Managing Printing : Deploying Printers Using Group Policy

The ability to deploy printer connections to Windows-based client computers using Group Policy was first introduced in Windows Server 2003 R2. You can use Group Policy to deploy printer connections in two ways:

  • As per-computer printer connections available for all users who log on to the client computer. You can deploy per-computer printer connections to computers running Windows XP or later versions.

  • As per-user printer connections available to the user on any client computer to which the user logs on. You can deploy per-user printer connections to users of computers running Windows 2000 or later versions.

Deploying printers using Group Policy is useful in scenarios in which every user or computer in a room or office needs access to the same printer. Deploying printers using Group Policy can also be useful in large enterprises where users and computers are differentiated by function, workgroup, or department.

DIRECT FROM THE FIELD

Configuring Printer Connections Using Group Policy Preferences

Jerry Honeycutt

Deployment Forum

Group Policy preferences, a new feature of Windows Server 2008, provides administrators with another means of deploying, configuring, and managing printer connections on Windows 7 computers. Configuring printer connections is a common task that administrators typically perform by writing logon scripts. The Printers preference extension, however, enables you to easily create, update, replace, or delete shared printers, TCP/IP printers, and local printers to multiple, targeted users or computers. Using preference targeting, you can deploy printer connections based on location, department, computer type, and so on.

Windows 7 Group Policy provides native support for deploying printers. However, it supports only shared printers and requires AD DS schema extensions. In contrast, the Printers extension supports shared, local, and TCP/IP printers on Windows XP SP2, Windows Vista, and Windows 7. It also allows you to set the default printer and map shared printers to local ports.

1. Preparing to Deploy Printers

Deploying printers using Group Policy requires you to perform the following preparatory steps:

  • If you are not using Windows Server 2008 domain controllers, your AD DS schema must first be upgraded to Windows Server 2003 R2 or later. This means the schema revision number must be 9 (for Windows Server 2003) and the schema version number must be 31 (for the R2 schema update). You can use ADSI Edit to determine your current schema version number by looking under the Schema node, right-clicking the object named CN=Schema,CN=Configuration,DC=forest_root_domain, selecting Properties, and then examining the value of the objectVersion attribute. The R2 schema update is required so that Print Management can create the following two objects in AD DS:

    • CN=Schema,CN=Policies,CN=GPO_GUID,CN=Machine,CN=PushPrinterConnections

    • CN=Schema,CN=Policies,CN=GPO_GUID,CN=User,CN=PushPrinterConnections

  • If your client computers are running an earlier version of Windows, you must deploy the PushPrinterConnections.exe utility to these clients prior to using Group Policy to deploy printer connections to these computers. The PushPrinterConnections.exe utility reads the GPOs that are used to deploy printer connections and adds or removes these connections on the client as needed. The easiest way to deploy PushPrinterConnections.exe is to use a GPO as follows:

    • As a user logon script for deploying per-user printer connections

    • As a computer startup script for deploying per-computer printer connections

    The simplest approach is to use the same GPO to deploy both PushPrinterConnections.exe to targeted users and/or computers using startup/logon scripts and the actual printer connections themselves to those users and/or computers. Beginning with Windows Vista, however, you do not need to first deploy PushPrinterConnections.exe to client computers because Windows Vista and later versions include this capability in the operating system.

2. Deploying a Printer Connection

After you complete the preceding preparatory steps, you can deploy a printer connection by following these steps:

  1. Create a new GPO for deploying the connections, or use an existing GPO linked to the OU, domain, or site where the users or computers being targeted reside.

  2. Open Print Management, right-click the printer you want to deploy, and select Deploy With Group Policy.

  3. In the Deploy With Group Policy dialog box, click Browse, find and select the GPO you will use to deploy the printer, and then click OK.

  4. Choose whether to deploy the printer as a per-computer connection, a per-user connection, or both.

  5. Click Add to add the printer connection settings to the GPO.

  6. If needed, repeat steps 3 through 5 to deploy the same printer to additional GPOs.

  7. Click OK when finished. The printer connection to be deployed using Group Policy will be displayed under the Deployed Printers node in Print Management.

