Policy references old printer deployments - How to clean the reference?

    Question

  • For some reason our printers are getting deployed using our Default Domain Policy and there appears to be a reference to these printers in both the user and computer configuration. I get this error when I do gpupdate /force

    "The following warnings were encountered during user policy processing:
    Windows failed to apply the Deployed Printer Connections settings. Deployed Printer Connections settings might have its own log file. Please click on the "More
    information" link.
    Computer Policy update has completed successfully."

    What appears to be happening is I have a reference to deploying printers in both the user and computer policy. However, when looking at the actual policy in the editor there is only a reference to the computer configuration.

    Now if I search GP for printer deployments policies under the user configuration I get this:

    With that being said, is there a way I can remove the reference to the printers under the user configuration? Or find out exactly what printers are deployed under the user configuration?

    If there is anything I am leaving out, let me know!

    Thank you.

    Monday, November 12, 2012 10:45 PM

All replies

  • Hi,

    Did you use GPP to deploy the shared printers? Why not use the Delete action in it?
    Configure a Shared Printer Item
    http://technet.microsoft.com/en-us/library/cc732092(v=ws.10).aspx

    If you want users who log in to the computer to also use the shared printers which are deployed for the computer, you can use Loopback policy to achieve the same, instead of setting Computer configuration and User configuration at the same time.

    Regards,
    Cicely

    Tuesday, November 13, 2012 7:39 AM
    Moderator
  • Here is the User Configuration portion of this GPO:

    You can see there is no reference to printer deployments in the user configuration... at least not anymore. That's what makes me think there is an old reference somewhere?

    Tuesday, November 13, 2012 4:42 PM
  • Hello,

    Please go to your DC and use adsiedit.msc.

    Connect to the "Default naming context".
    Go to your Domain, CN=System, CN=Policies.

    Go to your Policy (which should be {31B2F340-016D-11D2-945F-00C04FB984F9})
    Go to CN=User and see if there is a CN=PushedPrintersConnections.

    If so, delete it.


    MVP Group Policy - Myths, insider info and troubleshooting on the topic of GPOs: Let's go, use GPO!

    • Marked as answer by Craig.Sorensen Wednesday, November 14, 2012 4:38 PM
    Tuesday, November 13, 2012 5:35 PM
  •  
    > You can see there is no reference to printer deployments in the user
    > configuration.. at least not anymore. That's what make me think there
    > is an old reference somewhere?
     
    In addition to Matthias - his suggestion only removes the "content" of
    deployed printers, but not the processing of "deployed printers" during
    GPO refresh.
     
    While you're in adsiedit, highlight the GPO node itself, "properties",
    look for the attribute "gPCUserExtensionNames". This is an array of an
    array of GUIDs.
    Copy the entry to notepad, identify a block in square brackets ("[]")
    that starts with the GUID {8A28E2C5-8D06-49A4-A08C-632DAA493E17} and
    remove the whole square brackets block. Then, look simply for the GUID
    {180F39F3-CF17-4C68-8410-94B71452A22D} (shouldn't be present, but better
    be careful) and remove just the GUID.
     
    This cleans up the AD part of your GPO and afterwards, deployed printers
    will not be processed anymore during user gpo refresh.
     
    Here's my complete list of GUIDs related to GPO processing:
    (Just in case you are curious about what you are deleting ;-))
     
    regards, Martin
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
    • Marked as answer by Craig.Sorensen Wednesday, November 14, 2012 4:39 PM
    Tuesday, November 13, 2012 9:01 PM
  • [{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-11D2-842D-00C04FA372D4}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}{D02B1F73-3407-48AE-BA88-E8213C6761F1}][{8A28E2C5-8D06-49A4-A08C-632DAA493E17}{180F39F3-CF17-4C68-8410-94B71452A22D}{CC13E3F3-D6D7-4A7C-A806-085502AA8281}][{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}][{C6DC5466-785A-11D2-84D0-00C04FB169F7}{BACF5C8A-A3C7-11D1-A760-00C04FB9603F}]

    I want to be clear on what I should remove as I see both GUIDs there?

    Tuesday, November 13, 2012 9:16 PM

  •  
    > [{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-11D2-842D-00C04FA372D4}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}{D02B1F73-3407-48AE-BA88-E8213C6761F1}][{8A28E2C5-8D06-49A4-A08C-632DAA493E17}{180F39F3-CF17-4C68-8410-94B71452A22D}{CC13E3F3-D6D7-4A7C-A806-085502AA8281}][{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}][{C6DC5466-785A-11D2-84D0-00C04FB169F7}{BACF5C8A-A3C7-11D1-A760-00C04FB9603F}]
    >
    > I want to be clear on what I should remove as I see both GUIDs there?


    Strange - the second GUID (CC13E3F3....) is not present in 2008R2 registry. According to http://support.microsoft.com/kb/967536, this GUID is used internally in Printer Management and added to the GPO.

    But yes, I confirm my statement: Remove all 3 GUIDs within the [] brackets (including the brackets, of course ;-)). The first GUID represents the client side extension, the other ones represent Snapins (in GPEdit) leveraging this CSE.

    To be precise: Remove
    [{8A28E2C5-8D06-49A4-A08C-632DAA493E17}{180F39F3-CF17-4C68-8410-94B71452A22D}{CC13E3F3-D6D7-4A7C-A806-085502AA8281}]

    regards, Martin

    Tuesday, November 13, 2012 9:26 PM
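
The edit described in the post above, as an added PowerShell example that is not part of the original thread: it splits a gPCUserExtensionNames value into its bracketed blocks and drops the block whose first GUID is the given client side extension. The function names, the use of the ActiveDirectory module and the `DC=example,DC=com` domain suffix are assumptions; the sample value is the one posted in the thread.

```powershell
# Added example (not from the thread): remove one CSE block from gPCUserExtensionNames.
function Remove-GpcExtensionBlock {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Value,
        [Parameter(Mandatory)][guid]$CseGuid
    )
    # The value is a run of "[{CSE}{snap-in}...]" blocks with nothing in between.
    $blocks = @([regex]::Matches($Value, '\[(\{[0-9A-Fa-f-]{36}\})+\]') |
        ForEach-Object { $_.Value })
    # Refuse to edit anything that does not parse completely.
    if (($blocks -join '') -ne $Value) {
        throw "Unexpected gPCUserExtensionNames format: $Value"
    }
    $prefix = '[{' + $CseGuid.ToString().ToUpper() + '}'
    # Keep every block whose first GUID is not the CSE being removed.
    $kept = @($blocks | Where-Object { -not $_.ToUpper().StartsWith($prefix) })
    return ($kept -join '')
}

function Update-GpoUserExtensions {
    # Hypothetical wrapper; needs the ActiveDirectory module (RSAT).
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$GpoDn, [Parameter(Mandatory)][guid]$CseGuid)
    $gpo = Get-ADObject -Identity $GpoDn -Properties gPCUserExtensionNames
    $old = [string]$gpo.gPCUserExtensionNames
    $new = Remove-GpcExtensionBlock -Value $old -CseGuid $CseGuid
    Write-Output "Old value (keep for rollback): $old"
    if ($new -eq $old) { return }
    if ($PSCmdlet.ShouldProcess($GpoDn, 'Rewrite gPCUserExtensionNames')) {
        if ($new) { Set-ADObject -Identity $GpoDn -Replace @{ gPCUserExtensionNames = $new } }
        else      { Set-ADObject -Identity $GpoDn -Clear gPCUserExtensionNames }
    }
}

# Value posted in the thread, split per block for readability.
$posted = @(
    '[{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-11D2-842D-00C04FA372D4}]'
    '[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}{D02B1F73-3407-48AE-BA88-E8213C6761F1}]'
    '[{8A28E2C5-8D06-49A4-A08C-632DAA493E17}{180F39F3-CF17-4C68-8410-94B71452A22D}{CC13E3F3-D6D7-4A7C-A806-085502AA8281}]'
    '[{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}]'
    '[{C6DC5466-785A-11D2-84D0-00C04FB169F7}{BACF5C8A-A3C7-11D1-A760-00C04FB9603F}]'
) -join ''
Remove-GpcExtensionBlock -Value $posted -CseGuid '8A28E2C5-8D06-49A4-A08C-632DAA493E17'

# Dry run against AD; DC=example,DC=com is a placeholder domain.
# Update-GpoUserExtensions -WhatIf -CseGuid '8A28E2C5-8D06-49A4-A08C-632DAA493E17' `
#   -GpoDn 'CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=example,DC=com'
```
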
  •  
    > Strange - the second GUID (CC13E3F3....) is not present in 2008R2 registry

    I did a test.

    CC13E3F3-D6D7-4A7C-A806-085502AA8281 is used when you deploy a printer via "Print Management" Snap-In.

    If you deploy the printer with GPMC,
    180F39F3-CF17-4C68-8410-94B71452A22D is used.

    > In addition to Matthias - his suggestion only removes the "content" of
    > deployed printers, but not the processing of "deployed printers" during
    > GPO refresh.

    You are right.
    I did not think of that because I have read that he wants to keep a few printers.
    But that is only in Computer Configuration, so good point: he needs to edit the "gPCUserExtensionNames" to remove the CSEs and Snap-In GUIDs and keep the "gPCMachineExtensionNames" untouched.



    Tuesday, November 13, 2012 9:41 PM
  • Thanks for the help so far!

    I went ahead and removed that string of GUIDs. Then I ran gpupdate /force again and I still got the printer deployment errors same as before. I pulled the report using gpresult /H and this is what I am getting. See if this helps at all.. but it looks like there is still a reference to these printers.

    Tuesday, November 13, 2012 9:51 PM
  • Did you wait for the AD-replication to finish?



    Tuesday, November 13, 2012 10:00 PM
  • Maybe not, default is somewhere around 120 minutes right? If so I tried it immediately after doing gpupdate /force and didn't realize it would have to replicate first.

    Tuesday, November 13, 2012 10:06 PM
  •  
    > Maybe not, default is somewhere around 120 minutes right?

    It depends on your replication topology.

    If AD sync is done and it is still not working, please try to blow away:
    HKCU\Software\Policies\Microsoft\Windows NT\Printers
    (please export before)



    • Marked as answer by Craig.Sorensen Wednesday, November 14, 2012 4:38 PM
    Tuesday, November 13, 2012 10:11 PM
  • I'll report back later today or tomorrow morning.

    I've got 3 DCs all on the same internal network... nothing external or on different hops.

    Tuesday, November 13, 2012 10:13 PM
  • I checked this again this morning. After replication the error was still there so I did what you said and backed up HKCU\Software\Policies\Microsoft\Windows NT\Printers and then deleted it. After running gpupdate /force again it looks like it processed everything without any errors!

    Woo hoo!

    I'll monitor the environment for a bit and see if there are any abnormalities. But I think everything will be okay now.

    Thanks!

    Wednesday, November 14, 2012 4:38 PM
  •  
    > I checked this again this morning. After replication the error was
    > still there so I did what you said and backed up
    > HKCU\Software\Policies\Microsoft\Windows NT\Printers and then deleted
    > it. After running gpupdate /force again it looks like it processed
    > everything without any errors!
    >
     
    One more reason to arm a gun with this "deployed printer connections"
    and target this gun to outer space ;-))
    Anyway, glad to hear things are going well now.
     
    regards, Martin
     

    Wednesday, November 14, 2012 9:13 PM

  •  
    > CC13E3F3-D6D7-4A7C-A806-085502AA8281 is used when you deploy a printer via "Print Management" Snap-In.
    >
    > If you deploy the printer with GPMC, 180F39F3-CF17-4C68-8410-94B71452A22D is used.

    Noticed my link to ms? (-:
    http://support.microsoft.com/kb/967536

    Wednesday, November 14, 2012 9:14 PM
  •  
    > Noticed my link to ms? (-:

    Noticed yes, but did not really read it :-)

    Anyway I don't have much trust in all MS KBs.

    Never believe something that you didn't see with own eyes :-)



    Wednesday, November 14, 2012 9:28 PM
  •  
    > Anyway I don't have much trust in all MS KBs.
     
    Sad, but true...
     
    > Never believe something that you didn't see with own eyes :-)
    >
     
    Doesn't help either - cut'n'paste of a current question we have running:
     
    Logging can be enabled for AppMgmt (MSI-Installation). This requires setting
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics:AppMgmtDebugLevel.
    But what value is right?
     
    Or maybe 0x9B?
     
    All sources are MS, and all state a different value for
    AppMgmtDebugLevel... And even if I assume this to be a bit masked value
    - all three values give quite different bit masks. )-:
     

    Wednesday, November 14, 2012 10:09 PM
  •  
    > All sources are MS, and all state a different value for
    > AppMgmtDebugLevel... And even if I assume this to be a bit masked value
    > - all three values give quite different bit masks. )-:

    Classic.

    I would not give a .. about GPSI.

    There are better ways to do this.

    I prefer WSUS + LUP.



    Thursday, November 15, 2012 8:57 AM