Tuesday, November 19, 2013

Windows Server 2012 - Print Management: Part 2 - publishing and deploying printers via Group Policy

There are several options for providing the end-user with access to shared network printers.
 
But first, there is one assumption and one condition I am making for the following exercises:
 
  1. The user accesses the printer via the print server we configured in the previous post. Printing directly to the network printer is an option but does not allow for centralized management. So in this scenario, we are assuming access via the print server.
  2. The printer must be installed on the print server - and shared.
 

I would also like to specify the computers used for this exercise:

- 1 Windows 2012 domain controller
- 1 Windows 2012 member server (and print server)
- 1 Windows 7 SP1 client machine.



Manual discovery and installation of the printer by the user

Although this is not the optimal method, except perhaps in small environments, users could add the printer to their computers themselves, given some guidance and good directions.

Note: as we shall see, the installation of print drivers by standard users complicates this option.
 
The user goes to "Start" and then "Devices and Printers" just as they would at home for adding a printer connected via USB cable. They select the option "Add a printer" and would proceed as instructed below.
 
 
1. Select "Add a network, wireless or Bluetooth printer".




2. Consider the following screen... No printer was found. So the user must know where to find the printer. This is probably already creating frustration for the person who "just wants to print" but let's have them click on "The printer that I want isn't listed".



3. In the "worst case scenario", the printer is not even published in Active Directory. The user will have to enter the printer location manually. They should select the option indicated below and enter the name of the print server (preceded by two backslashes) and then, after another backslash, the name of the printer. For example:



The user could also browse for the print server and then the printer itself.
 
Note: there is a browse button to the right of "Select a shared printer by name".
 
So the user, in theory, could select SVR-004 (our print server for this exercise)...


And then "Main Office Printer":




This option is not likely to be popular among users. They must know the name of the print server and then the printer.

What can we do to facilitate matters?



Publish the printer to Active Directory

First, we can publish the printer in Active Directory so it appears among the search results. On the print server, we have to right-click on the printer and select the "List in Directory" option.





On the client side, the user selects the "Find a printer in the directory... " option:



And after publication, the user sees this:




Better yet, the printer appears as shown below when the user opens the "Add a printer" tool:








This does facilitate matters, but there is one more obstacle (one that would exist even if the printer were not published in Active Directory):

The standard user (by default) cannot install print drivers:







This obstacle can be overcome (supposedly) by modifying security settings with a Group Policy Object.

I'll assume the reader possesses basic knowledge of Group Policy and concentrate on this particular problem.

In theory, we have to configure 3 parameters in our GPO:



Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options

Devices: Prevent users from installing printer drivers - Disabled


Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options

User Account Control: Detect application installations and prompt for elevation - Disabled


Computer Configuration\Policies\Administrative Templates\System\Driver Installation

Allow non-administrators to install drivers for these device setup classes - Enabled


Device class for printers is: {4d36e979-e325-11ce-bfc1-08002be10318}


Source:

http://msdn.microsoft.com/en-us/library/ff553426(v=vs.85).aspx



In reality, this does not work. The standard user is still prompted for an administrator password to install the print driver.


This has no effect (alone or in conjunction with the other settings above):





In this screenshot, RSOP shows that the setting is applied but there is still a prompt for driver installation:



Note: this is the "User Account Control: Detect application installations and prompt for elevation - Disabled" setting.


I tried adding a second GUID, thinking maybe that would better cover the printer classes:

{4658ee7e-f050-11d1-b6bd-00c04fa372a7}


However, when all is said and done, this simply does not work as claimed.

Others have come to the same conclusion, as in this TechNet forum discussion:

Configure GPO to allow user install printer driver without administrative right

 
I was able to use the "Point and Print Restrictions" setting, successfully in appearance. There was no prompt and the drivers installed without a problem. However, this function assumes there is a compatible print driver on the client itself that can be used. As the description of the GPO states: "If a compatible print driver is not available on the client, no connection will be made."
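RSOP reports which policy settings were applied; the values those settings write on the client can also be read directly. The following PowerShell is an added example, not part of the original post: it reads the registry values behind the three settings above and the "Point and Print Restrictions" policy, and lists the device setup class GUIDs allowed for non-administrators. The registry locations are assumptions based on where these policies are commonly documented to write, so confirm them against your own policy templates.

```powershell
# Added example (read-only): show what the GPO settings from this post wrote
# on the local client. Registry locations are assumptions to verify against
# your own templates. Compatible with PowerShell 2.0 (Windows 7 SP1).

function Get-RegValue($Path, $Name) {
    # Returns the value data, or $null if the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$printerClass = '{4d36e979-e325-11ce-bfc1-08002be10318}'  # GUID quoted in the post
$lanman  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'
$uac     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$drvInst = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DriverInstall\Restrictions'
$pnp     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

$checks = @(
    @('Devices: Prevent users from installing printer drivers', $lanman,  'AddPrinterDrivers'),
    @('UAC: Detect application installations',                  $uac,     'EnableInstallerDetection'),
    @('Allow non-administrators to install drivers (on/off)',   $drvInst, 'AllowUserDeviceClasses'),
    @('Point and Print Restrictions: Restricted',               $pnp,     'Restricted'),
    @('Point and Print Restrictions: TrustedServers',           $pnp,     'TrustedServers'),
    @('Point and Print Restrictions: ServerList',               $pnp,     'ServerList'),
    @('Point and Print Restrictions: NoWarningNoElevationOnInstall', $pnp, 'NoWarningNoElevationOnInstall')
)

$report = foreach ($c in $checks) {
    $value = Get-RegValue $c[1] $c[2]
    if ($value -eq $null) { $value = '(not set)' }
    New-Object PSObject -Property @{ Setting = $c[0]; Value = $value }
}
$report | Select-Object Setting, Value | Format-Table -AutoSize -Wrap

# The setup-class GUIDs are stored as values under a subkey of the same name.
$allowed = @()
$listKey = Get-Item -Path "$drvInst\AllowUserDeviceClasses" -ErrorAction SilentlyContinue
if ($listKey) {
    $allowed = @($listKey.GetValueNames() | ForEach-Object { $listKey.GetValue($_) })
}
'Device setup classes allowed for non-administrators:'
if ($allowed.Count) { $allowed } else { '  (none)' }
if ($allowed -contains $printerClass) {
    'Printer class GUID is present in the list.'
} else {
    'Printer class GUID is NOT in the list.'
}
```

Running it before and after `gpupdate /force` and a reboot shows whether a setting reached the client at all, which separates a GPO scoping problem from a setting that is applied but has no effect.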

So let's take a look at the option of deploying (rather than publishing) printers with Group Policy.




***




Deploy printers with Group Policy

This option, available since Windows 2008, is preferable since it installs printers on a per-computer or per-user basis without any user intervention.

We proceed as follows...
 
In the Print Management console, among the shared printers (Print Servers | SVR-004 | Printers), we right-click on the one we intend to deploy and select "Deploy with Group Policy" in the resulting drop-down menu.




In the section "Group Policy Object", we select (or browse for) the GPO that will be used to deploy the printer:




Note: it is necessary to create a GPO for this purpose (but not necessary to configure it otherwise).

In this case, we will use the GPO named "PRINT":



Once again, we can deploy the printer on a per user or per computer (or machine) basis. In this example, I'll select the per machine option:


We click on "Add":



If all goes well, we should see this message:





In my test, the printer was added to the computer (after reboot and application of Group Policy) with no problem and no user intervention required.


So, of all the methods examined above, deploying printers via Group Policy seems to be the most efficient.



3 comments:

  1. Thanks for sharing this information. I found it very informative as I have been researching a lot lately on practical matters such as you talk about.. print management services

  2. Hi Peter
    I have tried to deploy printers and publish them but they don't show up on a client's computer automatically and I have to manually map them (like you mentioned in Manual Discovery and installation of printer) for each user. Any ideas on what it could be? My print server is 2012 and all clients are win 7 pro 64-bit. Any help would be appreciated.

  3. Thanks for taking the time to discuss this, I feel strongly about it and love learning more on this topic. If possible, as you gain expertise, would you mind updating your blog with more information? It is extremely helpful for me. print management services