Per-user printer connections can be deployed immediately using Group Policy if the user next logs off and then logs on again to a targeted client computer. Per-computer printer connections can also be deployed immediately if the user’s computer is restarted. Neither type of connection will be deployed on earlier versions of Windows during normal background refresh of Group Policy. On Windows Vista and later clients, however, background policy refresh can also deploy both per-user and per-computer printer connections.


Note:

On Windows Vista and later versions, users can also force printer connections to be deployed immediately by typing gpupdate/force at an elevated command prompt.


The deployed printer connection is also displayed in the GPO used to deploy the connection. To view this, open the Group Policy Management Console (GPMC), right-click the GPO you used to deploy the connection, and then click Edit to open the GPO using the Group Policy Object Editor (see Figure 1). To remove the deployed printer connection from the targeted users or computers during the next background refresh of Group Policy, right-click the connection and then click Remove. Unlinking the GPO from the OU, domain, or site where the targeted users or computers reside also removes the deployed connections.


Note:

You can also use the Group Policy Results Wizard in the GPMC to collect RSoP information to verify the success or failure of deploying printers using Group Policy. 


Figure 1. Viewing a deployed printer connection in a GPO

3. Limitations of Deploying Printers Using Group Policy

The following limitations apply when deploying printer connections to Windows 7 clients using Group Policy:

  • You cannot configure the default printer on the targeted client using Group Policy.

  • Loopback mode is not supported.

4. Assigning Printers Based on Location

Windows Vista introduced a feature with the ability to assign printers based on location. This can be useful in large enterprises that span more than one geographical location, allowing mobile users to update their printers as they move to new locations. When mobile users return to their primary locations, their original default printers are restored.

To assign printers based on location, deploy printers using GPOs linked to AD DS sites. When a mobile computer moves to a new site, the printer connections for the computer are updated using normal Group Policy processing.

DIRECT FROM THE SOURCE

Managing Deployed Printer Connections

Alan Morris, Software Design Engineer

Test, Windows Printing

There are two ways of managing deployed printer connections in Windows 7:

  • Using the Print Management console

  • Using the Group Policy Management Editor

The following sections of this sidebar describe the differences between these two approaches.

Managing Deployed Printer Connections Using the Print Management Console

Deployed printer connections will be displayed in Print Management’s Deployed Printers node for the connections hosted by the current list of monitored servers when the Print Management operator has Read access to the domain policies in which printer connections are deployed.

To deploy connections to a Group Policy using the Print Management console, you must have Write access to the domain policy, and the server that shares the printer must be added to the list of servers that Print Management is monitoring. The operator in charge of printer deployment does not need to have administrative rights on the print server.

The deployed printer connections feature is not used to create local printers, but anyone with administrative rights can add printer connections to the local policy of a computer. Local Policy-deployed printer connections are useful when AD DS is not fully implemented or when setting up systems in a workgroup environment. Some form of peer-to-peer authentication is required when the workgroup computers or users cannot authenticate to a domain controller.

Deployed printer connections do not need to be published to the AD DS.

Deployed printers do not require any driver download prompts during installation. The user does not have access to delete deployed printer connections. The printer needs to be removed from the policy or the user must be unlinked from the policy for the printer removal to occur.

Managing Deployed Printer Connections Using the Group Policy Management Editor

This tool has a few advantages over the Print Management snap-in. You don’t need to monitor the server sharing the deployed printers. You can deploy printer shares that have yet to be created. The user interface works directly within the selected GPO. The user does not need to be logged on to the same domain as the GPO.

The big disadvantage when using this tool rather than the Print Management snap-in is the lack of any print share validation. If valid server and share information is improperly entered, the connection will fail. When no share validation is performed, the advantage is that this method allows for deployment of connections prior to creating the share. After the share is created, the connections will be added for the user during the next policy refresh on Windows 7 clients and the next time PushPrinterConnections.exe is run on previous-version clients.

Printers hosted on a server in one domain can easily be deployed to clients in another trusted domain.

Another important use of the Group Policy Management Editor is in the removal of deployed printers after a print server is retired. The Group Policy Management Editor will display the printers deployed to a policy and allow the operator to remove them after the server is no longer available on the network.