Deploying printers via Group Policy lets you manage your printers from a single console and also gives you granular control over which printers to deploy to individual client PCs without needing any additional software.
There are a few prerequisites for this method of deployment to work, but the requirements are ridiculously easy to meet. First off, this method of deployment is for network printers or shared printers.
Any printers installed locally on a client PC and not shared are not an option for deployment via Group Policy Objects (GPOs). Also, your clients need to be running Windows 7 or above, and last but not least, you need an Active Directory (AD) installation that can run Group Policy Preferences (GPPs), introduced with Server 2008. Also for this article, I’ll assume you are already comfortable setting up a network printer and creating a printer share and have already done so.
We’ll be using GPPs to configure and control the printer deployment options. If you’ve never used GPPs, you’re in for a treat. It’s one of the best features Microsoft has given admins for really getting creative with Group Policy deployment criteria.
Computer vs. user deployment
The image above shows that GPPs live inside a GPO. There are separate preferences sections for the Computer Configuration and the User Configuration. Both sections have many of the same options, but there are differences. I highlighted the Printers section in each GPP. So why two sections? How do I know which one to use?
Group Policy can deploy settings to computers or users. The same is true for GPPs. For printing, you can choose to deploy a printer to a computer or by individuals and groups; the difference comes down to how you want to manage your printers.
Deploying a printer via GPPs to a computer will install it for all users that log in to a client computer and only on that computer. Conversely, deploying a printer via GPPs to a user will only install it into the profile of the user you specify. However, installing printers per user will install them everywhere that user logs in.
You should install a printer reserved for the executives via the User Configuration; manage a printer needed for all users of a computer via the Computer Configuration. Here’s the interesting part though—you could deploy the same printer using both methods if you needed to, but it may get a little challenging trying to troubleshoot issues. So I don’t recommend you do this.
Deploying Printers to Users via Group Policy
Create three new security groups in AD (SharedPrinter_Sales, SharedPrinter_IT, SharedPrinter_Managers) and add the department users to them (you can automatically add users to domain groups by following the article “Creating a Dynamic Group in Active Directory”). You can create groups in the Active Directory Users & Computers console or using the New-ADGroup cmdlet:
New-ADGroup "SharedPrinter_Sales" -Path 'OU=Groups,OU=Paris,DC=woshub,DC=com' -GroupScope Global -PassThru
- Run the domain Group Policy editor (GPMC.msc), create a new policy print_AutoConnect and link it to the OU with the users.
- If you have a small number of shared network printers in your domain (up to 30-50), you can configure them using a single GPO. If you have a complex domain structure and you delegate some AD administration tasks to branch administrators, it is better to create several printer deployment policies. For example, one policy for each AD site or OU.
- Go to the policy-editing mode and expand User Configuration -> Preferences -> Control Panel Settings -> Printers. Create a new policy item by selecting New -> Shared Printer. If you want to connect a printer by IP address (directly, without a print server), select TCP/IP Printer.
- Specify Update as an action. In the Shared Path field, enter the UNC address of your printer, for example, \\srv-par-print\hpsales (in my case all printers are connected to the centralized print server \\srv-par-print). Here you can specify whether to use this printer as the default printer;
- Go to the Common tab and specify that the printer must be connected in the current user context (Run in logged-on user’s security context). Also check the Item-level targeting option and click Targeting.
- Using GPP targeting, you must specify that the policy is to be applied only for SharedPrinter_Sales group members. To do it, go to New Item -> Security Group and enter SharedPrinter_Sales as a group name.
- Please note that this restriction doesn’t prevent a domain user from manually connecting this printer using Windows File Explorer. To restrict access to the printer, you will have to change the printer security permissions on the print server and allow printing only for specific groups.
- In the same way create the printer connection policies for other user groups;
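To confirm that every printer item in the policy really carries the item-level targeting configured above, the policy's Printers.xml can be reviewed from SYSVOL. The following is an added example, not part of the original article: the XML is a constructed sample, its element and attribute names reflect the layout GPP is understood to use (verify against your own file), and the WOSHUB domain name and hpit share are hypothetical.

```powershell
# Added example: list each shared printer item with its targeting groups and
# flag items that have no item-level targeting (applied to every user in the OU).
# Constructed sample in the assumed Printers.xml layout; real files carry more attributes.
[xml]$printersXml = @'
<Printers>
  <SharedPrinter name="hpsales" userContext="1">
    <Properties action="U" path="\\srv-par-print\hpsales" default="1"/>
    <Filters>
      <FilterGroup bool="AND" not="0" name="WOSHUB\SharedPrinter_Sales"/>
    </Filters>
  </SharedPrinter>
  <SharedPrinter name="hpit" userContext="1">
    <Properties action="U" path="\\srv-par-print\hpit" default="0"/>
  </SharedPrinter>
</Printers>
'@

function Get-GppPrinterTargeting {
    param([Parameter(Mandatory)] [xml] $Xml)
    foreach ($item in $Xml.Printers.SharedPrinter) {
        # Security Group targeting is stored as FilterGroup elements under Filters
        $groups = @($item.Filters.FilterGroup |
            Where-Object { $_ } |
            ForEach-Object { $_.GetAttribute('name') })
        [pscustomobject]@{
            Path        = $item.Properties.GetAttribute('path')
            Action      = $item.Properties.GetAttribute('action')   # U = Update
            UserContext = $item.GetAttribute('userContext') -eq '1'
            Groups      = $groups -join ', '
            Untargeted  = $groups.Count -eq 0
        }
    }
}

Get-GppPrinterTargeting -Xml $printersXml | Format-Table -AutoSize

# Against a real policy, load the file instead (placeholders left for you to fill in):
# [xml]$printersXml = Get-Content '\\<domain>\SYSVOL\<domain>\Policies\<GPO GUID>\User\Preferences\Printers\Printers.xml'
```

Rows with Untargeted set to True are printer connections that reach every user the GPO applies to, regardless of group membership.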
Also there is an old GPO section to configure printers: Computer Configuration -> Policies -> Windows Settings -> Deployed Printers, but this method is less flexible than the one using GPP described above.
When using this printer deployment Group Policy, new printers will be connected on user computers only if the corresponding printer driver is installed. However, the problem is that non-admin users don’t have permission to install print drivers. In this case, you need to configure the Point and Print Restrictions policy.
Configuring Point and Print Restrictions Policy to Install Printers
To correctly connect printers for any users, you will have to configure the Point and Print Restrictions policy, as well as the addresses of the print servers from which users are allowed to install drivers and printers. As a reminder, for security reasons Microsoft has restricted the installation of non-package-aware v3 printer drivers since 2016. See the article Unable to install non-package-aware print drivers.
If you connect your printers using the User Configuration policy, go to User Configuration -> Policies -> Administrative Templates -> Control Panel -> Printers -> Point and Print Restrictions. Enable the policy and configure it as follows:
- Users can only point and print to these servers – specify the list of print servers users can install drivers from (FQDN names are specified with semicolon as a separator);
- When installing driver for new connection -> Do not show warning or elevation prompt;
- When installing driver for existing connection -> Do not show warning or elevation prompt.
Also, enable the Package Point and Print – Approved servers policy in the GPO section User Configuration -> Policies -> Administrative Templates -> Control Panel -> Printers and set the list of trusted print servers.
After you restart the computer, the assigned shared network printer will be automatically installed and connected at the user logon.
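With both prompt options set to "Do not show warning or elevation prompt", the print server list is the only control over where drivers are installed from, so it is worth checking what was actually applied. The following is an added example, not part of the original article: the registry value names and path are the ones this policy is understood to write (treat them as assumptions to verify), srv-par-print.woshub.com is constructed from the server and domain names used above, and printsrv2 is hypothetical.

```powershell
# Added example: review applied Point and Print Restrictions values.
function Test-PointAndPrintPolicy {
    param(
        [Parameter(Mandatory)] $Policy,          # hashtable or Get-ItemProperty output
        [string[]] $ApprovedServers = @()        # print servers you actually operate
    )
    $findings = @()

    # "Users can only point and print to these servers" -> TrustedServers=1 + ServerList
    $servers = @()
    if ($Policy.TrustedServers -eq 1 -and $Policy.ServerList) {
        $servers = @($Policy.ServerList -split ';' |
            ForEach-Object { $_.Trim() } | Where-Object { $_ })
    } else {
        $findings += 'Server list not enforced: drivers can come from any print server.'
    }
    foreach ($s in $servers) {
        if ($s -notmatch '^[a-z0-9-]+(\.[a-z0-9-]+)+$') {
            $findings += "'$s' is not an FQDN (the policy expects FQDNs separated by ';')."
        }
        if ($ApprovedServers.Count -gt 0 -and $ApprovedServers -notcontains $s) {
            $findings += "'$s' is not one of the approved print servers."
        }
    }
    # 1 (new connection) and 2 (existing connection) = "Do not show warning or elevation prompt"
    if ($Policy.NoWarningNoElevationOnInstall -eq 1 -or $Policy.UpdatePromptSettings -eq 2) {
        $findings += 'Driver prompts are suppressed: the server list is the only gate on driver sources.'
    }
    $findings
}

# Constructed sample: the settings chosen above plus one hypothetical short-name entry
$sample = @{
    TrustedServers                = 1
    ServerList                    = 'srv-par-print.woshub.com;printsrv2'
    NoWarningNoElevationOnInstall = 1
    UpdatePromptSettings          = 2
}
Test-PointAndPrintPolicy -Policy $sample -ApprovedServers 'srv-par-print.woshub.com'

# On a client, feed it the applied user-side policy instead (path is an assumption):
# Test-PointAndPrintPolicy (Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint')
```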
I have walked you through the most important options you need to configure to deploy a printer successfully to a group using GPPs. These options are super powerful, and I encourage you to explore the options to see how they can help you configure client PCs and servers in ways you may have never considered. If you have any follow-up questions about how to deploy printers, please leave a comment below. Thanks for reading, and I hope this becomes a useful guide you can refer back to any time you need a refresher on printer deployment options. Previously, to install and connect users’ printers I had to use PowerShell scripts. These scripts need to be run as Startup GPO scripts, and Group Policy Filtering can be used to target the printer installation. However, in my opinion it is much easier to use GPP to deploy printers.