
Sunday, November 26, 2017

Installing a Domain Print Server (Part 2)

This article is a continuation of Installing a Domain Print Server (Part 1).

Before diving into the deployment options for network printers on our domain, let’s understand that normal users who are not local administrators on their computers may not be able to install our print drivers on their own. To get around this, we’ll deploy a Group Policy Object to configure Point and Print Restrictions for our domain computers.


Configure Point and Print Restrictions via GPO


To start, I’ve launched the Group Policy Management console on my domain controller, and right-clicked on Group Policy Objects. Select New.




Provide a descriptive name in the box that pops up. I’ve named mine Configure Point and Print Restrictions. Right-click on your new GPO and select Edit…




In the Group Policy editor window, browse to Computer Configuration, Policies, Administrative Templates, and click Printers. In the list of available settings locate Point and Print Restrictions. Right-click on it and select Edit.




Enable the policy. If you wish to restrict your users to only add printers from authorized print servers, check the box for Users can only point and print to these servers, then add the fully qualified domain names of your approved print servers. Because the install prompt is suppressed in the next step, this list is worth setting: it limits which print servers can deliver a driver without the user seeing a prompt. In the Security Prompts section, set When installing drivers for a new connection to Do not show warning or elevation prompt, and set When updating drivers for an existing connection to Show warning only. Click OK to save your edits.




Next, while still in our new GPO, browse to Computer Configuration, Policies, Administrative Templates, System, and click Driver Installation. In the list of available settings locate Allow non-administrators to install drivers for these device setup classes. Right-click on it and select Edit. Enable the policy and click Show…




Then, paste the following string into the Value column: {4D36E979-E325-11CE-BFC1-08002BE10318}




Click OK to save the value, and OK again to save your edits to this setting. This has added the printers setup class to the list of device drivers that regular users are allowed to install.


Lastly, link the new GPO to your computers OU. Now that we’ve granted the required permissions for installing drivers, let’s move on to deployment.
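To confirm what a client actually received from this GPO, the following added example (not the author's code) reads the resulting Point and Print values and flags a suppressed install prompt that is not paired with an approved-server list. The registry path and value names are assumptions about where the policy is stored, and the server FQDN is a placeholder.

```powershell
# Added example (not from the article). Assumption: the GPO writes its settings
# to this policy key with the value names used below.
$Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintPolicy {
    # Read the four values the Point and Print Restrictions policy sets.
    $policy = @{}
    if (Test-Path $Key) {
        $item = Get-ItemProperty -Path $Key
        foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings',
                          'TrustedServers', 'ServerList') {
            $policy[$name] = $item.$name
        }
    }
    $policy
}

function Test-PointAndPrintPolicy {
    param([hashtable]$Policy, [string[]]$ApprovedServers = @())
    if ($Policy.Count -eq 0) { return 'Policy key not present: GPO not applied to this computer.' }
    $findings = @()
    # ServerList is a semicolon-separated string; normalise it to lowercase names.
    $servers = @("$($Policy['ServerList'])" -split ';' |
        ForEach-Object { $_.Trim().ToLower() } | Where-Object { $_ })
    $restricted = ($Policy['TrustedServers'] -eq 1) -and ($servers.Count -gt 0)
    if (($Policy['NoWarningNoElevationOnInstall'] -eq 1) -and (-not $restricted)) {
        $findings += 'New-connection prompt is suppressed and no approved-server list is enforced.'
    }
    if ($Policy['UpdatePromptSettings'] -eq 2) {   # 0 = warn + elevate, 1 = warn only, 2 = silent
        $findings += 'Driver updates install silently; the article selects "Show warning only".'
    }
    $approved = $ApprovedServers | ForEach-Object { $_.ToLower() }
    foreach ($s in $servers) {
        if ($s -notlike '*.*') { $findings += "Server '$s' is not a fully qualified name." }
        if ($approved -and ($approved -notcontains $s)) { $findings += "Server '$s' is not on your approved list." }
    }
    if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
}

# Constructed sample: the prompt settings chosen in the article, server box left unchecked.
$sample = @{ NoWarningNoElevationOnInstall = 1; UpdatePromptSettings = 1; TrustedServers = 0 }
Test-PointAndPrintPolicy -Policy $sample

# Live check on a domain client after gpupdate; the FQDN is a placeholder.
Test-PointAndPrintPolicy -Policy (Get-PointAndPrintPolicy) -ApprovedServers 'smb-inf1.example.test'
```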


Configure Network Printer Deployment Options


There are two primary methods of deploying printers to your workstations via Active Directory: Deployed Printers and Group Policy Preferences.


Deployed Printers is the legacy capability which may fit the requirement in very small environments, but its limited feature set makes it a poor choice in most cases. For example, it isn’t possible to set a default printer using this feature. It is, however, extremely simple to set up.


Configure an Active Directory “Deployed Printer”


On my domain controller I’ve opened Group Policy Management and created a new GPO, linked to my Computers OU, called Deploy Printer.




In the Deploy Printer GPO I’ve configured my printer under Computer Configuration, Policies, Windows Settings, Deployed Printers. To do that, just right-click on Deployed Printers and choose Deploy Printer. Then, type the path to the shared printer (SMB-INF1\Lexmark E120n in my case), click the Add>> button, then click OK. Close the GPO and that’s it. The configured printer will be deployed to all of the computers in the linked OU. There’s certainly more you could do with Deployed Printers, and you could probably get fancy with delegation on the new GPO to target the printer deployment a bit, but there’s really no reason to. Microsoft recommends using Group Policy Preferences to deploy printers instead, so let’s look at that.


Configure Shared Printers with Group Policy Preferences


We’ve come this far and now we have another decision to make, because Group Policy Preferences (GPP) can be set for either the User or the Computer. In larger environments it’s recommended to use a Computer policy because it processes during computer startup instead of during user logon, reducing logon time/improving user experience. If you have a lot of printers, the delay during logon can be very noticeable. One notable downside of using a computer GPP in this instance is that it’s not straightforward to set a user’s default printer. It may also be more difficult to use item-level targeting depending on how you have your computer objects organized (assuming that you have them organized).


Let’s take a look at deploying a shared printer with a user GPP and some basic item-level targeting configured. To start, I’ll create a new GPO called Deploy Printers, linked to my Users OU.




Edit the settings for the new GPO and browse to User Configuration, Preferences, Control Panel Settings, Printers. Right-click on Printers and select New > Shared Printer.




In the New Shared Printer Properties box, I’m going to leave the default action of Update*. In the Share path: box, type the path to the share name of your network printer or click the ellipsis button to find it in the directory.




Click the box to Set this printer as the default printer… if desired. That’s it for the configuration on the General tab.


*One caveat to using the Update action instead of Create along with the Set this printer as the default printer option is that the user’s default printer will change back to this printer every time group policy refreshes on the machine. If the user has changed their default printer for some reason, this could be annoying. Consider using Create if you think this may be an issue in your environment.




Click the Common tab next and have a look at the available options. Select the options to Run in logged-on user’s security context, and Item-level targeting. Note that item-level targeting isn’t necessary in all scenarios. If you leave it unchecked the GPO will apply to every user account within the OU that you link the GPO to. This may be perfectly reasonable in many scenarios. Since I want to configure targeting for this demo, I’ll check the box and click the Targeting… button.




Within the Targeting Editor click the New Item drop-down list. If you’re unfamiliar with item-level targeting, you’ll notice there are a large number of parameters that you can choose to target a group policy preference against. For this demo, let’s choose Security Group. The editor populates the basic filter and asks us to define the security group that we’re going to target.




Since this is a user policy we’ll leave User in group checked, and click the ellipsis button next to the empty Group box. I previously used ADUC to create a new security group called Dept-Finance, and I’ve selected that here.




Now I can click OK to close the Targeting Editor and OK again to save the New Shared Printer settings. With the printer configured, this GPO is ready to go. The yellow triangle next to the printer name simply indicates that this is an Update action. If you selected Create instead, you'll see a green triangle.




Note that you can (and in many cases should) configure all of your printers within this one GPP GPO, using item-level targeting on each preference item to sort out who gets what. Exceptions arise when you have a large number of printers or special circumstances that require multiple GPOs. Personally, in a small environment I like to have a single GPO per site for printer deployment.


To test all of this, I’ve logged in to a different domain computer with a user account that is located within my Users container in ADUC, and is also a member of the Dept-Finance group that I assigned in item-level targeting. If you decided not to use item-level targeting, any user within the OU that your GPO is linked to should receive the printer mapping.



Here I can see that the printer has successfully mapped to my end-user account, and has also been set as the default printer as I specified in the GPP.

That concludes this two-part series on basic domain printer deployment.

Sunday, October 22, 2017

Installing a Domain Print Server (Part 1)

Building a domain print server is a quick and simple way to provide a small quality of life improvement for both you and your users. Even if you only have one printer in the office, a domain print server with printers deployed through Active Directory can save you dozens of trips to your users’ desks to manually map a network printer.

I’ll be installing the Print Management components on a new Server 2016 VM in my lab, but this is definitely something that can be co-mingled with other server services if you can’t or don’t want to dedicate a server. You’ll need a couple of things in order to get started:

  • A domain-attached Windows Server on which to install the Print Management feature.
  • A network-attached printer, accessible by the print server and your users, and drivers for said printer.

Installing the Print Management Feature

I’m going to install the Print Server feature on my VM via PowerShell. This can alternatively be installed through the Add Roles and Features dialog menu, by selecting the Print and Document Services role and then the Print Server feature under role services.

PowerShell:

Done.

Adding a Printer & Drivers

Launch the Print Management console and expand Print Servers to see your local server name listed (mine is SMB-INF1), and expand that. We’re currently concerned with Drivers and Printers.


Print Drivers

Understand that there are a couple of different types of printer drivers. Microsoft introduced Type 4 printer drivers with Server 2012 and Windows 8. When printing to older OSes such as Windows 7, the print server will substitute the Microsoft Enhanced Point and Print Compatibility Driver.


In practice this compatibility driver leads to mixed printing results and I generally try to stick with Type 3 drivers in environments with a large Windows 7 installed base (which should be shrinking). That said, some Type 3 drivers have been shown not to handle Windows 10 print jobs particularly well, so it’ll be up to you to test things out and select the best driver for your environment. Luckily, the Print Management console allows you to install multiple drivers and you can switch between them for installed printers with relatively little hassle.

Try to use a Universal Print Driver from your printer’s manufacturer whenever possible. This generally enables one driver to service many different models of printer from the same manufacturer, and cuts down on the number of packages you need to ultimately install on your server. You’ll also have to choose between PCL5, PCL6, and PS (PostScript). Unless you have a reason to select a different option, I recommend PCL5. It’s the most stable with generally the widest compatibility for printing most office documents.

For this lab I’ll be installing my trusty Lexmark E120n laser printer, so I’ve downloaded the Lexmark Universal Print Driver for PCL5 from their website.

Driver Installation

Ideally you do not want to install the actual driver software onto the print server. In most cases the driver package should offer the option to extract only, or you may have to dig the driver files out of the temporary folder after launching the installer.

With the driver files in hand, we can add the printer driver to our server. Within Print Management, right-click on Drivers and choose Add Driver. Then, follow the prompts in the Add Printer Driver Wizard to add the correct driver.


x64 should be appropriate for most environments, I hope. Click Next.


At Printer Driver Selection, click Have Disk.


Browse to the location on your server where you saved the driver files, select the INF file and click Open. Then click OK in the Install From Disk prompt to select the driver.


If you’ve selected the correct INF file, you should see your driver listed in the Printers box.


Click Next, then click Finish to complete the driver installation. You should now see the driver listed with the others in the Print Management Console.


Printer Installation

With the driver installed, we’re ready to install our network printer. Right-click Printers and select Add Printer.


Keep the default selected to add a TCP/IP printer and click Next.


In the Printer Address menu enter the IP address of your network printer, and uncheck the box to auto detect the printer driver. Then click Next.


On the Printer Driver menu select the option to use an existing printer driver, and select the driver that you installed in the previous steps. Then click Next.


Provide a descriptive name for the printer. This is especially important if you will have multiple printers of the same model and/or spread across a large campus. A naming convention like Building-Floor-Room# can be helpful here, if necessary. Since I’m only working with the one printer today, I’ve named it with the make and model. Be sure to update the share name if necessary and check the box to Share this printer. Then click Next, Next again, and Finish.


Check the box to print a test page in order to confirm that the driver you installed is working as expected.


With the printer installed, right-click on the printer name in the listing and choose Properties. This is the time to review various print settings for the model you’ve installed and ensure that they are aligned with your organizational standards. I’ve found that some drivers like to turn on things like duplexing, for example, which may not be desirable as a default setting.

Be sure to check out the Sharing tab and check the box to list the printer in the directory. This publishes the printer with Active Directory so client computers can quickly find it via the Devices and Printers wizard.


From a domain client computer, we can see that the printer is listed in AD and available to be installed.


You can also configure typical Windows security permissions on the printer object, if desired. The default setting is to allow the Everyone group permission to print to every printer. This may not be desirable in some cases, such as for a large format printer in the Marketing department or a check printer with expensive MICR toner in the Accounting department. In those cases you can remove the Everyone group and add just the specific AD user groups that should be allowed to print.

And that’s it. The printer is installed on our server and published to AD DS, ready to be discovered and installed by our users. In part two we’ll review the options for deploying our printer automatically across the organization.
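The same build can be scripted with the PrintManagement cmdlets. This is an added example, not the author's code: it installs the role service, stages the extracted driver, and creates, shares and publishes the printer. The INF path, driver name and printer IP address are placeholders to replace with your own values; the printer and share name follow the article.

```powershell
# Added example (not from the article): scripted equivalent of the GUI steps.
# Placeholders to replace: $InfPath, $DriverName, $PrinterIP.
$InfPath     = 'C:\Drivers\<extracted-driver-folder>\<driver>.inf'
$DriverName  = '<driver name exactly as listed by the Add Printer Driver Wizard>'
$PrinterIP   = '192.0.2.10'        # documentation address; use your printer's IP
$PrinterName = 'Lexmark E120n'     # printer name and share name used in the article
$PortName    = "IP_$PrinterIP"

# 1. Install the Print Server role service plus the Print Management console.
Install-WindowsFeature -Name Print-Server -IncludeManagementTools

# 2. Stage the extracted driver package in the driver store (no vendor installer
#    is run on the server), then register the driver with the spooler.
pnputil.exe /add-driver $InfPath
if ($LASTEXITCODE -ne 0) { Write-Warning "pnputil returned exit code $LASTEXITCODE" }
if (-not (Get-PrinterDriver -Name $DriverName -ErrorAction SilentlyContinue)) {
    Add-PrinterDriver -Name $DriverName
}

# 3. Create the Standard TCP/IP port that points at the printer.
if (-not (Get-PrinterPort -Name $PortName -ErrorAction SilentlyContinue)) {
    Add-PrinterPort -Name $PortName -PrinterHostAddress $PrinterIP
}

# 4. Create the printer with the existing driver, share it, and list it in the directory.
if (-not (Get-Printer -Name $PrinterName -ErrorAction SilentlyContinue)) {
    Add-Printer -Name $PrinterName -DriverName $DriverName -PortName $PortName `
                -Shared -ShareName $PrinterName -Published
}

# 5. Confirm the result before moving on to permissions and deployment.
Get-Printer -Name $PrinterName |
    Select-Object Name, DriverName, PortName, Shared, ShareName, Published
```

Each step checks for an existing object first, so the script can be re-run after correcting a placeholder without creating duplicates.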
