Deploying printers via Group Policy lets you manage your printers from a single console and also gives you granular control over which printers to deploy to individual client PCs without needing any additional software.

Prerequisites ^

There are a few prerequisites for this method of deployment to work, but the requirements are ridiculously easy to meet. First off, this method of deployment is for network printers or shared printers.

Any printers installed locally on a client PC and not shared are not an option for deployment via Group Policy Objects (GPOs). Also, your clients need to be running Windows 7 or above, and last but not least, you need an Active Directory (AD) installation that can run Group Policy Preferences (GPPs), introduced with Server 2008. Also for this article, I'll assume you are already comfortable setting up a network printer and creating a printer share and have already done so.

We'll be using GPPs to configure and control the printer deployment options. If you've never used GPPs, you're in for a treat. It's one of the best features Microsoft has given admins for really getting creative with Group Policy deployment criteria.

Computer vs. user deployment ^

Group Policy Preferences options

Group Policy Preferences options

The image above shows that GPPs live inside a GPO. There are separate preferences sections for the Computer Configuration and the User Configuration. Both sections have many of the same options, but there are differences. I highlighted the Printers section in each GPP. So why two sections? How do I know which one to use?

Group Policy can deploy settings to computers or users. The same is true for GPPs. For printing, you can choose to deploy a printer to a computer or by individuals and groups; the difference comes down to how you want to manage your printers.

Deploying a printer via GPPs to a computer will install it for all users that log in to a client computer and only on that computer. Conversely, a deploying a printer via GPPs to a user will only install it into the profile of the user you specify. However, installing printers per user will install them everywhere that user logs in.

You should install a printer reserved for the executives via the User Configuration; manage a printer needed for all users of a computer via the Computer Configuration. Here's the interesting part though—you could deploy the same printer using both methods if you needed to, but it may get a little challenging trying to troubleshoot issues. So I don't recommend you do this.

Printer configuration ^

Getting started deploying printers with GPPs is a very straightforward task. The first thing we need is a Group Policy to work with. I expect you understand how to link a GPO to an organizational unit (OU) and target the GPO correctly. From there, you need to decide if you want to deploy printers to users or computers. Most of the printers in my network are deployed to groups of users rather than to computers regardless of who is logged in. For this scenario, I would use the User Configuration section of the GPO.

Adding a printer to deploy is a wizard-driven process. You'll add one entry for each printer you wish to deploy. Since I want to deploy to users, I open my printer deployment GPO and drill down to the preferences section of the User Configuration. Then I right-click on the Printers option in the left-hand side of the window. There are three choices for deployment: Shared Printer, TCP/IP Printer, and Local Printer. I've set up my printers to use shared names, so I will select the Shared Printer option.

Adding a printer via Group Policy Preferences

Adding a printer via Group Policy Preferences

In the dialog box that opens, you'll configure all the options for the printer. There are two tabs of configuration options. First, we'll work on the General tab, which has three fields to configure.

New shared printer properties

New shared printer properties

There are there pieces of information needed to add a printer to the GPO: printer path, printer update action, and who will receive the printer installation. Let's walk through each one.

  • Printer path: This is the shared path of the printer, and you'll add the info to the Share path entry of the dialog box.
  • Action: This field controls what will happen when the GPO runs on the client PC. There are four options here: Create, Replace, Update, and Delete.
    • Create and Delete do exactly as you would expect. Selecting one of these options tells the GPO to create the printer if it isn't already installed or delete the printer if installed previously.
    • Update causes the GPO to update any printer info since the last time the GPO ran on this machine.
    • Replace will cause the printer to "replace" the installed shared printer every time the GPO runs. Let me explain further.

For printer installs, Create, Update, and Replace are the logical options, but what's the difference between those choices? The Create option will install a printer once and then ignore any updates on subsequent GPO refreshes. Update will install a printer if it is missing (the same as Create) but also update any changed information since the last refresh. Lastly, Replace will delete a printer and reinstall it on every GPO refresh.

When would you use the Replace option? Printer migrations!

I use Update for all of my printers. However, if I change the path of the printer from an old server to a new server, Update creates a second printer with the same name but a different path. Replace fixes this by effectively deleting the print queue and reinstalling each time the GPO runs.

