Deploying Printers to Domain Users and Computers with GPOs | Ranjan.info

You can use Group Policies (GPOs) to install and connect shared printers to specific users, computers, and groups in an Active Directory domain. In this article, we will look at how to automatically connect a shared printer for a domain user when they log on to a Windows computer.

Consider the following configuration: the organization has 3 departments, and users in each department must print documents on their own color shared network printer. As an administrator, you must configure automatic deployment of network printers based on the user's department.

Deploying Printers to Domain Users via Group Policy

Create three new security groups in AD (SharedPrinter_Sales, SharedPrinter_IT, SharedPrinter_Manager) and add department users to them (you can automatically add users to domain groups by following the article “Creating a Dynamic Group in Active Directory”). You can create groups in the Active Directory Users and Computers console (dsa.msc) or by using the New-ADGroup cmdlet:

New-ADGroup "SharedPrinter_Sales" -Path 'OU=Groups,OU=Paris,DC=woshub,DC=com' -GroupScope Global -PassThru

  1. Run the Group Policy Management console (GPMC.msc), create a new policy named prnt_AutoConnect and link it to the OU with the target users.
    If you have a small number of shared network printers in your domain (up to 30-50), you can configure them using a single GPO. If you have a complex domain structure with AD sites and organizational units (OUs) and delegate some AD administration tasks to branch administrators, it is better to create multiple printer deployment policies, for example one policy per AD site or OU.
  2. Switch to policy-editing mode and expand User Configuration -> Preferences -> Control Panel Settings -> Printers. Create a new policy item by selecting New -> Shared Printer.

    If you want to connect to a network printer by its IP address (directly, without a print server), select TCP/IP Printer instead.


  3. Select Update as the Action. In the Shared path field, enter the UNC path of your shared printer, for example \\srv-par-print\hpsales (in my case all printers are connected to the print server \\srv-par-print). Here you can also specify whether to set this printer as the default printer.
    You can publish your shared printer to Active Directory. To do this, enable the List in the directory option on the Sharing tab of the printer properties. In this case, you can find your printer by searching AD (no need to enter the printer name manually): click the button with three dots next to the Shared path field, click Find Now, and select the printer from the list.
  4. Go to the Common tab and specify that the printer must be connected in the current user context (Run in logged-on user's security context). Also check the Item-level targeting option and click Targeting.
  5. Using GPP targeting, specify that this printer connection item should apply only to members of the SharedPrinter_Sales group. To do this, click New Item -> Security Group and enter SharedPrinter_Sales as the group name.

    Please note that this restriction does not prevent a domain user from manually connecting to this printer using File Explorer. To restrict access to printers, you must change the printer security permissions on the print server and allow printing only for specific groups.

  6. Similarly, create network printer installation options for other user groups.

There is also an older GPO section for configuring printers: Computer Configuration -> Policies -> Windows Settings -> Deployed Printers. However, this way of deploying printers is less flexible than the GPP method described above.

Check that shared network printers are now connected automatically when users log in to Windows.


When using this Group Policy, new printers will be installed for users only if the appropriate print driver is already installed on their computer (drivers must first be manually installed or integrated directly into the Windows image).

If a driver is not installed for this printer, the printer assigned via the GPO will not be connected for the user. In this case, an event with Event ID 4096 appears in the Application event log:

Source: Group Policy Printers
The user 'HPLaserJet400' preference item in the 'prnt_AutoConnect {GUID}' Group Policy Object did not apply because it failed with error code '0x800702e4 The requested operation requires elevation.' This error was suppressed.


The reason is that Windows users without administrator privileges can no longer install printer drivers, even if the Point and Print Restrictions policy is configured.

Allow non-admin users to install printer drivers via GPO

In 2021, a critical vulnerability was discovered in the Print Spooler service (PrintNightmare, CVE-2021-34527), and to address it Microsoft changed the default behavior of Windows when installing print drivers. Since KB5005033, users cannot install printer drivers without administrator permission, even when the Point and Print Restrictions GPO option is configured. Print drivers (signed and unsigned) can now be installed only by administrators.

However, there is a workaround that allows non-admin users to install printer drivers. To use it, you will need to change your GPO.

  1. Go to the GPO section Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options and enable the option Devices: Prevent users from installing printer drivers;
  2. Now go to Computer Configuration -> Policies -> Administrative Templates -> System -> Driver Installation. Enable the policy Allow non-administrators to install drivers for these device setup classes and add the printer device class GUIDs {4658ee7e-f050-11d1-b6bd-00c04fa372a7} and {4d36e979-e325-11ce-bfc1-08002be10318} to it. This allows non-administrators to install print drivers only;
  3. Go to Computer Configuration -> Policies -> Administrative Templates -> Printers and enable the Point and Print Restrictions policy. Here you need to specify the list of your print servers (Users can only point and print to these servers), which allows print drivers to be installed from them. Select Do not show warning or elevation prompt for the remaining two options (installing drivers for a new connection and updating drivers for an existing connection);
  4. Add the list of your trusted print servers to the Package Point and Print - Approved servers policy;
  5. Now the most important point: to allow printer drivers to be installed without elevated privileges (for non-administrator users), you must temporarily change the value of the RestrictDriverInstallationToAdministrators registry parameter to 0.

On a standalone computer, you can change this registry parameter with the command:

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 0 /f

To change this registry parameter on users' computers via GPO, create a new Group Policy Preference item under Computer Configuration -> Preferences -> Windows Settings -> Registry with the following settings:

Action: Replace
Hive: HKEY_LOCAL_MACHINE
Key path: Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
Value name: RestrictDriverInstallationToAdministrators
Type: REG_DWORD
Value: 0
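Because setting RestrictDriverInstallationToAdministrators to 0 relaxes the PrintNightmare mitigation, it is worth being able to audit which computers are in that state and whether the trusted-server lists from the steps above are actually in place. The following PowerShell function is an added example and not part of the original article; it reads the policy values written by these GPOs (the PackagePointAndPrint\ListofServers subkey layout is an assumption) and reports warnings for a weak combination.

```powershell
function Test-PointAndPrintHardening {
    # Reports the Point and Print driver-installation policy state on one or more computers.
    [CmdletBinding()]
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    $probe = {
        $pnpKey = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
        # Assumption: "Package Point and print - Approved servers" stores one value per server here
        $pkgKey = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers'
        $p = Get-ItemProperty -Path $pnpKey -ErrorAction SilentlyContinue

        # A missing value means the post-KB5005033 default: administrators only
        $restrict = if ($null -eq $p.RestrictDriverInstallationToAdministrators) { 1 } else { [int]$p.RestrictDriverInstallationToAdministrators }
        $trusted = @()
        if ([int]$p.TrustedServers -eq 1 -and $p.ServerList) { $trusted = @($p.ServerList -split ';') }
        $pkgServers = @()
        if (Test-Path $pkgKey) { $pkgServers = @((Get-Item $pkgKey).GetValueNames()) }

        $warnings = [System.Collections.Generic.List[string]]::new()
        if ($restrict -eq 0) {
            $warnings.Add('RestrictDriverInstallationToAdministrators=0: non-admins may install print drivers (PrintNightmare mitigation relaxed)')
            if ($trusted.Count -eq 0)    { $warnings.Add('No Point and Print trusted server list: driver source is not limited to known print servers') }
            if ($pkgServers.Count -eq 0) { $warnings.Add('No Package Point and Print approved server list') }
        }
        if ([int]$p.NoWarningNoElevationOnInstall -eq 1 -and $trusted.Count -eq 0) {
            $warnings.Add('Driver install warnings suppressed without a trusted server list')
        }

        [pscustomobject]@{
            Computer                                   = $env:COMPUTERNAME
            RestrictDriverInstallationToAdministrators = $restrict
            TrustedServers                             = $trusted
            PackageServers                             = $pkgServers
            NoWarningNoElevationOnInstall              = [int]$p.NoWarningNoElevationOnInstall
            UpdatePromptSettings                       = [int]$p.UpdatePromptSettings
            Warnings                                   = $warnings.ToArray()
        }
    }

    foreach ($c in $ComputerName) {
        if ($c -ieq $env:COMPUTERNAME) { & $probe }   # local run needs no WinRM
        else { Invoke-Command -ComputerName $c -ScriptBlock $probe }
    }
}

# Hypothetical computer names; remote targets need WinRM enabled
Test-PointAndPrintHardening -ComputerName $env:COMPUTERNAME, 'PC-SALES-01' | Format-List
```

Any computer still reporting RestrictDriverInstallationToAdministrators = 0 after the driver rollout is finished is a candidate for reverting the registry item.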


Go to the Common tab and enable the Remove this item when it is no longer applied option.


Now update the GPO settings on the client (log on again or run the gpupdate /force command) and check that the drivers from the print server are now installed automatically. MsiInstaller events should appear in the Application log:

EventID 1040
Beginning a Windows Installer transaction: C:\Windows\system32\spool\DRIVERS\x64\CIOUM64.MSI. Client Process Id: 7240.


Such a GPO allows any non-administrator user to install or update shared printers and their drivers from the specified print server without any prompts.

Note that only signed, package-aware v3 print drivers can be installed this way (those listed with Packaged = True in the Drivers section of the Print Management console, printmanagement.msc). See the article Unable to install a non-package-aware print driver.


If you try to install a printer with an unsigned driver via GPO, it will not be deployed even with RestrictDriverInstallationToAdministrators set to 0:

The user 'HP2500' preference item in the 'prnt_AutoConnect {GUID}' Group Policy Object did not apply because it failed with error code '0x80070bcb The specified printer driver was not found on the system and needs to be downloaded.' This error was suppressed.
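To find these suppressed failures across a fleet rather than reading each event by hand, the following PowerShell script (an added example, not from the article) pulls Group Policy Printers event 4096 from the Application log, extracts the printer, GPO and error code, and maps the two codes discussed in this article (0x800702e4 and 0x80070bcb) to their causes. The sample messages are constructed from the event text shown above so the parser can be checked offline.

```powershell
# Causes taken from this article; any other code is reported without a cause
$KnownPrinterGppErrors = @{
    '0x800702e4' = 'Driver not pre-installed and RestrictDriverInstallationToAdministrators still 1 (elevation required)'
    '0x80070bcb' = 'Driver not on the client and not package-aware/signed, so it cannot be pulled from the print server'
}

function ConvertFrom-PrinterGppMessage {
    # Parses one "Group Policy Printers" event 4096 message into printer, GPO, code and likely cause.
    param([Parameter(Mandatory)][string]$Message)
    $rx = "The user '(?<Printer>[^']+)' preference item in the '(?<Gpo>[^']+)' Group Policy Object " +
          "did not apply because it failed with error code '(?<Code>0x[0-9a-fA-F]{8})\s*(?<Text>[^']*)'"
    if (-not ($Message -match $rx)) { return $null }
    $code = $Matches.Code.ToLower()
    [pscustomobject]@{
        Printer     = $Matches.Printer
        Gpo         = $Matches.Gpo
        Code        = $code
        Text        = $Matches.Text.Trim()
        LikelyCause = if ($KnownPrinterGppErrors.ContainsKey($code)) { $KnownPrinterGppErrors[$code] } else { 'Unknown; check the driver on the print server' }
    }
}

function Get-PrinterGppFailure {
    # Reads recent suppressed printer-preference failures from the local Application log.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Application'; ProviderName = 'Group Policy Printers'; Id = 4096; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $r = ConvertFrom-PrinterGppMessage -Message $_.Message
        if ($r) { $r | Add-Member -NotePropertyName Time -NotePropertyValue $_.TimeCreated -PassThru }
    }
}

# Constructed sample messages (from the event text shown in this article) for an offline check
$samples = @(
    "The user 'HPLaserJet400' preference item in the 'prnt_AutoConnect {GUID}' Group Policy Object did not apply because it failed with error code '0x800702e4 The requested operation requires elevation.' This error was suppressed.",
    "The user 'HP2500' preference item in the 'prnt_AutoConnect {GUID}' Group Policy Object did not apply because it failed with error code '0x80070bcb The specified printer driver was not found on the system and needs to be downloaded.' This error was suppressed."
)
$samples | ForEach-Object { ConvertFrom-PrinterGppMessage -Message $_ } | Format-Table Printer, Code, LikelyCause -AutoSize

# Live query of the last 24 hours on this computer
Get-PrinterGppFailure | Format-Table Time, Printer, Gpo, Code, LikelyCause -AutoSize
```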
