Announcement

Collapse
No announcement yet.

Cannot get Group Policy Preferences to map a printer!?

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Cannot get Group Policy Preferences to map a printer!?

    I have a domain GPO called "user.printer[mlb].Printermappings" which uses GPP to map printers to specific users.

    I have setup a test OU with a test user with a test Win7 workstation. The GPO is applied to the "TEST_OU" and security filtering set to members of the AD group "lPrn.Printer1.Print". The test user is in the group "lPrn.Printer1.Print".

    This setup works gr8. My problem starts when I setup multiple printers in this GPO and setup Item Level Targeting on each one. For example, I changed the GPO in this way:


    * Select Printer1 properties.

    * On the Common tab, check Item-level targeting. Click the Targeting button.

    * Click New Item\Security Group.

    * In the Group textbox, I put in the AD group "lPrn.Printer1.Print" (w/o the quotes).

    * Radio button "User in group" is selected.

    * OK\OK to close the GPO.


    In theory (my theory that is), Printer1 should map to only users in the security group "lPrn.Printer1.Print".

    In testing, before modifying the GPO (that is, the GPO would map the Printer1 to all users of the OU and group "lPrn.Printer1.Print", the printer maps OK. Once I modified the GPO to include Item-level targeting, the printer no longer maps to the users in that OU who are in that group.


    The reason I am modifying the GPO and using Item-level targeting is that I intend to add ALL printers to this GPO and use the security group membership as the deciding factor as to who gets the printer mapped to their workstation.


    Thanks for helping!

    PS. Server with GPO editor is Win2008 Stnd Sp1 on a Win2K3 domain. Workstations are Win7 Enterprise.
    |
    +-- JDMils
    |
    +-- Regional Systems Engineer, DotNet programmer & Jack of all trades
    |

  • #2
    Re: Cannot get Group Policy Preferences to map a printer!?

    OK, I figgered out the problem. When at the step:


    * In the Group textbox, I put in the AD group "lPrn.Printer1.Print" (w/o the quotes).


    GPP does NOT like the fact that you are putting in a group name using manual data entry- you have to browse for the group you want which once selected, adds another textbox to the GPP which contains the SID of the group.


    So why did M$ give us a textbox in which to type an AD group name when it would not work???

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    I have a new problem. I added the group "lPrn.Printer1.Print" to the security of the printer and gave the group "Print" permissions only. Now, GPP fails to install the printer on the workstations. I removed the Everyone group from the Security.

    This is the Event Viewer error:

    The user 'Printer1' preference item in the 'user.PRINTER.[Printer1].PrinterMapping {4F420C5C-32EC-4C5F-9CF6-BAE2CE08F436}' Group Policy object did not apply because it failed with error code '0x80070005 Access is denied.' This error was suppressed.
    Can anyone explain why this is happening? I want to secure the printer so that only members of the AD group can print to it. Thanks.
    |
    +-- JDMils
    |
    +-- Regional Systems Engineer, DotNet programmer & Jack of all trades
    |

    Comment


    • #3
      Re: Cannot get Group Policy Preferences to map a printer!?

      Further to my latest issue, I thought I pointed this out but I have not, so here goes:

      The problem is due to the fact that I have removed the Everyone user from the printer's properties and replaced it with the group "lPrn.Printer1.Print". My goal is to limit the users who can print to this printer using this group.

      Alas, doing this, breaks the GPO as the users are getting Access Denied in their Event Viewers when the GPO tries to install the printer as they logon. If I put the Everyone user back in with "Print" permissions then it works OK again.


      But why, if the group "lPrn.Printer1.Print" has "Print", "Manage Printers" & "Manage Documents" which is more than Everyone!?

      By giving Everyone Print permissions, you are actually giving them "Print" & "Read" permissions. If I remove the "Print" but leave the "Read" permissions, it stops working.

      I do not understand the logic of the difference between Everyone & "lPrn.Printer1.Print". Can someone explain this to me?
      |
      +-- JDMils
      |
      +-- Regional Systems Engineer, DotNet programmer & Jack of all trades
      |

      Comment


      • #4
        Re: Cannot get Group Policy Preferences to map a printer!?

        Looks like I'm the only one who knows how to solve my problems! I found the issue:

        In the policy you must enable "Run in logged-on user's security context" in the "Common" tab because the printer has to be added in usermode security and not by the system account.
        Thanks anyway.
        |
        +-- JDMils
        |
        +-- Regional Systems Engineer, DotNet programmer & Jack of all trades
        |

        Comment

        Working...
        X