Latest posts by Mike Kanakos (see all)
- Goverlan: An on-premises remote support software for IT Management - Tue, Jul 2 2019
- Restore Group Policy with PowerShell - Mon, Jun 24 2019
- SolarWinds Permissions Analyzer: View assigned permissions at a glance - Mon, Apr 15 2019
There are a few prerequisites for this method of deployment to work, but the requirements are ridiculously easy to meet. First off, this method of deployment is for network printers or shared printers.
Any printers installed locally on a client PC and not shared are not an option for deployment via Group Policy Objects (GPOs). Also, your clients need to be running Windows 7 or above, and last but not least, you need an Active Directory (AD) installation that can run Group Policy Preferences (GPPs), introduced with Server 2008. Also for this article, I'll assume you are already comfortable setting up a network printer and creating a printer share and have already done so.
We'll be using GPPs to configure and control the printer deployment options. If you've never used GPPs, you're in for a treat. It's one of the best features Microsoft has given admins for really getting creative with Group Policy deployment criteria.
Computer vs. user deployment ^
The image above shows that GPPs live inside a GPO. There are separate preferences sections for the Computer Configuration and the User Configuration. Both sections have many of the same options, but there are differences. I highlighted the Printers section in each GPP. So why two sections? How do I know which one to use?
Group Policy can deploy settings to computers or users. The same is true for GPPs. For printing, you can choose to deploy a printer to a computer or by individuals and groups; the difference comes down to how you want to manage your printers.
Deploying a printer via GPPs to a computer will install it for all users that log in to a client computer and only on that computer. Conversely, a deploying a printer via GPPs to a user will only install it into the profile of the user you specify. However, installing printers per user will install them everywhere that user logs in.
You should install a printer reserved for the executives via the User Configuration; manage a printer needed for all users of a computer via the Computer Configuration. Here's the interesting part though—you could deploy the same printer using both methods if you needed to, but it may get a little challenging trying to troubleshoot issues. So I don't recommend you do this.
Printer configuration ^
Getting started deploying printers with GPPs is a very straightforward task. The first thing we need is a Group Policy to work with. I expect you understand how to link a GPO to an organizational unit (OU) and target the GPO correctly. From there, you need to decide if you want to deploy printers to users or computers. Most of the printers in my network are deployed to groups of users rather than to computers regardless of who is logged in. For this scenario, I would use the User Configuration section of the GPO.
Adding a printer to deploy is a wizard-driven process. You'll add one entry for each printer you wish to deploy. Since I want to deploy to users, I open my printer deployment GPO and drill down to the preferences section of the User Configuration. Then I right-click on the Printers option in the left-hand side of the window. There are three choices for deployment: Shared Printer, TCP/IP Printer, and Local Printer. I've set up my printers to use shared names, so I will select the Shared Printer option.
In the dialog box that opens, you'll configure all the options for the printer. There are two tabs of configuration options. First, we'll work on the General tab, which has three fields to configure.
There are there pieces of information needed to add a printer to the GPO: printer path, printer update action, and who will receive the printer installation. Let's walk through each one.
- Printer path: This is the shared path of the printer, and you'll add the info to the Share path entry of the dialog box.
- Action: This field controls what will happen when the GPO runs on the client PC. There are four options here: Create, Replace, Update, and Delete.
- Create and Delete do exactly as you would expect. Selecting one of these options tells the GPO to create the printer if it isn't already installed or delete the printer if installed previously.
- Update causes the GPO to update any printer info since the last time the GPO ran on this machine.
- Replace will cause the printer to "replace" the installed shared printer every time the GPO runs. Let me explain further.
For printer installs, Create, Update, and Replace are the logical options, but what's the difference between those choices? The Create option will install a printer once and then ignore any updates on subsequent GPO refreshes. Update will install a printer if it is missing (the same as Create) but also update any changed information since the last refresh. Lastly, Replace will delete a printer and reinstall it on every GPO refresh.
When would you use the Replace option? Printer migrations!
I use Update for all of my printers. However, if I change the path of the printer from an old server to a new server, Update creates a second printer with the same name but a different path. Replace fixes this by effectively deleting the print queue and reinstalling each time the GPO runs.
This is not a great option for everyday work, but for migrations, Replace is the best option for deleting old printer queues and replacing them with the newer versions. There is an option to set a printer as a default printer, but I usually do not set that value. Instead, I let the end users decide which printer they want to be their default.
Item-level targeting ^
Once you have configured the printer path and the Action, you need to configure who will receive this printer. Item-level targeting describes the selection criteria, and you can fing it on the Common tab.
The common tab has some often-overlooked options I want to bring to your attention. I mentioned item-level targeting, which has its own checkbox and button. We'll need to check the box to enable the option to select who gets the printer. But before we explore this option, I want to point out the checkbox for Run in logged-on user's security context (user policy option). This checkbox is critical for deployment.
GPPs run under the local system account. This box tells the GPO to install the printer as the logged-on user rather than as the system. If you do not check this box, the printer install will fail because the local system account doesn't have privileges to the shared location of the printer path.
This checkbox has burned me many times, so I want to make sure you always remember to think about this option when deploying printers, mapped drives, or shortcuts that point to network locations.
Finally, let's review how you can "target" the printer for a subset of users. I'll start off by saying that last sentence is actually not 100% correct. If you refer to the picture below, you'll notice two choices: Security Group and User. These will probably be how most admins deploy their printers, but they're certainly not the only choices you have.
There are many different options for selection criteria, such as by OU or IP address range. You can get very creative with how you deploy your printers. I'll walk you through deploying to a group of users.
Selecting the Security Group option presents me with a second dialog box that lets me enter a group name. This is standard AD lookup stuff and probably looks familiar.
Once you have selected a valid security group, click OK twice, and the dialog box disappears. At this point, you have configured the printer for the deployment. I will mention that there are other options in the Targeting Editor window for making really complex selections, but I'll leave that for you to explore on your own.
You can configure hundreds of printers to deploy from one single GPO if you prefer. This is all because of the granular control you can apply to each printer via GPPs. When you configure a few more printers, your GPP panel will look like the image below.
I have walked you through the most important options you need to configure to deploy a printer successfully to a group using GPPs. These options are super powerful, and I encourage you to explore the options to see how they can help you configure client PCs and servers in ways you may have never considered. If you have any follow-up questions about how to deploy printers, please leave a comment below. Thanks for reading, and I hope this becomes a useful guide you can refer back to any time you need a refresher on printer deployment options.