One of the most important features of Group Policy in an Active Directory domain environment is the ability to automatically connect a shared network printer to a group of computers or users with a few clicks. When a user logs in to Windows, the assigned network printer automatically appears in the list of available print devices.
This article will show you how to install and configure a print server on Windows Server and deploy its printers on users’ computers via GPO.
Deploy Shared Printers to Active Directory Users with GPO
So, this time we will take a look at how to deploy shared network printer connections to users from a specific Active Directory OU by using Group Policy. We will use a dedicated host running Windows Server 2019 as a network print server in this case.
Tip. To deploy printer connections using Group Policy, the Active Directory Domain Services (AD DS) schema version must be at least Windows Server 2008 (check if you need to update Active Directory schema).
Step 1. Install Print and Document Services Role on Windows Server
Open the Server Manager console and select to install the Print and Document Services role (if not already installed).
From the Role services list select to install Print Server service.
Tip. Also, you can install the Print Server role with management tools using the following PowerShell command:
Add-WindowsFeature Print-Server, RSAT-Print-Services
Step 2. Installing Print Drivers and Printers on Windows Server
After role installation is completed, open the Print Management console from the top menu Server Manager > Tools. Or just run the command:
printmanagement.msc
Now you need to add printers to your print server. Let’s start by installing the print drivers.
In the Print Management console, go to the Drivers section and run the Add Driver wizard. Select the type of driver architecture (x64 or x86) and click Next.
On the Printer Driver Selection screen, select the driver for your printer. If the driver you need is not listed, click Have Disk and Browse. Specify the path to the printer inf file and click OK.
Similarly, install the drivers for all printers you want to connect to your print server.
Select a previously downloaded driver. In our example, it is the universal HP driver, click Next and then Finish. Repeat the operation for your other devices. Now the list of installed drivers is displayed in the Print Management console.
Now you can install new printers on your print server. Go to the Printers section and select Add Printers from the context menu. The Network Printer Installation Wizard offers you 4 ways to install printers in the Print Management console:
- Search the network for printers;
- Add a TCP/IP or Web Services Printer by IP address or hostname;
- Add a new printer using an existing port;
- Create a new port and add a new printer.
We’ve chosen the second option (installing the printer by IP address). In the next window you need to specify the type of device (TCP/IP device), and the IP address (or the DNS name) of your network printer device (you can leave the port name by default). Check the box Auto detect the printer driver to use.
Then, from the drop-down list, select the printer driver you want to install for this device (in this example, HP Universal Printing PCL6).
Then enter the printer name, network name, and description. Install all the necessary shared network printers in the same way.
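The same Step 2 setup can be scripted on the print server with the PrintManagement cmdlets. This is an added example, not part of the original article; the INF path, the printer address 192.0.2.50, the port name, the share name and the comment are placeholder assumptions, and the driver name must match the name inside your INF file exactly.

```powershell
# Added example: scripted equivalent of the Print Management wizard steps above.
# All values below are placeholders (assumptions); replace them with your own.
$InfPath     = 'C:\Drivers\HP-UPD\hpcu.inf'     # hypothetical path to the driver INF
$DriverName  = 'HP Universal Printing PCL6'     # as named in the article; must match the INF
$PrinterIP   = '192.0.2.50'                     # constructed address (documentation range)
$PortName    = "IP_$PrinterIP"
$PrinterName = 'HP LaserJet M2727'
$ShareName   = 'HP-M2727'

$ErrorActionPreference = 'Stop'

# 1. Stage the driver package in the driver store, then register it with the spooler.
if (-not (Get-PrinterDriver -Name $DriverName -ErrorAction SilentlyContinue)) {
    pnputil.exe /add-driver $InfPath
    if ($LASTEXITCODE -ne 0) { Write-Warning "pnputil exit code $LASTEXITCODE" }
    Add-PrinterDriver -Name $DriverName   # fails if the package is not in the driver store
}

# 2. Create the Standard TCP/IP port for the device.
if (-not (Get-PrinterPort -Name $PortName -ErrorAction SilentlyContinue)) {
    Add-PrinterPort -Name $PortName -PrinterHostAddress $PrinterIP
}

# 3. Create the printer queue with its name, network (share) name and description.
if (-not (Get-Printer -Name $PrinterName -ErrorAction SilentlyContinue)) {
    Add-Printer -Name $PrinterName -DriverName $DriverName -PortName $PortName `
                -Shared -ShareName $ShareName -Comment 'Managers floor (placeholder)'
}

# Show the result so it can be compared with the Print Management console.
Get-Printer -Name $PrinterName |
    Format-List Name, DriverName, PortName, Shared, ShareName
```

Each step checks for an existing object first, so the script can be re-run safely when adding further printers.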
Step 3. Deploying Shared Printer with GPO
Expand Print Servers > ServerName (local) > Printers, select the printer you want to deploy (HP LaserJet M2727 in our case), right-click on it, and select from the menu Manage Sharing.
Check the options Share this printer and List in the directory, and then click Apply.
Right-click on your printer in Print Management snap-in and choose Deploy with Group Policy.
Now press Browse.
Using the Domain Browser, you need to locate the OU (organizational unit) on which you want to deploy the printer, and then click Create a New Group Policy Object button.
Enter the policy name and click OK. You can assign the created policy to domain users, computers, or both.
- Per User — the printer is connected in the user's session regardless of which computer the user logs on to. This is useful if you have a VDI, or if each user can use different workstations (for example, in a call center). This policy should not be used if users are distributed across different buildings or branch offices; otherwise, a user will have to take a walk to pick up documents from the printer;
- Per Computer — no matter which user is working on the computer, it will always print on a specific printer (all users of a computer can access the printer). This printer connection policy is commonly used in large distributed corporate networks.
Since we have linked the policy to an OU named Managers that contains only user objects, we need to select The users that this GPO applies to (per user). Press the Add button to add your shared printer to the GPO.
The configuration is now completed, just press Apply.
Step 4. Check Printer Deployment Options in GPO
Now open the Group Policy Management Console (GPMC.msc), and find the policy you created earlier from the Print Management console (ManagersPrinter in our case).
Check the current policy settings by going to the Settings tab. You can see the UNC path of the shared printer in the section User Configuration > Policies > Windows Settings > Printer Connection. This path should contain the name of your print server. For example, \\lon-prnt01\HP Laser Jet M2727.
Tip. To see the Printer Connections node in the GPO editor on Windows Server, you need to install the RSAT feature Print & Document Services Tool.
Update the policy settings on the client (gpupdate /force). Next, you need to verify if a new shared printer HP LaserJet M2727 appeared in the list of connected printers.
Tip. To speed up Group Policy processing, disable the unused half of the GPO on the Details tab: for a user policy, select Computer Configuration settings disabled. If you assigned a printer policy to a computer OU, disable the User configuration section instead. You may also encounter the “The Processing of Group Policy Failed” error.
Your policy will automatically assign the HP Laser Jet M2727 printer to all users from the selected OU.
How to Install Printer Using Group Policy Preferences?
On Windows Server 2008 (Windows 7) and newer, you can install printers using Group Policy Preferences (GPPs).
- Open the Group Policy Management Console (gpmc.msc), and find the OU you want to deploy shared printers to;
- Right-click on the OU and select Create a GPO in this domain and Link it here.
- Specify the GPO name. For example, DeployPrinterCAUsers;
- Click on your new GPO and select Edit.
Printer deployment settings are located under the following sections of the GPO Editor:
- Computer Configuration > Preferences > Control Panel Settings > Printers;
- User Configuration > Preferences > Control Panel Settings > Printers.
To install a printer, select New and select one of the modes in the drop-down menu:
- Shared Printer;
- TCP/IP Printer;
- Local Printer.
These preferences let you not only connect printers shared on a print server, but also configure clients to print directly to a network printer. In this case, the policy settings specify the IP address or device name of the printer, and the print server from which the computer can install the driver.
To connect the printer by its FQDN, enable the Use DNS name option.
In the Printer Path field, specify the UNC name from which the client can obtain and install the driver for this printer.
There are four Actions available in GPP when installing a printer:
- Create — creates a printer if it has not been installed before (the printer is created only once, then this GPP parameter is ignored);
- Replace — deletes the printer and re-creates it each time the GPO settings on the computer are updated;
- Update — in this mode, the printer is created if it was not previously created. In addition, this mode updates any printer information that has changed since the last GPO update;
- Delete — removes the printer if it was previously installed.
You can immediately assign this printer as the user’s primary printing device. To do this, enable the Set this printer as the default printer option.
Note. In the summer of 2021, a significant vulnerability was discovered in Windows Print Spooler, which was named PrintNightmare (CVE-2021-1675 and CVE-2021-3452). Microsoft released updates that fix this spooler bug, and these updates broke the usual mechanism for installing printers through GPO: Windows now blocks the installation of printer drivers for non-admin users by default.
To solve this problem, you can use the workarounds described in the article Allow non-administrators to install printer drivers via GPO, or you can pre-install the necessary print drivers on the user’s computers using the command:
pnputil /add-driver "\\Path to print drivers\*.inf" /subdirs
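Before choosing between these two options, it helps to see what a client currently allows. The following added example (not from the original article) reads the Point and Print policy values that Microsoft documents for the PrintNightmare updates and checks whether the required driver is already installed; the driver name is a placeholder assumption.

```powershell
# Added example: report the Point and Print policy state on a client and
# whether the required print driver is already pre-installed.
$DriverName = 'HP Universal Printing PCL6'   # placeholder: driver used by your shared printer
$Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PolicyValue {
    param([string]$Name)
    # Returns $null when the key or the value is not configured.
    (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
}

$restrict  = Get-PolicyValue 'RestrictDriverInstallationToAdministrators'
$noWarn    = Get-PolicyValue 'NoWarningNoElevationOnInstall'
$updPrompt = Get-PolicyValue 'UpdatePromptSettings'

$findings = @()
# Not configured or 1: only administrators may install printer drivers (patched default).
if ($null -ne $restrict -and $restrict -eq 0) {
    $findings += 'RestrictDriverInstallationToAdministrators = 0 (non-admins may install drivers).'
}
# Any non-zero value suppresses the warning or elevation prompt.
if ($noWarn)    { $findings += "NoWarningNoElevationOnInstall = $noWarn (install prompts suppressed)." }
if ($updPrompt) { $findings += "UpdatePromptSettings = $updPrompt (update prompts suppressed)." }

$driver = Get-PrinterDriver -Name $DriverName -ErrorAction SilentlyContinue

[pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    AdminOnlyInstall   = ($null -eq $restrict -or $restrict -ne 0)
    DriverPreinstalled = [bool]$driver
    Findings           = if ($findings) { $findings -join ' ' } else { 'None' }
}
```

A client that reports AdminOnlyInstall = True and DriverPreinstalled = True can receive the GPO printer without relaxing the driver-installation restriction.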
Now update the GPO settings in the user session and the new default printer will appear in the user session (Control Panel\Hardware\Devices and Printers).
Check if you have a new shared network printer connected:
- Click on the printer and select Print Properties;
- Go to the Ports tab;
- Make sure the printer is connected via the Standard TCP/IP Port and points to the IP address or DNS name of your shared network printer.
You can also list installed printers using the PowerShell command:
Get-Printer
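The Ports tab check above can be done for all printers at once by joining Get-Printer with Get-PrinterPort. This is an added example, not part of the original article; the expected address 192.0.2.50 is a constructed placeholder for the IP address or DNS name set in your GPP item.

```powershell
# Added example: list every installed printer with its port type and target address,
# and flag whether the address matches the one configured in the policy.
$ExpectedAddress = '192.0.2.50'   # placeholder (constructed value)

# Index the ports by name so each printer can be matched to its port object.
$ports = @{}
Get-PrinterPort | ForEach-Object { $ports[$_.Name] = $_ }

Get-Printer | ForEach-Object {
    # Connection printers may use a port that is not defined locally.
    $port = if ($_.PortName) { $ports[$_.PortName] }
    [pscustomobject]@{
        Name        = $_.Name
        Type        = $_.Type               # Local or Connection
        Driver      = $_.DriverName
        Port        = $_.PortName
        PortType    = $port.Description     # e.g. "Standard TCP/IP Port"
        HostAddress = $port.PrinterHostAddress
        Matches     = ($port.PrinterHostAddress -eq $ExpectedAddress)
    }
} | Sort-Object Name | Format-Table -AutoSize
```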
You can use AD groups to target printers to users more accurately. Create a new group in AD (for example, mun-managers-hp2727), and add to it all users to whom you want to assign this printer.
- In the GPMC, switch to the ManagersPrinter policy edit mode, and go to the section User Configuration > Preferences > Control Panel Settings > Printers;
- Find your printer and open its properties;
- Enable the option “Run in logged-on user’s security context (user policy option)”;
- Enable the option “Item-level Targeting” and click on the button;
- Select New Item > Security Group, and specify the group name domain\mun-managers-hp2727;
- Save the changes. Now this policy will automatically connect the hp2727 printer only to users from the specified AD group.
You have configured a policy for adding a printer, but if you remove a user from the specified security group, the shared printer won’t be automatically removed.
When configuring printer connections through Group Policy Preferences, you need to create two separate policies: one that connects the printer when a specified condition is met, and a second that disconnects the printer from the user when this condition is not met. In this example, you need to copy your policy in the GPMC and switch to edit mode.
- Specify Delete as Action in the policy, also check the option Delete all IP Printer connections;
- Go to GPP Item Level Targeting settings. Select the condition that assigns the printer to the domain security group, and click Item Options > Is Not.
- Save your changes. You now have two Group Policy Preference entries for this printer: one installs the printer if the user is a member of a group, and the other removes it if the user is not added to the AD security group.
You can add tens and hundreds of additional printers with a single GPO. Use the Item Level Targeting in GPP to deploy printers to specific user security groups.
3 comments
Will this work for printers installed on a server and users install it by a vm network shared name instead of IP address?
The remove part doesn’t work for me. Any troubleshooting tips?
thank you bro, you saved my freelance project :)
regards,
haikal shiddiq (hicall)