This is not a great option for everyday work, but for migrations, Replace is the best option for deleting old printer queues and replacing them with the newer versions. There is an option to set a printer as a default printer, but I usually do not set that value. Instead, I let the end users decide which printer they want to be their default.

Item-level targeting ^

Once you have configured the printer path and the Action, you need to configure who will receive this printer. Item-level targeting describes the selection criteria, and you can fing it on the Common tab.

Common tab and item level targeting options

Common tab and item level targeting options

The common tab has some often-overlooked options I want to bring to your attention. I mentioned item-level targeting, which has its own checkbox and button. We'll need to check the box to enable the option to select who gets the printer. But before we explore this option, I want to point out the checkbox for Run in logged-on user's security context (user policy option). This checkbox is critical for deployment.

GPPs run under the local system account. This box tells the GPO to install the printer as the logged-on user rather than as the system. If you do not check this box, the printer install will fail because the local system account doesn't have privileges to the shared location of the printer path.

This checkbox has burned me many times, so I want to make sure you always remember to think about this option when deploying printers, mapped drives, or shortcuts that point to network locations.

Finally, let's review how you can "target" the printer for a subset of users. I'll start off by saying that last sentence is actually not 100% correct. If you refer to the picture below, you'll notice two choices: Security Group and User. These will probably be how most admins deploy their printers, but they're certainly not the only choices you have.

There are many different options for selection criteria, such as by OU or IP address range. You can get very creative with how you deploy your printers. I'll walk you through deploying to a group of users.

Item level targeting options

Item level targeting options

Selecting the Security Group option  presents me with a second dialog box that lets me enter a group name. This is standard AD lookup stuff and probably looks familiar.

Deploying a printer to a security group

Deploying a printer to a security group

Once you have selected a valid security group, click OK twice, and the dialog box disappears. At this point, you have configured the printer for the deployment. I will mention that there are other options in the Targeting Editor window for making really complex selections, but I'll leave that for you to explore on your own.

Security group selection

Security group selection

You can configure hundreds of printers to deploy from one single GPO if you prefer. This is all because of the granular control you can apply to each printer via GPPs. When you configure a few more printers, your GPP panel will look like the image below.

List of deployed printers

List of deployed printers

Conclusion ^

I have walked you through the most important options you need to configure to deploy a printer successfully to a group using GPPs. These options are super powerful, and I encourage you to explore the options to see how they can help you configure client PCs and servers in ways you may have never considered. If you have any follow-up questions about how to deploy printers, please leave a comment below. Thanks for reading, and I hope this becomes a useful guide you can refer back to any time you need a refresher on printer deployment options.

39 Comments
  1. Melvin Backus 3 years ago

    Good walk through. I’ve been using this for a while. I occasionally run into issues with drivers not being installed however. Any tips on how to deal with that?

    • Author
      Mike Kanakos 3 years ago

      Hi Melvin,

      Drivers always seem to be a vendor issue for me. Unfortunately, the best solution I know of has been to find a better driver from the vendor, if possible.

      Also, keep in mind you need to install printers via GPO under the user context; that can definitely make drivers fail. Lastly, I didn’t mention in this article, but you could also make sure you have “point and print restrictions” disabled via GPO. PnP restrictions need to be relaxed when you have drivers to install and the vendor hasnt updated their installer to follow modern guidelines. You can read about how to do that here: https://theitbros.com/allow-non-admins-install-printer-drivers-via-gpo/ .

      Also, one of the writers on this site, Joseph Moody has a website and he has written many great articles on printer deployments. You should check his site out as well at:
      https://deployhappiness.com/

       

  2. James Gullish 3 years ago

    Great article. For issues where Package-aware print drivers are needed for group policy to deploy the printer when driver is not already on the systems. Brother drivers for example were not meeting that requirement.

    Checking Printers for PackageAware value which will require being an odd number higher by 1 if its currently an even number for a printer.

    Powershell ->

    get-childitem “HKLM:\system\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers” -recurse | get-itemproperty -Name PrinterDriverAttributes | ft PSChildName,PrinterDriverAttributes

    If you find an even number for PrinterDriverAttributes, navigate

    regedit->HKLM:\system\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\That Driver Name

    Then manually increase the PrinterDriverAttributes of affected printer by one. Ex. 4 becomes 5.

    Then on PC, reboot and resign on as limited user for GP to obtain printer driver and install.

    I cant remember offhand if the print server sharing the printer object needed reboot too.

