Deploying printers via Group Policy lets you manage your printers from a single console and also gives you granular control over which printers to deploy to individual client PCs without needing any additional software.

Mike Kanakos

Mike is a Windows IT pro located in the Research Triangle Park area of North Carolina with 13+ years of experience as an admin and 20 years in the field. He specializes in Active Directory, Azure AD, Group Policy, and automation via PowerShell. You can follow Mike's blog at networkadm.in or on Twitter at @MikeKanakos.

Prerequisites ^

There are a few prerequisites for this method of deployment to work, but the requirements are ridiculously easy to meet. First off, this method of deployment is for network printers or shared printers.

Any printers installed locally on a client PC and not shared are not an option for deployment via Group Policy Objects (GPOs). Also, your clients need to be running Windows 7 or above, and last but not least, you need an Active Directory (AD) installation that can run Group Policy Preferences (GPPs), introduced with Server 2008. Also for this article, I'll assume you are already comfortable setting up a network printer and creating a printer share and have already done so.

We'll be using GPPs to configure and control the printer deployment options. If you've never used GPPs, you're in for a treat. It's one of the best features Microsoft has given admins for really getting creative with Group Policy deployment criteria.

Computer vs. user deployment ^

Group Policy Preferences options

Group Policy Preferences options

The image above shows that GPPs live inside a GPO. There are separate preferences sections for the Computer Configuration and the User Configuration. Both sections have many of the same options, but there are differences. I highlighted the Printers section in each GPP. So why two sections? How do I know which one to use?

Group Policy can deploy settings to computers or users. The same is true for GPPs. For printing, you can choose to deploy a printer to a computer or by individuals and groups; the difference comes down to how you want to manage your printers.

Deploying a printer via GPPs to a computer will install it for all users that log in to a client computer and only on that computer. Conversely, a deploying a printer via GPPs to a user will only install it into the profile of the user you specify. However, installing printers per user will install them everywhere that user logs in.

You should install a printer reserved for the executives via the User Configuration; manage a printer needed for all users of a computer via the Computer Configuration. Here's the interesting part though—you could deploy the same printer using both methods if you needed to, but it may get a little challenging trying to troubleshoot issues. So I don't recommend you do this.

Printer configuration ^

Getting started deploying printers with GPPs is a very straightforward task. The first thing we need is a Group Policy to work with. I expect you understand how to link a GPO to an organizational unit (OU) and target the GPO correctly. From there, you need to decide if you want to deploy printers to users or computers. Most of the printers in my network are deployed to groups of users rather than to computers regardless of who is logged in. For this scenario, I would use the User Configuration section of the GPO.

Adding a printer to deploy is a wizard-driven process. You'll add one entry for each printer you wish to deploy. Since I want to deploy to users, I open my printer deployment GPO and drill down to the preferences section of the User Configuration. Then I right-click on the Printers option in the left-hand side of the window. There are three choices for deployment: Shared Printer, TCP/IP Printer, and Local Printer. I've set up my printers to use shared names, so I will select the Shared Printer option.

Adding a printer via Group Policy Preferences

Adding a printer via Group Policy Preferences

In the dialog box that opens, you'll configure all the options for the printer. There are two tabs of configuration options. First, we'll work on the General tab, which has three fields to configure.

New shared printer properties

New shared printer properties

There are there pieces of information needed to add a printer to the GPO: printer path, printer update action, and who will receive the printer installation. Let's walk through each one.

  • Printer path: This is the shared path of the printer, and you'll add the info to the Share path entry of the dialog box.
  • Action: This field controls what will happen when the GPO runs on the client PC. There are four options here: Create, Replace, Update, and Delete.
    • Create and Delete do exactly as you would expect. Selecting one of these options tells the GPO to create the printer if it isn't already installed or delete the printer if installed previously.
    • Update causes the GPO to update any printer info since the last time the GPO ran on this machine.
    • Replace will cause the printer to "replace" the installed shared printer every time the GPO runs. Let me explain further.

For printer installs, Create, Update, and Replace are the logical options, but what's the difference between those choices? The Create option will install a printer once and then ignore any updates on subsequent GPO refreshes. Update will install a printer if it is missing (the same as Create) but also update any changed information since the last refresh. Lastly, Replace will delete a printer and reinstall it on every GPO refresh.

When would you use the Replace option? Printer migrations!

I use Update for all of my printers. However, if I change the path of the printer from an old server to a new server, Update creates a second printer with the same name but a different path. Replace fixes this by effectively deleting the print queue and reinstalling each time the GPO runs.

This is not a great option for everyday work, but for migrations, Replace is the best option for deleting old printer queues and replacing them with the newer versions. There is an option to set a printer as a default printer, but I usually do not set that value. Instead, I let the end users decide which printer they want to be their default.

Item-level targeting ^

Once you have configured the printer path and the Action, you need to configure who will receive this printer. Item-level targeting describes the selection criteria, and you can fing it on the Common tab.

Common tab and item level targeting options

Common tab and item level targeting options

The common tab has some often-overlooked options I want to bring to your attention. I mentioned item-level targeting, which has its own checkbox and button. We'll need to check the box to enable the option to select who gets the printer. But before we explore this option, I want to point out the checkbox for Run in logged-on user's security context (user policy option). This checkbox is critical for deployment.

GPPs run under the local system account. This box tells the GPO to install the printer as the logged-on user rather than as the system. If you do not check this box, the printer install will fail because the local system account doesn't have privileges to the shared location of the printer path.

