Win7, Win2003, and GP point and print restrictions

    Question

  • Hi there,

    I'm trying to deploy Win7-specific GPOs to a Win7 PC that is on a Windows 2003-only domain. My admin PC is running Windows 7, I have the RSAT tools enabled. I've successfully deployed Group Policy Preferences this way, but have had no luck with regular Group Policy, as far as I can tell.

    I've created a central store on our DC and populated it with the standard ADMX files from my Win7 admin PC, and created a test GPO.

    Specifically, I am trying to adjust the following settings in GP that fixed a problem where our regular users could not add printers, and our scripts wouldn't automatically add them either, because they didn't have admin privs to install the drivers. Doing the steps below in the Local group policy editor (manually) solved the problem, but my preference would be to include this in GP, rather than having to make a local policy change.

    Test_GPO

      Computer Config:

         Administrative Templates: Policy definitions (ADMX) files retrieved from the central store

            Printers

               Only use Package Point and print: DISABLED

               Point and Print Restrictions: DISABLED

      User Config:

         Administrative Templates: Policy definitions (ADMX) files retrieved from the central store

            Control Panel/Printers

               Only use Package Point and print: DISABLED

               Point and Print Restrictions: DISABLED

     

    I've adjusted these settings on my admin laptop the same way I configured my GPP settings that worked on the same test box, did a GPUPDATE /force, and...nothing. If I go to the local gpedit.msc on the test PC, the printer settings are all not configured, and when I try to run the script as a regular user, it still prompts for a user with elevated privs to complete the printer driver install. When I rerun gpedit.msc on the test netbook, all the settings above remain at "not configured".

    So, where to begin for troubleshooting this? When I run the GP report, it seems to suggest the changes I made are there, but nothing is being applied to the test netbook. When I go to Event Viewer on the test netbook and drill down to Application and Service Logs-->Microsoft-->Windows-->Group Policy-->Operational, the logs show the netbook being in the test OU.

    I do get the following information message: Event 5313

    The following Group Policy objects were not applicable because they were filtered out:

    Local Group Policy

          Not applied (empty)

    New Global Policy

          Not applied (empty)

     

    Any help on troubleshooting this would be much appreciated, thanks!

    Sir_timbit

    Monday, November 29, 2010 8:32 PM

Answers

  • Hi,

     The first step is to make sure your Test_GPO applies correctly to your machines and users. Since you have both user and computer settings in the GPO, the GPO must be linked to a container (or multiple containers) that contain both the user and computer you are testing with. Next, make sure that the security delegation information for the GPO contains both the user and computer you are testing with (The default Authenticated Users would be fine).

     

    Finally, run gpresult /R on the client and see what the status is for Test_GPO.

     

    Thanks,

    Guy

    • Marked as answer by Sir_Timbit Tuesday, November 30, 2010 7:43 PM
    Monday, November 29, 2010 9:48 PM
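
An added example, not part of the original thread: one way to run the answer's first two checks (link scope and security filtering) from a domain-joined admin PC with the RSAT GroupPolicy module. The account names are placeholders, and the helper functions Get-NearestSom and Test-GpoInScope are hypothetical names introduced here.

```powershell
# Added example (not from the thread). Assumes the RSAT GroupPolicy module
# and a domain-joined admin PC. Test_GPO is the GPO name from the question.
Import-Module GroupPolicy

$GpoName  = 'Test_GPO'
$User     = 'testuser'       # placeholder sAMAccountName
$Computer = 'TESTNETBOOK'    # placeholder computer name

function Get-NearestSom([string]$SamAccountName) {
    # Locate the account, then walk up its DN to the first OU or the domain
    # root: GPOs link to OUs and domains, not to CN= containers.
    $hit = ([adsisearcher]"(sAMAccountName=$SamAccountName)").FindOne()
    if (-not $hit) { throw "No object with sAMAccountName '$SamAccountName'" }
    $dn = [string]$hit.Properties['distinguishedname'][0]
    # Strip one RDN per pass; the pattern skips commas escaped as "\,".
    do { $dn = $dn -replace '^(?:[^,\\]|\\.)+,', '' } until ($dn -match '^(OU|DC)=')
    $dn
}

function Test-GpoInScope([string]$SamAccountName) {
    # InheritedGpoLinks is the resultant link list for the container, so it
    # accounts for links on parent containers and for blocked inheritance.
    $som  = Get-NearestSom $SamAccountName
    $link = (Get-GPInheritance -Target $som).InheritedGpoLinks |
            Where-Object { $_.DisplayName -eq $GpoName }
    New-Object psobject -Property @{
        Account   = $SamAccountName
        Container = $som
        GpoLinked = [bool]$link
    }
}

# Check 1: is the GPO linked where the user AND the computer live?
Test-GpoInScope $User
Test-GpoInScope ($Computer + '$')   # computer accounts end in '$'

# Check 2: security filtering. Both accounts must be one of these trustees
# or a member of one (the default Authenticated Users covers both).
# Get-GPPermissions is the Windows 7 RSAT name; newer systems alias it.
Get-GPPermissions -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { "Apply Group Policy: $($_.Trustee.Name)" }

# Check 3 is run on the client itself, as the answer says:  gpresult /R
```

If either account reports GpoLinked as False, the matching half of the GPO (user or computer settings) will not apply to it regardless of security filtering.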

All replies

  • Thanks Guy,

    That was the problem. In AD I had the computer in the OU, but not the user. And in the Security filtering for the GPO, I had the user (authenticated users) but not the computer listed. Also, I was running gpedit.msc on the test PC and expected to see the changes listed there. I did a GPupdate and everything worked after that.

    Sir_Timbit

    Tuesday, November 30, 2010 7:43 PM