    Another thing is if Group Policy is mapping a local TCPIP printer on a device, make sure server share gives everyone group print access else obscure application warning 4098 for Group Policy Printers – Group Policy Object did not apply because it failed with error code ‘0x800700005 Access is denied.’

    • Author
      Mike Kanakos 3 years ago

      Thanks for sharing that great info, James!

      When reading your comments, I do vaguely remember the bits you mentioned about incrementing up by one. I haven’t had to personally to do that in a while so that was a reminder to migrations past. Printer drivers and the deployment can definitely be a pain. You definitely are giving some useful technical information for those problematic situations!

      For people reading this who MAY still have the chance to influence a purchase, this is why you do bake-offs and scorecards. You want to buy products from vendors who make quality products with great support, especially with printers that you may have to support for many years. The best way to do that is to test BEFORE purchase. Test for yourself with a demo product, don’t take the sales rep’s word!  You won’t be on support calls with the sales rep once the equipment is purchased!

      Printer features are important, but also look at how often vendors release updates (like new drivers and firmware) as well as how well doe the drivers work in automation scenarios like the one outlined in this article.

  3. Nick Casagrande 3 years ago

    great article, thank you!  which option should be used for new users for the time first so it remembers which one they chose as the default the next time they login?  

    • Author
      Mike Kanakos 3 years ago

      Hi Nick,

      Thank you for the kinds words! Glad my article is helpful. 

      You can and should use "Update". Whatever the end-user selects as their default printer will remain after a group policy update. 

  4. Nick Casagrande 3 years ago

    So let me get this straight.  i setup the gpp with a shared printer (update), user logs in and gets 5 printers from the policy, changes his default to p3, logs off, logs back in, the default will then be set to p3 on the next logon?

    ps – thank you for the help.

  5. Paul 3 years ago

    Thanks for a great article. Probably one of the best I have seen for a long time – and I have been in IT support for over 30 years!

    We find that on a few occasions that Group Policy doen't always apply when a user logs in, so have to run gppdate to force it.

    So as a backup and to tidy up freshly imaged PCs, we also use a user GP login script to delete any old printers and drivers – especially Microsoft, such as OneNote, ImageWriter and Adobe PDF writer etc. We image our student PCs about twice a year so continully have to get rid of unwanted local printers once they have re-imaged

    Example below

    Rem Removes unwanted local print devices from Windows, such as MS OneNote and XPS devices
    %WINDIR%\system32\cscript %WINDIR%\System32\Printing_Admin_Scripts\en-US\prnmngr.vbs -xo

    Rem Remove unwanted server queues from Windows
    %WINDIR%\system32\cscript %WINDIR%\System32\Printing_Admin_Scripts\en-US\prnmngr.vbs -x

    Rem Removes printer drivers from devices not in use
    %WINDIR%\system32\cscript.exe //NoLogo "%WINDIR%\System32\Printing_Admin_Scripts\en-US\prndrvr.vbs" -x

    Rem Adds Network Print Queue
    %WINDIR%\system32\cscript.exe %WINDIR%\system32\Printing_Admin_Scripts\en-US\prnmngr.vbs -ac -p \\printservername\queuename

    Rem Sets default printer
    %WINDIR%\system32\cscript.exe %WINDIR%\system32\Printing_Admin_Scripts\en-US\prnmngr.vbs -t -p \\printservername\queuename

  6. Peter Line 3 years ago

    Great article Mike.  What I am currently battling with is that we have a bunch of printers that deploy via GPOs to multiple Terminal Servers but what we often find happening is that the default printer does not get set (ie no green tick appearing) and this has a flown on effect into the application level where some apps just don't pick up a default printer as a result (often can be blank) and also we see multiple instances of the same printer showing up when you right click on the printer.  Have you ever seen this symptoms before and know how to remedy?  Thanks

    avatar
    • Author
      Mike Kanakos 3 years ago

      setting the default printer is a challenge, which I have never had a ton of success with. 

      I usually do not set a default via GPO and let the user set their preference. On term servers though, that can be frustrating. Maybe a seperate script or reg key import to set default that is not part of the printer deploy GPO? 

  7. Rahul 3 years ago

    Hello Mike,
    Great article. However, I'm trying to deploy the printers to computer configuration since our users are always changing. The deployment is not working. I've the correct drivers and I can manually add the printer to any workstation with the shared name.