This checkbox has burned me many times, so I want to make sure you always remember to think about this option when deploying printers, mapped drives, or shortcuts that point to network locations.

Finally, let's review how you can "target" the printer for a subset of users. I'll start off by saying that last sentence is actually not 100% correct. If you refer to the picture below, you'll notice two choices: Security Group and User. These will probably be how most admins deploy their printers, but they're certainly not the only choices you have.

There are many different options for selection criteria, such as by OU or IP address range. You can get very creative with how you deploy your printers. I'll walk you through deploying to a group of users.

Item level targeting options

Item level targeting options

Selecting the Security Group option  presents me with a second dialog box that lets me enter a group name. This is standard AD lookup stuff and probably looks familiar.

Deploying a printer to a security group

Deploying a printer to a security group

Once you have selected a valid security group, click OK twice, and the dialog box disappears. At this point, you have configured the printer for the deployment. I will mention that there are other options in the Targeting Editor window for making really complex selections, but I'll leave that for you to explore on your own.

Security group selection

Security group selection

You can configure hundreds of printers to deploy from one single GPO if you prefer. This is all because of the granular control you can apply to each printer via GPPs. When you configure a few more printers, your GPP panel will look like the image below.

List of deployed printers

List of deployed printers

Conclusion ^

I have walked you through the most important options you need to configure to deploy a printer successfully to a group using GPPs. These options are super powerful, and I encourage you to explore the options to see how they can help you configure client PCs and servers in ways you may have never considered. If you have any follow-up questions about how to deploy printers, please leave a comment below. Thanks for reading, and I hope this becomes a useful guide you can refer back to any time you need a refresher on printer deployment options.

Are you an IT pro? Apply for membership!

2+
Share
7 Comments
  1. Melvin Backus 8 months ago

    Good walk through. I've been using this for a while. I occasionally run into issues with drivers not being installed however. Any tips on how to deal with that?

    0

    • Author
      Mike Kanakos 8 months ago

      Hi Melvin,

      Drivers always seem to be a vendor issue for me. Unfortunately, the best solution I know of has been to find a better driver from the vendor, if possible.

      Also, keep in mind you need to install printers via GPO under the user context; that can definitely make drivers fail. Lastly, I didn't mention in this article, but you could also make sure you have "point and print restrictions" disabled via GPO. PnP restrictions need to be relaxed when you have drivers to install and the vendor hasnt updated their installer to follow modern guidelines. You can read about how to do that here: https://theitbros.com/allow-non-admins-install-printer-drivers-via-gpo/ .

      Also, one of the writers on this site, Joseph Moody has a website and he has written many great articles on printer deployments. You should check his site out as well at:
      https://deployhappiness.com/

       

      0

  2. James Gullish 8 months ago

    Great article. For issues where Package-aware print drivers are needed for group policy to deploy the printer when driver is not already on the systems. Brother drivers for example were not meeting that requirement.

    Checking Printers for PackageAware value which will require being an odd number higher by 1 if its currently an even number for a printer.

    Powershell ->

    get-childitem "HKLM:\system\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers" -recurse | get-itemproperty -Name PrinterDriverAttributes | ft PSChildName,PrinterDriverAttributes

    If you find an even number for PrinterDriverAttributes, navigate

    regedit->HKLM:\system\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\That Driver Name

    Then manually increase the PrinterDriverAttributes of affected printer by one. Ex. 4 becomes 5.

    Then on PC, reboot and resign on as limited user for GP to obtain printer driver and install.

    I cant remember offhand if the print server sharing the printer object needed reboot too.

    Another thing is if Group Policy is mapping a local TCPIP printer on a device, make sure server share gives everyone group print access else obscure application warning 4098 for Group Policy Printers – Group Policy Object did not apply because it failed with error code ‘0x800700005 Access is denied.’

    1+

    • Author
      Mike Kanakos 8 months ago

      Thanks for sharing that great info, James!

      When reading your comments, I do vaguely remember the bits you mentioned about incrementing up by one. I haven't had to personally to do that in a while so that was a reminder to migrations past. Printer drivers and the deployment can definitely be a pain. You definitely are giving some useful technical information for those problematic situations!

      For people reading this who MAY still have the chance to influence a purchase, this is why you do bake-offs and scorecards. You want to buy products from vendors who make quality products with great support, especially with printers that you may have to support for many years. The best way to do that is to test BEFORE purchase. Test for yourself with a demo product, don't take the sales rep's word!  You won't be on support calls with the sales rep once the equipment is purchased!

      Printer features are important, but also look at how often vendors release updates (like new drivers and firmware) as well as how well doe the drivers work in automation scenarios like the one outlined in this article.

      1+

  3. Nick Casagrande 4 weeks ago

    great article, thank you!  which option should be used for new users for the time first so it remembers which one they chose as the default the next time they login?  

    0

    • Author
      Mike Kanakos 4 weeks ago

      Hi Nick,

      Thank you for the kinds words! Glad my article is helpful. 

      You can and should use "Update". Whatever the end-user selects as their default printer will remain after a group policy update. 

      1+

  4. Nick Casagrande 4 weeks ago

    So let me get this straight.  i setup the gpp with a shared printer (update), user logs in and gets 5 printers from the policy, changes his default to p3, logs off, logs back in, the default will then be set to p3 on the next logon?

    ps - thank you for the help.

    0

Leave a reply

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2019

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account