Deploy multiple printers with group policy preferences with one policy

    Question

  • I am having trouble with deploying printers with GPP. I have 40 Printers that need to be deployed to different users. Only certain users need certain printers.

    I've got a GPO setup with user printer preferences and a list of 5 printers for testing. Each of those printers I have targeted to security groups for each printer. My test users are added to the various security groups.

    If I set the Security filter of the policy to "Authenticated Users" then ALL (not just test users) get the printers deployed to them. If I leave the security filter blank, NO users get the printers.

    I was under the impression, since I targeted each printer to a specific Security group, only users in that group will get that printer.

    2012 AD, going to Win7, Win8 and 2012 terminal server. 

    Thanks for any help you can give, Travis


    • Edited by TMacieGCH Friday, February 19, 2016 2:45 PM
    Friday, February 19, 2016 2:44 PM

Answers

  • I found that the printers I was testing were "deployed by GPO" on the print server. It turns out if the printer is linked to any other GPO, it will kind of default to spreading the printer to anyone in the security filter.

    I never did get tracing to work.....

    Travis

    • Marked as answer by TMacieGCH Thursday, March 03, 2016 12:56 PM
    Thursday, March 03, 2016 12:56 PM

All replies

  • > I was under the impression, since I targeted each printer to a specific
    > Security group, only users in that group will get that printer.
     
    To my understanding: You have a GPO that has a security filter. And
    INSIDE this GPO, you use GPP Printers to assign printers to your users.
    These printers use item level targeting for "Security Group - User is a
    member of".
     
    Correct so far?
     
    Then would you mind posting the XML of one of your printer items?
    (Right click - all tasks).
     
    Friday, February 19, 2016 3:17 PM
  • Correct. The Security filter is set to Authenticated Users.

    I'll get the XML... added below


    <?xml version="1.0"?>
    <SharedPrinter bypassErrors="1" userContext="1" uid="{F328632E-EB9C-41E1-8458-983A0F73D638}" changed="2016-02-19 14:15:59" image="2" status="GCHInfoServices" name="GCHInfoServices" clsid="{9A5E9697-9095-436d-A0EE-4D128FDFBCE5}">
      <Properties port="" deleteMaps="0" persistent="0" deleteAll="0" skipLocal="0" default="0" location="" path="\\GRACE-DC3\GCHInfoServices" comment="" action="U"/>
      <Filters>
        <FilterGroup userContext="1" name="GRACECOTTAGE\GCHInfoServicesTS" localGroup="0" primaryGroup="0" sid="S-1-5-21-4101092372-2080896702-2551048040-10823" not="0" bool="AND"/>
        <FilterComputer name="GCH-TERMITE" not="0" bool="AND" type="NETBIOS"/>
      </Filters>
    </SharedPrinter>

    • Edited by TMacieGCH Friday, February 19, 2016 3:22 PM
    Friday, February 19, 2016 3:19 PM
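Added example (not posted by anyone in this thread): a small offline check that evaluates the item-level targeting of each `SharedPrinter` item in a GPP Printers XML export for a given user and computer, and shows whether an item has any ILT at all. It assumes filters are combined in document order using each element's `bool` and `not` attributes and models only `FilterGroup` and `FilterComputer`; the second item in the sample, including its name, uid and path, is constructed.

```python
import xml.etree.ElementTree as ET

GROUP_SID = "S-1-5-21-4101092372-2080896702-2551048040-10823"  # SID from the posted XML

# First item mirrors the XML posted above (trimmed); second is a constructed untargeted item.
SAMPLE = r"""<Printers>
  <SharedPrinter name="GCHInfoServices" uid="{F328632E-EB9C-41E1-8458-983A0F73D638}">
    <Properties action="U" path="\\GRACE-DC3\GCHInfoServices"/>
    <Filters>
      <FilterGroup userContext="1" name="GRACECOTTAGE\GCHInfoServicesTS" sid="S-1-5-21-4101092372-2080896702-2551048040-10823" not="0" bool="AND"/>
      <FilterComputer name="GCH-TERMITE" not="0" bool="AND" type="NETBIOS"/>
    </Filters>
  </SharedPrinter>
  <SharedPrinter name="ExampleUntargeted" uid="{00000000-0000-0000-0000-000000000000}">
    <Properties action="U" path="\\PRINTSRV.example\ExampleUntargeted"/>
  </SharedPrinter>
</Printers>"""

def match(f, sids, computer):
    """Evaluate one ILT element for a user (set of group SIDs) on a computer."""
    if f.tag == "FilterGroup":
        hit = f.get("sid") in sids
    elif f.tag == "FilterComputer":
        hit = f.get("name", "").upper() == computer.upper()
    else:
        raise ValueError(f"filter type not modelled here: {f.tag}")
    return hit != (f.get("not") == "1")  # not="1" inverts the result

def ilt_applies(item, sids, computer):
    """True if the item's ILT lets it through; an item with no filters always applies."""
    filters = item.find("Filters")
    if filters is None or len(filters) == 0:
        return True
    result = None
    for f in filters:  # assumption: combined left to right, in document order
        hit = match(f, sids, computer)
        if result is None:
            result = hit
        elif f.get("bool") == "OR":
            result = result or hit
        else:
            result = result and hit
    return result

def audit(xml_text, sids, computer):
    """Return (printer name, has ILT, applies to this user/computer) per item."""
    rows = []
    for item in ET.fromstring(xml_text).iter("SharedPrinter"):
        filters = item.find("Filters")
        has_ilt = filters is not None and len(filters) > 0
        rows.append((item.get("name"), has_ilt, ilt_applies(item, sids, computer)))
    return rows
```

Under these assumptions the posted item only applies to a group member on GCH-TERMITE, so a printer that still appears for everyone is arriving through an item without filters or through a mechanism outside this XML.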
  • > <FilterGroup userContext="1" name="GRACECOTTAGE\GCHInfoServicesTS"
    > localGroup="0" primaryGroup="0"
    > sid="S-1-5-21-4101092372-2080896702-2551048040-10823" not="0" bool="AND"/>
    > <FilterComputer name="GCH-TERMITE" not="0" bool="AND" type="NETBIOS"/>
     
    So and to update my understanding: With this ILT and a security filter
    for Auth Users on the GPO itself, anybody gets the printer? Or anybody
    on this computer?
     
    Anyway: Enabling Debug Logging for GPP Printers could help - at least it
    tells you the ILT filtering results (although hard to interpret :)):
     
     
    Set "Event logging" to Info/Warning/Error and Tracing to "On".
     
    Friday, February 19, 2016 4:39 PM
  • If I set Authenticated Users in the Security Filter, then everyone on the domain gets the printers.

    If I remove Authenticated users from the Security Filter, then no one gets the printers.

    I've turned on Debug logging but it's not generating the reports, so I have to figure that out now too.

    Thanks for your help,

    Travis

    Friday, February 19, 2016 4:52 PM
  • When you added the security group in the ILT, did you resolve the group before you pressed OK? Or did you simply paste the security group name?
    Friday, February 19, 2016 6:32 PM
  • I resolved the Group name. I make sure to resolve anytime I add a group or name to anything in AD.

    Travis


    • Edited by TMacieGCH Friday, February 19, 2016 7:08 PM
    Friday, February 19, 2016 6:34 PM
  • Great, so the solution was to resolve the security group name? I suspect that without resolving the group name, it is effectively nothing in the GPO - so everyone gets them all.
    Friday, February 19, 2016 7:06 PM
  • No, I resolved the Security Group name. I always make sure to resolve names when adding them.
    Friday, February 19, 2016 7:07 PM
  • > If I set Authenticated Users in the Security Filter, then everyone on
    > the domain gets the printers.
     
    GCHInfoServicesTS - who's a member of this group? To enumerate including
    nested memberships:
     
    dsquery group -samid GCHInfoServicesTS | dsget group -members -expand | dsget user -samid -c 2>nul
     
    > If I remove Authenticated users from the Security Filter, then no one
    > gets the printers.
     
    Obviously - this prevents access to the GPO :)
     
    Monday, February 22, 2016 10:11 AM
  • Only my singular test users (2) are in that group. I made the group for this purpose, so it's fresh.

    It really looks to me that ILT is not actually targeting. I don't know what could be making it do that though.

    Another note, along with Security Group targeting, I added an AND that targets the terminal server. That should limit the target specified printer to only adding when the user logged into the terminal server. It does not, the printer adds to all computers over the whole domain.....

    Travis

    Monday, February 22, 2016 1:38 PM
  • > It really looks to me that ILT is not actually targeting. I don't know
    > what could be making it do that though.
     
    The GPP debug logging would tell how the filtering evaluates.
     
    > printer to only adding when the user logged into the terminal server. It
    > does not, the printer adds to all computers over the whole domain.....
     
    Are you SURE that this exact item you posted the XML for is the _only_
    item that assigns this printer? I've never seen ILT "failing" in such an
    unpredictable and unexpected way...
     
    Monday, February 22, 2016 4:47 PM
  • I've enabled GPP debug logging but it hasn't created any logs... That has me concerned there is a much larger issue at hand here.

    The logs should be on the Domain Controller, as long as I left the defaults, correct?

    The printer is deployed from the print server, but this is the only security group that deploys it. The rest are manual adds via the Add printer wizard on each machine. Even so, when I enable Authenticated Users, it installs for all Authenticated Users on the domain.

    Travis

    Monday, February 22, 2016 4:56 PM
  • Deploy the debugging GPO to the workstation having the issue. The logs are created on the client.

    C:\ProgramData\GroupPolicy\Preference\Trace

    Monday, February 22, 2016 8:28 PM
  • Thank you. I'll give this a try. Does it need to be a separate GPO? That directory doesn't exist; will the GPO create it automatically, or do I need to do it manually?

    Travis

    Monday, February 22, 2016 8:31 PM
  • Doesn't have to be a separate policy, but it's easier to use it again for future cases should the need arise.

    Dirs/files will get created.

    Monday, February 22, 2016 9:43 PM