none
Security Filtering for printer deployment

    Question

  • Greetings,

    We have over 50 printers deployed to all users on all client machines at our site, and it's gotten very cumbersome.

    I have 4 groups of printers and I believe I should be making 4 GPOs for them: 1 for administrators, 1 for classrooms, 1 for staff, and 1 for faculty. I want to assign different user groups to each GPO. I also want to link this GPO to the "Staff Computers" OU. This way whoever logs in to those computers will get a different set of printers depending on which GPO they have permissions to.

    In testing, I made a "Print Test" OU, moved my computer there, and linked the "Printers - Staff" GPO to it. I've tried changing between

    User Configuration -> Policies -> Windows Settings -> Printer Connections*
    and
    Computer Configuration -> Policies -> Windows Settings -> Printer Connections*

    and changing the Security Filtering of the GPO from "Authenticated Users" (for which I always see the printers as expected) to the security group(s) I am a member of, and even my user account itself. No matter what I change the security settings to, I never get the printers deployed; I only ever get them if the Security Filtering is set to "Authenticated Users."

     Is this even the correct way to go about this? Any insight would be appreciated!

    * "Printer Connections" seems to be interchangeable with "Deployed Printers." When listing the settings of the GPO, it says Printer Connections, but when editing, the menu tree says Deployed Printers.


    • Edited by EricG1793 Friday, September 18, 2015 7:54 PM
    Friday, September 18, 2015 7:53 PM

Answers

All replies

  • Hi, Is yor user account in the test OU as well? Or just your PC? Is your Pc a member of the security group which you use for security filtering?
    Friday, September 18, 2015 8:43 PM
  • No, only the computer is in the OU. The computer is not a member of the security group I'm filtering by.
    Monday, September 21, 2015 6:27 PM
  • Correct me if I'm wrong..

    To function for the User configuration: You have to put the user underneath the OU

    To function for the Computer Configuration: You have to add the PC to the security group which you are using for security filtering

    It works with authenticated users because "Computer Configuration" applies to that as well.

    Monday, September 21, 2015 6:56 PM
  • OK, I see how this isn't working. I'm trying apply a GPO to an OU containing computers, but filtering per-user, and there are no users in that OU.

    I'm thinking of all the scenarios that could happen, but nothing seems like it will work. I have two OUs where all the computers are (Staff Computers + H102 Computers) and two different OUs where the users are (Staff + Students).

    So I have two main (apparently conflicting) goals:

    GOAL 1. I want printers to be available on all computers in those two OUs, but no printers for computers in other OUs

    GOAL 2. But, depending which security groups the users are in who log on to said machines, they get different printers deployed

    SOLUTION 1: Deploy per-machine to the Staff Computers + H102 Computers OUs.

    SOLUTION 2: Deploy per-user, and apply the GPO to the Staff + Students OUs

    PROBLEM 1: Any user who logs in will see all the printers

    PROBLEM 2: Users will have printers deployed to computers other than Staff and H102

    Correct?

    Is there a way to accomplish both goals?

    My head hurts. Thanks to anyone who can make sense of this. :)

    Tuesday, September 22, 2015 4:02 PM
  • > SOLUTION 2: Deploy per-user, and apply the GPO to the Staff + Students OUs
     
    Then implement Item Level Targeting, select Group Membership - Computer
    is a member of. Done :)
     
    (Or use an LDAP filter - a bit harder...)
     

    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Wednesday, September 23, 2015 8:51 AM
  • Thanks for the idea, Martin! It does seem as though that would get the job done initially. However, that method for deploying printers (though Preferences) is more tedious, and I've found that the printer does not get removed from the client after removing it from the list of connections and doing a gpupdate, so it would cause headaches in the future.

    Keep the ideas coming, guys! :)

    Friday, September 25, 2015 7:25 PM
  • > Preferences) is more tedious, and I've found that the printer does not
    > get removed from the client after removing it from the list of
    > connections and doing a gpupdate, so it would cause headaches in the future.
     
    If you want the printer to get removed, create two items for each
    printer, both with an opposite ILT :)
     

    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Monday, September 28, 2015 9:39 AM