The ability to deploy printer connections to Windows-based client computers using Group Policy was first introduced in Windows Server 2003 R2. You can use Group Policy to deploy printer connections in two ways:
As per-user printer connections available to the user on any client computer to which the user logs on. You can deploy per-user printer connections to users of computers running Windows 2000 or later versions.
Deploying printers using Group Policy is useful in scenarios in which every user or computer in a room or office needs access to the same printer. Deploying printers using Group Policy can also be useful in large enterprises where users and computers are differentiated by function, workgroup, or department.
1. Preparing to Deploy Printers
If you are not using Windows Server 2008 domain controllers, your AD DS schema must first be upgraded to Windows Server 2003 R2 or later. This means the schema revision number must be 9 (for Windows Server 2003) and the schema version number must be 31 (for the R2 schema update). You can use ADSI Edit to determine your current schema version number by looking under the Schema node, right-clicking the object named CN=Schema,CN=Configuration,DC=forest_root_domain, selecting Properties, and then examining the value of the objectVersion attribute. The R2 schema update is required so that Print Management can create the following two objects in AD DS:
If your client computers are running an earlier version of Windows, you must deploy the PushPrinterConnections.exe utility to these clients prior to using Group Policy to deploy printer connections to these computers. The PushPrinterConnections.exe utility reads the GPOs that are used to deploy printer connections and adds or removes these connections on the client as needed. The easiest way to deploy PushPrinterConnections.exe is to use a GPO as follows:
As a computer startup script for deploying per-computer printer connections
The simplest approach is to use the same GPO to deploy both PushPrinterConnections.exe to targeted users and/or computers using startup/logon scripts and the actual printer connections themselves to those users and/or computers. Beginning with Windows Vista, however, you do not need to first deploy PushPrinterConnections.exe to client computers because Windows Vista and later versions include this capability in the operating system.
2. Deploying a Printer Connection
Per-user printer connections can be deployed immediately using Group Policy if the user next logs off and then logs on again to a targeted client computer. Per-computer printer connections can also be deployed immediately if the user’s computer is restarted. Neither type of connection will be deployed on earlier versions of Windows during normal background refresh of Group Policy. On Windows Vista and later clients, however, background policy refresh can also deploy both per-user and per-computer printer connections.
The deployed printer connection is also displayed in the GPO used to deploy the connection. To view this, open the Group Policy Management Console (GPMC), right-click the GPO you used to deploy the connection, and then click Edit to open the GPO using the Group Policy Object Editor (see Figure 1). To remove the deployed printer connection from the targeted users or computers during the next background refresh of Group Policy, right-click the connection and then click Remove. Unlinking the GPO from the OU, domain, or site where the targeted users or computers reside also removes the deployed connections.
3. Limitations of Deploying Printers Using Group Policy
Loopback mode is not supported.
4. Assigning Printers Based on Location
Windows Vista introduced a feature with the ability to assign printers based on location. This can be useful in large enterprises that span more than one geographical location, allowing mobile users to update their printers as they move to new locations. When mobile users return to their primary locations, their original default printers are restored.
To assign printers based on location, deploy printers using GPOs linked to AD DS sites. When a mobile computer moves to a new site, the printer connections for the computer are updated using normal Group Policy processing.
DIRECT FROM THE SOURCE
Managing Deployed Printer Connections
Alan Morris, Software Design Engineer
Test, Windows Printing
Deployed printer connections will be displayed in Print Management’s Deployed Printers node for the connections hosted by the current list of monitored servers when the Print Management operator has Read access to the domain policies in which printer connections are deployed.
To deploy connections to a Group Policy using the Print Management console, you must have Write access to the domain policy, and the server that shares the printer must be added to the list of servers that Print Management is monitoring. The operator in charge of printer deployment does not need to have administrative rights on the print server.
The deployed printer connections feature is not used to create local printers, but anyone with administrative rights can add printer connections to the local policy of a computer. Local Policy-deployed printer connections are useful when AD DS is not fully implemented or when setting up systems in a workgroup environment. Some form of peer-to-peer authentication is required when the workgroup computers or users cannot authenticate to a domain controller.
Deployed printers do not require any driver download prompts during installation. The user does not have access to delete deployed printer connections. The printer needs to be removed from the policy or the user must be unlinked from the policy for the printer removal to occur.
This tool has a few advantages over the Print Management snap-in. You don’t need to monitor the server sharing the deployed printers. You can deploy printer shares that have yet to be created. The user interface works directly within the selected GPO. The user does not need to be logged on to the same domain as the GPO.
The big disadvantage when using this tool rather than the Print Management snap-in is the lack of any print share validation. If valid server and share information is improperly entered, the connection will fail. When no share validation is performed, the advantage is that this method allows for deployment of connections prior to creating the share. After the share is created, the connections will be added for the user during the next policy refresh on Windows 7 clients and the next time PushPrinterConnections.exe is run on previous-version clients.
Another important use of the Group Policy Management Editor is in the removal of deployed printers after a print server is retired. The Group Policy Management Editor will display the printers deployed to a policy and allow the operator to remove them after the server is no longer available on the network.