Let’s look at how to automatically install and connect printers to specific users, computers and groups in an Active Directory domain using Group Policy (GPO). It is very convenient when available (assigned) printers are automatically installed and connected when a user first logs on to a domain computer.
Consider the following configuration: there are 3 departments in the organization. Users of each department must print documents on their own color shared network printer. As an administrator, you have to configure the automatic deployment of network printers for users depending on their department.
This post assumes the use of Group Policy Preferences, an extension of GPO that was introduced in Windows Server 2008. The instructions apply to AD environments with a domain level of at least Windows Server 2008 and clients running Windows XP SP3 or newer.
Deploying Printers to Users via Group Policy
Create three new security groups in AD (SharedPrinter_Sales, SharedPrinter_IT, SharedPrinter_Managers) and add the department users to them (you can automatically add users to domain groups by following the article “Creating a Dynamic Group in Active Directory”). You can create groups in the Active Directory Users & Computers console or using the New-ADGroup cmdlet:
New-ADGroup "SharedPrinter_Sales" -Path 'OU=Groups,OU=NY,DC=contoso,DC=com' -GroupScope Global -PassThru
- Run the domain Group Policy editor (GPMC.msc), create a new policy print_AutoConnect and link it to the OU with the users. If you have a small number of shared network printers in your domain (up to 30-50), you can configure them using a single GPO.
If you have a complex domain structure and you delegate some AD administration tasks to branch administrators, it is better to create several printer deployment policies. For example, one policy for each AD site or OU.
- Switch to policy editing mode and expand User Configuration -> Preferences -> Control Panel Settings -> Printers. Create a new policy item by selecting New -> Shared Printer. If you want to connect a printer by IP address (directly, without a print server), select TCP/IP Printer.
- Specify Update as an action. In the Shared Path field, enter the UNC address of your printer, for example, \\print-server-01\hpsales (in my case all printers are connected to the centralized print server \\print-server-01). Here you can specify whether to use this printer as the default printer;
- Go to the Common tab and specify that the printer must be connected in the current user context (Run in logged-on user’s security context). Also check the Item-level targeting option and click Targeting.
- Using GPP targeting, you must specify that the policy is to be applied only for SharedPrinter_Sales group members. To do it, go to New Item -> Security Group and enter SharedPrinter_Sales as a group name. Please note that this restriction doesn’t prevent a domain user from manually connecting this printer using Windows File Explorer. To restrict access to the printer, you will have to change the printer security permissions on the print server and allow printing only for specific groups.
- In the same way create the printer connection policies for other user groups;
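Because item-level targeting only decides who receives the connection, the printer ACL on the print server is what limits who can print. The PowerShell check below is an added example, not part of the original article: it parses a printer's security descriptor and reports broad principals that hold the Print right. The SDDL strings and the group SID in it are constructed samples.

```powershell
# PRINTER_ACCESS_USE (0x8) is the "Print" right in a printer security descriptor.
$PrintRight = 0x8
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-BroadPrintAce {
    param(
        [Parameter(Mandatory)] [string] $PrinterName,
        [Parameter(Mandatory)] [string] $Sddl
    )
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        # Inherit-only ACEs apply to print jobs, not to the printer object itself.
        if ($ace.AceFlags.HasFlag([System.Security.AccessControl.AceFlags]::InheritOnly)) { continue }
        $sid = $ace.SecurityIdentifier.Value
        if ($BroadSids.ContainsKey($sid) -and ($ace.AccessMask -band $PrintRight)) {
            [pscustomobject]@{
                Printer   = $PrinterName
                Principal = $BroadSids[$sid]
                Mask      = '0x{0:X}' -f $ace.AccessMask
            }
        }
    }
}

# Constructed samples: a default-style ACL where Everyone can print, and one where
# the Print right goes to a single group (placeholder SID standing in for SharedPrinter_Sales).
$samples = [ordered]@{
    'hpsales-default'  = 'O:BAG:SYD:(A;;LCSWSDRCWDWO;;;BA)(A;OIIO;RPWPSDRCWDWO;;;BA)(A;;SWRC;;;WD)(A;OIIO;RPWPSDRCWDWO;;;CO)'
    'hpsales-hardened' = 'O:BAG:SYD:(A;;LCSWSDRCWDWO;;;BA)(A;OIIO;RPWPSDRCWDWO;;;BA)(A;;SWRC;;;S-1-5-21-1111111111-2222222222-3333333333-1105)'
}
foreach ($name in $samples.Keys) { Get-BroadPrintAce -PrinterName $name -Sddl $samples[$name] }

# Against the print server from the article (requires the PrintManagement module):
# Get-Printer -ComputerName print-server-01 -Full |
#     ForEach-Object { Get-BroadPrintAce -PrinterName $_.Name -Sddl $_.PermissionSDDL }
```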
Also there is an old GPO section to configure printers: Computer Configuration -> Policies -> Windows Settings -> Deployed Printers, but this method is less flexible than the one using GPP described above.
When using this printer deployment Group Policy, new printers will be connected on user computers only if the corresponding printer driver is installed. However, the problem is that non-admin users don’t have permission to install print drivers. In this case, you need to configure the Point and Print Restrictions policy.
Configuring Point and Print Restrictions Policy to Install Printers
To correctly connect printers for any users, you will have to configure the Point and Print Restrictions policy, as well as the addresses of the print servers from which users are allowed to install drivers and printers. I will remind you that for security reasons Microsoft has restricted the installation of non-package-aware v3 printer drivers since 2016.
If you connect your printers using the User Configuration policy, go to User Configuration -> Policies -> Administrative Templates -> Control Panel -> Printers -> Point and Print Restrictions. Enable the policy and configure it as follows:
- Users can only point and print to these servers – specify the list of print servers users can install drivers from (FQDN names are separated by semicolons);
- When installing driver for new connection -> Do not show warning or elevation prompt;
- When installing driver for existing connection -> Do not show warning or elevation prompt.
Also, enable the Package Point and Print – Approved servers policy in the GPO section User Configuration -> Policies -> Administrative Templates -> Control Panel -> Printers and set the list of trusted print servers.
After you restart the computer, the assigned shared network printer will be automatically installed and connected at the user logon.
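To confirm on a client what the Point and Print Restrictions policy actually applied, the following PowerShell audit is an added example, not code from the original article. It reads the values the policy writes under Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint and reports suppressed prompts and server list entries that are not FQDNs; the sample hashtable is constructed to mirror the settings chosen above.

```powershell
$PnpKey = 'Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Test-PointAndPrintPolicy {
    param([hashtable] $Values = @{}, [string] $Scope = 'sample')
    if ($Values.Count -eq 0) { return "[$Scope] Point and Print Restrictions is not configured" }
    $findings = @()
    # Any non-zero value means the warning/elevation prompt is reduced or suppressed.
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        if ([int]$Values[$name] -ne 0) {
            $findings += "[$Scope] $name = $($Values[$name]): driver prompt is not fully shown"
        }
    }
    # ServerList holds the semicolon-separated names from "Users can only point and print to these servers".
    $servers = @("$($Values['ServerList'])" -split ';' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ([int]$Values['TrustedServers'] -ne 1 -or $servers.Count -eq 0) {
        $findings += "[$Scope] no approved print server list is enforced"
    }
    foreach ($s in $servers) {
        # The policy expects FQDNs; short names deserve a second look.
        if ($s -notmatch '\.') { $findings += "[$Scope] server entry '$s' is not an FQDN" }
    }
    $findings
}

function Get-PointAndPrintValues {
    # 'HKCU:' = User Configuration policy, 'HKLM:' = Computer Configuration policy
    param([Parameter(Mandatory)] [string] $Hive)
    $values = @{}
    $item = Get-ItemProperty -Path "$Hive\$PnpKey" -ErrorAction SilentlyContinue
    if ($item) { foreach ($p in $item.PSObject.Properties) { $values[$p.Name] = $p.Value } }
    $values
}

# Constructed sample mirroring the article's settings, with one short server name.
$sample = @{
    Restricted                    = 1
    TrustedServers                = 1
    ServerList                    = 'print-server-01.contoso.com;print-server-01'
    NoWarningNoElevationOnInstall = 1
    UpdatePromptSettings          = 2
}
Test-PointAndPrintPolicy -Values $sample

# On a domain client, check both policy scopes:
foreach ($hive in 'HKCU:', 'HKLM:') {
    Test-PointAndPrintPolicy -Values (Get-PointAndPrintValues -Hive $hive) -Scope $hive
}
```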