    I have disabled PnP, I've added domain computers to the delegation tab on the gpo and authenticated users are also present on the delegation. I've linked the GPO directly to the domain and then targeting the printers to different OUs. I even enforced the GPO just incase there was another GPO that was blocking it.

    Any pointers?

    • Author
      Mike Kanakos 3 years ago

      hard to say in your case… but maybe post an error that I (or the community) can comment on?

  8. Zubair 3 years ago

    How to test this policy on client ?
    actually i in working on it from last 5 hours but didn't got it work.i cannot see printer on client machine after gpupdate or restart.

    • Author
      Mike Kanakos 3 years ago

      How to test this policy on client ?
      actually i in working on it from last 5 hours but didn't got it work.i cannot see printer on client machine after gpupdate or restart.

      Hi Zubair… Sorry to hear your having issues… welcome to GPO's, they're so easy, intil they're not.. crying

       

      i cannot tell you what is wrong the information you provided. Here's some tips you can use to help figure out your issue…

      1. Run the Group Policy Results wizard. Does it show the GPO being applied to the computer? 
      2. Check the event logs (system and GPO event logs)
      3. How did you apply your GP settings? Are you trying to apply user settings to computers? How 'bout computer settings to users? 
      4. Are you doing any special security filtering? 
      5. Any blocking of inheritance ?

      That's the best I can without more info from you. Good luck!

       

  9. Ulman 2 years ago

    Hello Mike, thanks for the explanations. I am trying to set something up that is rather unusual. We have a new customer and they didn't have a terminal server before, but want one. So I set up the terminal server, set up the OUs for User, Computers, Servers and one for the Terminal Server.

     

    I created the GPO, distributing the printers through the users preferences, because we will probably need to restrict some of them. I want the GPO to apply only to the Terminal Server and not to the customer personal laptops/pcs. When I link the GPO to the Terminal Server OU, then nothing happens. If I were to link the GPO to the User OU, then it would mess with their printers as they probably have installed those printers manually so far, making those printers appear twice.

     

    I know that it probably be best to delete all the manually added printers first and then just make link the GPO to the User OU, but I was wondering if I could get around it, as it would be hard to get everyone to comply. This is just a testphase atm, so I doubt that I'd get the manager and other higher-ups to comply with getting their printers deleted and readded.

  10. Marco Koch 2 years ago

    Hi Mike

    Thank you for this great article, really one of the best in this topic! 

    Maybe you can help me with my question. I have deployed the printers from the print server, in this case they are under GPO User Configuration\Policies\Windows Settings\Deployed Printers 
    What is the difference between you method any mine? 

    I'm experience issues with the reliability. Some users don't get the desired printers.

    Thank you for your help.

    Best Regards

    • Vandrey Trindade 2 years ago

      "Group Policy Preferences and Setting the Default Printer

      On a final note, you may encounter some guides that recommend the use of Group Policy Preferences for printer deployment instead, and in some scenarios that method does have advantages. However it is more complicated to manage and does not integrate with the Print Management console, hence why I prefer the standard Group Policy. There is one particular situation where they can be particularly useful though, which is when you need to set users’ default printer, but that is something to be covered in a separate article."

      Text extracted from: https://www.petri.com/deploying-printers-using-group-policy-windows-2008

  11. Leos Marek 2 years ago

    Hi Mike,

    reading this on phone so maybe I missed something, but how about drivers? 
    I have issues with this printer deployment due to missing driver in clean Win 10 installation.

    how to deal with that automatically?

    thks

  12. Jason 2 years ago

    Hi Mike,

    Thanks for your share. I update GPO and restart PC, but I can not find the shared printer.

    And the GPO is word in the computer. Do you know why?

    • Leos Marek 2 years ago

      You can check your Group Policy Operational log via Event Viewer for GPO errors. If the GPO is correctly applied to the computer, the first guess would be a missing driver.

  13. Jason 2 years ago

    Hello Mike,

    I need install the driver of the printer in computer firstly, then even I delete the printer , after restart computer the printer will appeared. 

  14. TIZIANO 1 year ago

    Sorry if the Ad domain it is off-line, network printer work?

    I mean to printer tcp ip deployed  by gpp.

