Deploying printers via Group Policy Preferences

Deploying large numbers of printers to the correct individuals in a large environment is always a challenge. I personally am a fan of utilizing Group Policy Preferences, and the multiple filters available for the individual preferences.

There are several obstacles that need to be addressed to guarantee the success of your deployment, and I will outline the common issues I have seen.

Within your group policies, you need to disable “Point and Print Restrictions”, which are labeled as:

Package Point and Print – Approved Servers (DISABLED) – this could also be enabled, specifying the print server(s) that will be storing your drivers

Only Use Package Point and Print (DISABLED)

Point and Print Restrictions (DISABLED)

Disable Point and Print

These settings can be found at:

Computer Configuration -> Policies -> Administrative Templates -> Printers

With the point and print policy changes being tied to a computer configuration, I personally prefer separating computer configurations from user configurations where they make sense. For example, if the firewalls are to be disabled for computers on the domain, I would usually integrate these settings with the firewall policy, since both are machine based. This also allows for more obvious filtering on the user side, such as not applying a printer deployment GPO to admins (assuming our printer deployment preferences are based on user logins and thus are user based).

I do still see remnant XP machines in environments that are somehow holding out against modernization. These machines also require KB93729 – Group Policy Preference Client Side Extensions for XP to be deployed to them in order for them to recognize the preferences.

After you have prepped your Active Directory, you will now move on to your print servers…

There are several rules that must be followed in order to deploy printers:

  1. If you are in a mixed architecture environment, do you have the same version of the x86 and x64 driver installed? The driver must have the same driver name and driver version in order to deploy.
  2. Have you set up your print drivers to use the winprint print processor? HP printers are notorious for deviating from this, and must be set to winprint.
  3. I would also verify the use of TCP/IP ports; again, HP printers can deviate from this. (Did you notice we are utilizing DNS names?)
  4. Printers must be both shared and listed; typically admins will share them but forget to list them. You can modify this setting in the share tab of each printer, or select all of the printers, right click, and “List in Directory”.

Listing in directory

Other recommendations are going to be dependent upon your environment. If you are dealing with large numbers of printers, it will also be a good time to explore using PowerShell to modify settings en masse.
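The four print-server rules above can be checked in bulk before any GPO is built. The following is an added example, not part of the original post: the function name and all sample data are hypothetical, a mixed x86/x64 client population is assumed, and the port check assumes standard ports report the description text "Standard TCP/IP Port".

```powershell
# Checks each printer against the four print-server rules listed above.
# Inputs are objects shaped like the output of Get-Printer, Get-PrinterDriver
# and Get-PrinterPort (PrintManagement module).
function Test-PrinterDeployReadiness {
    param($Printers, $Drivers, $Ports)
    foreach ($p in $Printers) {
        $issues = @()
        $drv   = @($Drivers | Where-Object { $_.Name -eq $p.DriverName })
        $archs = @($drv | ForEach-Object { $_.PrinterEnvironment } | Sort-Object -Unique)
        $vers  = @($drv | ForEach-Object { $_.DriverVersion } | Sort-Object -Unique)
        # Rule 1: same driver name and version installed for x86 and x64
        if ($archs.Count -lt 2) { $issues += "driver architectures found: $($archs -join ', ')" }
        if ($vers.Count -gt 1)  { $issues += "driver versions differ: $($vers -join ', ')" }
        # Rule 2: print processor must be winprint
        if ($p.PrintProcessor -ne 'winprint') { $issues += "print processor '$($p.PrintProcessor)'" }
        # Rule 3: TCP/IP port (assumption: standard ports report this Description)
        $port = $Ports | Where-Object { $_.Name -eq $p.PortName }
        if ($port.Description -ne 'Standard TCP/IP Port') { $issues += "port '$($p.PortName)' is not Standard TCP/IP" }
        # Rule 4: shared AND listed in the directory
        if (-not $p.Shared)    { $issues += 'not shared' }
        if (-not $p.Published) { $issues += 'not listed in directory' }
        [pscustomobject]@{ Printer = $p.Name; Ready = ($issues.Count -eq 0); Issues = ($issues -join '; ') }
    }
}

# Constructed sample data (made-up names and versions). On a print server, call
# Test-PrinterDeployReadiness (Get-Printer) (Get-PrinterDriver) (Get-PrinterPort)
$drivers = @(
    [pscustomobject]@{ Name = 'Example PCL6'; PrinterEnvironment = 'Windows x64';    DriverVersion = '6.1.0.100' }
    [pscustomobject]@{ Name = 'Example PCL6'; PrinterEnvironment = 'Windows NT x86'; DriverVersion = '6.1.0.100' }
    [pscustomobject]@{ Name = 'Example PS';   PrinterEnvironment = 'Windows x64';    DriverVersion = '5.2.0.7' }
)
$ports = @(
    [pscustomobject]@{ Name = 'ric-hr-01.example.com'; Description = 'Standard TCP/IP Port' }
    [pscustomobject]@{ Name = 'VENDOR_PORT_01';        Description = 'Vendor Port Monitor' }
)
$printers = @(
    [pscustomobject]@{ Name = 'RIC-HR-01'; DriverName = 'Example PCL6'; PortName = 'ric-hr-01.example.com'
                       PrintProcessor = 'winprint'; Shared = $true; Published = $true }
    [pscustomobject]@{ Name = 'RIC-LOBBY-01'; DriverName = 'Example PS'; PortName = 'VENDOR_PORT_01'
                       PrintProcessor = 'vendorproc'; Shared = $true; Published = $false }
)
Test-PrinterDeployReadiness $printers $drivers $ports | Format-Table -AutoSize -Wrap
```

With the sample data, RIC-HR-01 reports ready and RIC-LOBBY-01 lists four issues: a single driver architecture, a non-winprint print processor, a non-standard port, and a share that is not listed in the directory.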

Once we have made our adjustments on the print server, we can create a GPO and edit it to create our preferences. The user preferences for printers may be found at User Configuration -> Preferences -> Control Panel Settings -> Printers.

Selecting GPP in User Settings

I typically deploy “Shared Printers”, but in the case where you just want to push local printer connections, you would choose “TCP/IP Printer”. This would be useful for a remote office without a local server that needs to print directly to its printer to avoid “hairpinning” all of its print jobs.

To Share or Not to Share

Create the appropriate printer connection type by right clicking on the “Printer” preference and choosing “New” and your printer connection type.

Group Policy Preference Actions… you will have the choice of Update, Create, Replace, and Delete. This may be up for debate, but I have always been under the impression that the default of “Update” is typically best for most deployments. This setting will check the preference, and deploy or modify as needed. “Replace” is an absolute, and will always deploy the printer, and overwrite it if it already exists. “Create” is also very common, and will create the printer, or do nothing if it has already been deployed. The last setting is fairly obvious and requires no explanation.

Now if you listed your printers correctly, you will be able to see them when you choose your printer “Share Path”. Simply select your printer here.

You do have the option to alienate end users and “Set this printer as the default printer…”

Now select the “Common” tab – this is where the possibilities start to multiply, specifically under “Item-level targeting”. Item-level targeting is a filtering mechanism available for every Group Policy Preferences setting. Do you want to filter the deployment of this printer by IP address? You can filter by OU, by user, by security group. You can even filter by terminal session, so if you are using a terminal server, you can filter by session or the client’s IP address. We can also create statements, such as “The user is a member of the security group “Human Resources” and the IP address of the workstation is “” which allows this user to see the HR printer in our Richmond office.
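Once several printers carry different actions and targeting rules, it helps to review who actually receives what. The following is an added example, not part of the original post: it parses a constructed Printers.xml fragment in the element and attribute layout GPP is assumed to use for shared printers, and the function name, server, group and address values are made up.

```powershell
# Constructed sample in the layout assumed for a GPP Printers.xml file
# (normally under the GPO's User\Preferences\Printers folder in SYSVOL).
$sample = @'
<Printers>
  <SharedPrinter name="RIC-HR-01">
    <Properties action="U" path="\\print01.example.com\RIC-HR-01" default="0"/>
    <Filters>
      <FilterGroup bool="AND" not="0" name="EXAMPLE\Human Resources"/>
      <FilterIpRange bool="AND" not="0" min="192.0.2.1" max="192.0.2.254"/>
    </Filters>
  </SharedPrinter>
  <SharedPrinter name="RIC-LOBBY-01">
    <Properties action="R" path="\\print01.example.com\RIC-LOBBY-01" default="1"/>
  </SharedPrinter>
</Printers>
'@

# Lists each shared printer with its action, default flag and targeting rules.
function Get-GppPrinterTargeting {
    param([xml]$Xml)
    $actions = @{ C = 'Create'; R = 'Replace'; U = 'Update'; D = 'Delete' }
    foreach ($sp in $Xml.SelectNodes('/Printers/SharedPrinter')) {
        $props = $sp.SelectSingleNode('Properties')
        $filters = foreach ($f in $sp.SelectNodes('Filters/*')) {
            $neg = if ($f.GetAttribute('not') -eq '1') { 'NOT ' } else { '' }
            $detail = switch ($f.LocalName) {
                'FilterGroup'   { "group '$($f.GetAttribute('name'))'" }
                'FilterIpRange' { "IP $($f.GetAttribute('min'))-$($f.GetAttribute('max'))" }
                default         { $f.LocalName }   # other filter types: show the type only
            }
            "$($f.GetAttribute('bool')) $neg$detail"
        }
        [pscustomobject]@{
            Printer    = $sp.GetAttribute('name')
            Action     = $actions[$props.GetAttribute('action')]
            SharePath  = $props.GetAttribute('path')
            SetDefault = ($props.GetAttribute('default') -eq '1')
            Targeting  = if ($filters) { $filters -join ' ' } else { '(none: every user in GPO scope)' }
        }
    }
}

Get-GppPrinterTargeting -Xml $sample | Format-Table -AutoSize -Wrap
```

The second sample printer is the kind of entry worth catching in review: it uses “Replace”, sets itself as the default, and has no targeting, so it lands on every user the GPO applies to.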

As a footnote to the item-level targeting, I typically like to exclude Domain Admins, for example, from having printers deployed to them as they bounce between machines. Typically, I will highlight the GPO, choose the “Delegation” tab in the GPO pane, and choose “Advanced”. This will open a security settings window. Add or select the appropriate security group, and “Deny” the “Apply Group Policy” security setting.

Denying Domain Admins
