printer A". : )

    David Coulter | http://DCtheGeek.blogspot.com | @DCtheGeek

    Tuesday, June 18, 2013 8:10 PM
  • That's not an issue with ILT - ILT just uses the default object picker that dsa.msc uses, too... So there has to be an issue in your environment resulting in this duplicate display. Whatever it might be...


    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!

    Tuesday, June 18, 2013 8:41 PM
  •  
    > That's not an issue with ILT - ILT just uses the default object picker that dsa.msc uses, too... So there has to be an issue in your environment resulting in this duplicate display. Whatever it might be...
    >
    > NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    > If my answer was helpful, I'm glad about a rating!

    I figured it out: one is the Computers OU and one is the Users OU. The AD here separates the user accounts from the computers. I am still learning this environment here. :) Thank you for the reply.

    Knowledge is power.

    Tuesday, June 18, 2013 10:10 PM