With Active Directory Group Policies, you can automatically connect shared network printers to computers and/or users with just a few clicks. An assigned network printer will automatically appear in the list of available print devices when a user logs in to Windows.
This article shows how to deploy printers to users’ computers using GPO in an AD domain environment.
The first thing you need to do is create a shared network printer in Active Directory. These can be shared printers on a dedicated host running Windows Server (with the Print and Document Services role), or printers directly attached to user workstations running desktop versions of Windows.
Open the Print Management console on the computer where the printer is attached (this guide can be used to share either a network printer available via TCP/IP or a local physical printer connected to the host via USB).
Now you need to add printers to your print server. Let’s start by installing the print drivers.
- Go to the Drivers section and run the Add Driver wizard. Select the type of driver architecture (x64 or x86) and click Next;
- On the Printer Driver Selection screen, select the driver for your printer. If the driver you need is not listed, click Have Disk and Browse. Specify the path to the printer inf file and click OK.
- Install the drivers for each printer you want to share on your print server host.
- The Print Management Console will now display the list of installed print drivers.
Now you can install new printers on your print server. Go to the Printers section and select Add Printers from the context menu. You can add a printer to your computer in one of the following ways:
- Search the network for printers;
- Add an IPP, TCP/IP, or Web Services Printer by IP address or hostname;
- Add a new printer using an existing port;
- Create a new port and add a new printer.
In this example, we’ll connect to the network printer by its IP address.
Specify the type of device (TCP/IP device), and the IP address (or the DNS name) of your network printer device (you can leave the port name by default). Check the box Auto detect the printer driver to use.
Then, select the printer driver you want to install (in this example, it is HP Universal Printing PCL6).
Then enter the printer’s name, network name, and description. In the same way, install any additional printers.
The next step is to share your printer (this makes it available to all domain users).
Expand Print Servers > ServerName (local) > Printers, right-click the printer you want to share (HP LaserJet M2727 in our case), and select Manage Sharing from the menu.
Specify the share name of the printer. We recommend you set a short, meaningful shared printer name (do not use spaces or special characters in the shared printer name). In our example, we’ve chosen to name it HPM2727_1.
Check the options Share this printer and List in the directory, and then click Apply.
You can now use GPO to deploy this shared printer on users’ computers.
The Group Policy Preferences (GPPs) extension is used to accurately deploy shared printers.
- Connect to your AD domain controller, open the Group Policy Management Console (gpmc.msc), and locate the Organizational Unit (OU) to which you want to deploy the shared printer. This OU can contain computer or user objects, depending on which objects you want to make the printer available to;
- Right-click on the OU and select Create a GPO in this domain and Link it here.
- Specify the GPO name. For example, DeployPrinterCAUsers;
- Right-click the GPO and select Edit.
Printer deployment settings are located under the following sections:
- Computer Configuration > Preferences > Control Panel Settings > Printers;
- User Configuration > Preferences > Control Panel Settings > Printers.
If you deploy a printer from the Computer Configuration section, it will be installed for all users who log on to the computer. A printer deployed from the User Configuration section is added only to the logged-in user’s profile.
Select New > Shared Printer. Specify the shared printer name in UNC format (for example, \\WKS-IT012\HPM2727_1), or select it from the list of printers published in Active Directory.
There are several actions available in the GPO when installing a printer:
- Create — creates a printer if it is not already installed (the printer is created only once, then this GPP parameter is ignored);
- Replace — deletes the printer and re-creates it each time the GPO settings on the computer are updated;
- Update — (default) The printer is created if it has not been previously created. This mode will update any printer settings that have changed since the last GPO update;
- Delete — removes the printer if it was previously installed.
You can immediately assign this printer as the user’s primary print device by enabling the Set this printer as the default printer option.
Update the GPO settings on the client computer and check if the printer is installed automatically when the user logs on (Settings > Bluetooth and Devices > Printers and Scanners).
The GPO should automatically install the printer driver if the user’s computer does not have the required device driver. This only works with Package-aware v3 print drivers. To check that you are using this type of driver, open the Print Management console > Drivers and check that your driver attributes show Packaged=True.
Other types of drivers will not be installed automatically and the GPP Event Viewer logs will contain an error:
0x80070bcb. The specified printer driver was not found on the system and needs to be downloaded.
You can pre-install the required print drivers on the user’s computers using the command:
pnputil /add-driver "\\Path to print drivers\*.inf" /subdirs
Or you can use a workaround described in the post Allow non-administrators to install printer drivers via GPO.
Note. The linked post describes how to bypass the Print Spooler security restriction that prevents non-administrative users from installing unsigned print drivers on Windows (see the PrintNightmare vulnerability described in CVE-2021-1675 and CVE-2021-3452).
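Before relaxing any driver installation restriction, it helps to know exactly which shared printers depend on a driver that is not package-aware. The following added example (not from the original article) reads the IsPackageAware property that Get-PrinterDriver returns, which is assumed here to correspond to the Packaged column in Print Management; the server name is the sample host used in this guide.

```powershell
# Added example: find shared printers whose driver will not install automatically.
$PrintServer = 'WKS-IT012'   # sample host from this guide; replace with your print server

$drivers = Get-PrinterDriver -ComputerName $PrintServer
$shared  = Get-Printer -ComputerName $PrintServer | Where-Object { $_.Shared }

$report = foreach ($p in $shared) {
    $unc = "\\$PrintServer\$($p.ShareName)"
    # One driver name can be installed for several architectures (x64, x86).
    $matching = @($drivers | Where-Object { $_.Name -eq $p.DriverName })
    if ($matching.Count -eq 0) {
        [pscustomobject]@{ UncPath = $unc; Driver = $p.DriverName
                           Environment = '(driver not found)'; Version = $null; Packaged = $false }
        continue
    }
    foreach ($d in $matching) {
        [pscustomobject]@{
            UncPath     = $unc
            Driver      = $d.Name
            Environment = $d.PrinterEnvironment      # e.g. "Windows x64"
            Version     = $d.MajorVersion            # driver model version (3 or 4)
            Packaged    = [bool]$d.IsPackageAware    # assumed to match Packaged=True in the console
        }
    }
}

# Non-packaged drivers sort first so they are easy to spot.
$report | Sort-Object Packaged, UncPath | Format-Table -AutoSize

$blocked = @($report | Where-Object { -not $_.Packaged })
if ($blocked.Count -gt 0) {
    Write-Warning ("{0} shared printer/driver pair(s) are not package-aware; clients without the driver will log 0x80070bcb." -f $blocked.Count)
    # These are the drivers to replace with a packaged version or to pre-stage with pnputil.
    $blocked | Select-Object -ExpandProperty Driver -Unique
}
```

Every driver in the final list is a candidate for replacement with a packaged version or for pre-installation with pnputil, which avoids weakening the Print Spooler restriction for the whole OU.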
How to Deploy Printers to Specific Users in Active Directory
You can use AD security groups to more accurately assign printers to users. Create a new group in AD and add the users who should receive this printer to that group.
- Edit your printer deployment GPO and go to User Configuration > Preferences > Control Panel Settings > Printers;
- Find your printer and open its properties;
- Enable the option “Run in logged-on user’s security context (user policy option)”;
- Check the option “Item-level Targeting” and click the Targeting button;
- Select New Item > Security Group, and specify your target security group name;
- Save the changes. Now this GPO will automatically connect the hp2727 printer only to users in the specified AD group.
- To automatically remove a printer when a user leaves the security group, you can select the ‘Remove this item when it no longer applies’ option.
You can add dozens or even hundreds of additional printers with a single GPO. Use Item-level Targeting in GPP to deploy printers to specific user security groups.
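Once a single GPO carries many printer items, it is worth reviewing which ones are actually restricted to a group. The following added example (not from the original article) parses a constructed Printers.xml and reports the action, the target groups and two findings for each item: no targeting at all, and targeting without the removal option. The element and attribute names are assumptions about the GPP Printers.xml layout, and the group names and SIDs are made up.

```powershell
# Constructed sample. For a real GPO, load the file from SYSVOL instead, e.g.
# [xml]$gpp = Get-Content -Raw '\\<domain>\SYSVOL\<domain>\Policies\{<GPO GUID>}\User\Preferences\Printers\Printers.xml'
[xml]$gpp = @'
<Printers>
  <SharedPrinter name="HPM2727_1" removePolicy="1">
    <Properties action="R" path="\\WKS-IT012\HPM2727_1" default="1"/>
    <Filters><FilterGroup bool="AND" not="0" name="CORP\CA-Printer-Users" sid="S-1-5-21-1-2-3-1111"/></Filters>
  </SharedPrinter>
  <SharedPrinter name="HPM2727_2" removePolicy="0">
    <Properties action="U" path="\\WKS-IT012\HPM2727_2" default="0"/>
    <Filters><FilterGroup bool="AND" not="0" name="CORP\Finance" sid="S-1-5-21-1-2-3-2222"/></Filters>
  </SharedPrinter>
  <SharedPrinter name="Lobby" removePolicy="0">
    <Properties action="U" path="\\WKS-IT012\Lobby Printer" default="0"/>
  </SharedPrinter>
</Printers>
'@

$actionName = @{ C = 'Create'; R = 'Replace'; U = 'Update'; D = 'Delete' }

function Get-GppSharedPrinter {
    param([Parameter(Mandatory)][xml]$Xml)
    foreach ($sp in $Xml.SelectNodes('/Printers/SharedPrinter')) {
        $props  = $sp.SelectSingleNode('Properties')
        $path   = $props.GetAttribute('path')
        $groups = @($sp.SelectNodes('Filters/FilterGroup') | ForEach-Object { $_.GetAttribute('name') })
        $notes  = @()
        if ($groups.Count -eq 0) {
            $notes += 'no item-level targeting: applies to everyone in the GPO scope'
        } elseif ($sp.GetAttribute('removePolicy') -ne '1') {
            $notes += 'printer stays connected after the user leaves the group'
        }
        # The guide recommends share names without spaces or special characters.
        if ($path -notmatch '^\\\\[\w.-]+\\[\w-]+$') {
            $notes += 'share name contains spaces or special characters'
        }
        [pscustomobject]@{
            Path     = $path
            Action   = $actionName[$props.GetAttribute('action')]
            Default  = $props.GetAttribute('default') -eq '1'
            Groups   = $groups -join ', '
            Findings = $notes -join '; '
        }
    }
}

Get-GppSharedPrinter -Xml $gpp | Format-List
```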