Deploying printers via Group Policy lets you manage your printers from a single console and also gives you granular control over which printers to deploy to individual client PCs without needing any additional software.
There are a few prerequisites for this method of deployment to work, but the requirements are ridiculously easy to meet. First off, this method of deployment is for network printers or shared printers.
Any printers installed locally on a client PC and not shared are not an option for deployment via Group Policy Objects (GPOs). Also, your clients need to be running Windows 7 or above, and last but not least, you need an Active Directory (AD) installation that can run Group Policy Preferences (GPPs), introduced with Server 2008. Also for this article, I’ll assume you are already comfortable setting up a network printer and creating a printer share and have already done so.
We’ll be using GPPs to configure and control the printer deployment options. If you’ve never used GPPs, you’re in for a treat. It’s one of the best features Microsoft has given admins for really getting creative with Group Policy deployment criteria.
The image above shows that GPPs live inside a GPO. There are separate preferences sections for the Computer Configuration and the User Configuration. Both sections have many of the same options, but there are differences. I highlighted the Printers section in each GPP. So why two sections? How do I know which one to use?
Group Policy can deploy settings to computers or users. The same is true for GPPs. For printing, you can choose to deploy a printer to a computer or by individuals and groups; the difference comes down to how you want to manage your printers.
Deploying a printer via GPPs to a computer will install it for all users that log in to a client computer and only on that computer. Conversely, a deploying a printer via GPPs to a user will only install it into the profile of the user you specify. However, installing printers per user will install them everywhere that user logs in.
You should install a printer reserved for the executives via the User Configuration; manage a printer needed for all users of a computer via the Computer Configuration. Here’s the interesting part though—you could deploy the same printer using both methods if you needed to, but it may get a little challenging trying to troubleshoot issues. So I don’t recommend you do this.
Create three new security groups in AD (SharedPrinter_Sales, SharedPrinter_IT, SharedPrinter _Managers) and add the department users to them (you can automatically add users to domain groups by following the article “Creating a Dynamic Group in Active Directory”). You can create groups in the Active Directory Users & Computers console or using the New-ADGroup cmdlet:
New-ADGroup "SharedPrinter_Sales" -path 'OU=Groups,OU=Paris,DC=woshub,DC=com' -GroupScope Global –PassThru
GPMC.msc), create a new policy print_AutoConnect and link it to the OU with the users.
\\srv-par-print\hpsales(in my case all printers are connected to the centralized print server
\\srv-par-print). Here you can specify whether to use this printer as the default printer;
Also there is an old GPO section to configure printers: Computer Configuration -> Policies -> Windows Settings -> Deployed Printers, but this method is less flexible than the one using GPP described above.
When using this printer deployment Group Policy, new printers will be connected on user computers only if the corresponding printer driver is installed. However, the problem is that non-admin users don’t have permission to install print drivers. In this case, you need to configure Point and Print Restriction policy.
To correctly connect printers for any users, you will have to configure the Point and Print Restrictions policy, as well as the addresses of the print servers from which users are allowed to install drivers and printers.I will remind you that on security reasons Microsoft has restrict the installation of non-package-aware v3 printer drivers since 2016. See the article Unable to install non-package-aware print drivers.
If you connect your printers using the User Configuration Policy, go to User Configuration -> Policy -> Administrative Templates -> Control Panel -> Printers -> Printer -> Point and Print Restriction. Enable the policy and configure it as follows:
Also, enable Package Point and Print – Approved server policy in the GPO section User Configuration -> Policies -> Administrative Templates -> Control Panel -> Printers and set the list of trusted print servers.
After you restart the computer, the assigned shared network printer will be automatically installed and connected at the user logon.
I have walked you through the most important options you need to configure to deploy a printer successfully to a group using GPPs. These options are super powerful, and I encourage you to explore the options to see how they can help you configure client PCs and servers in ways you may have never considered. If you have any follow-up questions about how to deploy printers, please leave a comment below. Thanks for reading, and I hope this becomes a useful guide you can refer back to any time you need a refresher on printer deployment options. Previously, to install and connect users’ printers I had to use PowerShell scripts. These scripts need to be run as Startup GPO scripts, and Group Policy Filtering can be used to target the printer installation. However, in my opinion it is much easier to use GPP to deploy printers.