  15. Author
    Mike Kanakos 1 year ago

    Hi Tiziao,

    Group Policy handles getting the printer to appear on your machine. Once that occurs, GPO is not involved in printing anymore except for refreshing the printer on your machine.

    Printing works directly between client (computer) and print queue or client (computer) and Printer (direct IP printing) depending on your config. 

  16. TIZIANO 1 year ago

    on my Ad I used the printer deployment application, maybe this is the reason why if the domain server is offline the printers don't work?

    • Author
      Mike Kanakos 1 year ago

      I don't think I quite understand your setup, so more info is needed but ultimately your issue may be past the scope of this forum. 

      • If you have your printers setup to use print queues from network servers, then the printers are not available to print if the print queues are not online. 
      • If you are saying that your DC is down, well…. that's a bigger problem.

      Otherwise, the conversation between client and printer should not be reliant on the GPO settings after the printer is configured via GPO. 
       

      • TIZIANO 1 year ago

        Hi Mike please can you explane me how i can deploy to my domain user with all rights to allow all users to change printer settings?

         

        please help me…

      • TIZIANO 1 year ago

        Hello , How can I give all users rights to allow all users to change printer settings?

  17. Olivier 1 year ago

    Hi @Tiziano,

    It's obvious, just look in the GUI the printer  property (Security Tab)

    My Advice : DON'T DO THIS unless you’re desperately looking for having additional problems

    You can set a partial delegation, setting Manage documents, to a specific group, never all users,  but never, no never, set a full delegation, using Manage Printers, and more to all users.

    If you can't understand why not to do this … IT is a not a job for you, something missing probably located between the 2 ears.

    Sorry, for my poor english, it's not my mother tongue.

  18. TIZIANO 1 year ago

    on GPP I have already on security tab all permission to everyone and domain users, but al users they don't have the same thing, I can't understand why!

     

  19. Olivier 1 year ago

    https://4sysops.com/archives/understanding-group-policy-order/

    GPP = Local.

    I repeat my advice, but feel free to do what you want even it seems that you haven't evaluate.uderstand the risks.

    Take your own responsability to apply "Full Delegation" to all users.

     

  20. Jason 11 months ago

    What should be done with existing printers?  Such as currently all printers are installed locally and individually.  Will the update just update the existing printers on the user pc?

     

    Great article and thank you.

  21. Matt Reddick 9 months ago

    The drivers install manually fine. I made a gpo (using gpp\user config) and it is applying but not installing the drivers. The PrintSerice\Admin event is this:
    869, adding printer driver canon generic failed error code 0xBCB … driver has no valid catalog.

    The driver is Packaged. The guid is added to the gpo. I enabled loopback (necessary? this gpp uses both Computer and User)
    What else could I check?

  22. Grumpyitis 7 months ago

    Great article, and I would imagine more relevant than ever with the recent change to Point and Print thanks to Print Nightmare.

    My own company has been using traditional print servers\queues and mapping via script, which obviously is no longer working well, if at all, and we’re investigating transitioning to a GPO model.

    We have roughly 300 locations, and personnel travel between locations to work, so user based printing policy really wouldn’t work well. Our AD structure does not currently have every location in it’s own OU since all the locations require the same access or restrictions, or have until this point. Is there any way to be able to include some sort of logic to say “If the PC is here (each location is identified in the PC name/id) then install these printers”?

    • Chris 7 months ago

      > Is there any way to be able to include some sort of logic to say “If the PC is here (each location is identified in the PC name/id)

      Add your printer under: User Config > Preferences > Control Panel Settings > Printers

      In the printer’s Properties, pick Common tab > Item-level targeting.
      In the Targeting Editor dialog, pick New item > Computer name.
      In Computer name field, enter Location*

      Example:
      If the computername is Hawaii-PC1, enter Hawaii-*

    • NVIT 7 months ago

      > Is there any way to be able to include some sort of logic to say “If the PC is here (each location is identified in the PC name/id) then install these printers”?

      In the group policy preference printer item, Common > Item-Level Target > New item >Computer name

      For Computer name value, enter Location*

      For example, if a typical computer name is Hawaii-PC1, enter Hawaii-*

  23. Sundar G 2 months ago

    Oh great! I have been looking for this for a long time and finally I got it through you blog. I was using many GPOs to deploy printers. You saved me. Thanks a lot

Leave a reply

Your email address will not be published.

*

© 4sysops 2006 - 2022

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account