Managing Printers Using Group Policy (Part 2)

If you missed Part 1 please click here to read Managing Printers Using Group Policy (Part 1).

Machine Policies for Printers (Continued)

We’ve been looking at the machine policies used for managing shared printers on an Active Directory-based network (see Figure 1) and so far have examined policies relating to publishing, pruning, and searching for printers. Let’s look at the remaining machine policies and afterward move on to user policies.

Figure 1: Machine policies for managing printers


The remaining four machine policies we haven’t covered so far deal with several different matters, so let’s look at each of them separately.

Web-based printing When this policy is disabled, shared printers are not published on the web. What this means is that:

  • Shared printers cannot accept incoming print jobs from clients who have submitted these jobs using HTTP.
  • Shared printers cannot be remotely managed or have their properties viewed using a web browser.

Of course, none of this is possible anyway unless you’ve installed IIS together with its Internet Printing component on a server in your network (see article 313058 in the Microsoft Knowledge Base for more information about setting up Internet printing on your network). If you enable this policy or leave it not configured (and IIS with Internet Printing is installed, then you can manage printers from a web browser (Figure 2) and users can print to printers over the Internet. Note however that this policy only applies to Windows XP and Windows Server, and not Windows 2000 machines.

Figure 2: Managing printers using a web browser

Custom Support URL in Printers folder’s left pane To help users easily find information that can help them find and use printers in your enterprise and know what steps to take when printing problems arise, you can add a hyperlink to the Printers folder on their machines that can take them to a special Support website you’ve created that guides them in such matters.

Printer browsing On an Active Directory-based network, the Browser service is an unnecessary anachronism as is NetBIOS and WINS since the directory itself (together with DNS) can be used to locate printers and other items on the network. So if you have no legacy (Windows NT/9x) clients on your network then you can set this policy to disabled to prevent the print subsystem on print servers from announcing via the Browser service that printers are available. On the other hand, you can simply leave this policy not configured and such Browser announcements will be suppressed unless Active Directory should itself go down for some reason.

Disallow installation of printers using kernel-mode printer drivers By default Windows XP allows kernel-mode printer drivers to be installed, but Windows Server 2003 doesn’t. Kernel-mode drivers can crash the system and cause STOP messages (blue screens) if they are poorly written, so by enabling this policy you can prevent such printer drivers from being installed on your XP desktops. Note that this policy only applies to Windows XP and Windows Server 2003, and not to Windows 2000 machines.

Allow Print Spooler to accept client connections Disabling this policy will prevent users from sharing printers on machines to which this policy is applied. It has no effect however on printers that have already been shared on the machine. However, disabling this policy will also prevent the Spooler service on affected machines from receiving any incoming client connections to print. Note that for this policy to take effect the Spooler service must be restarted (or the machine rebooted). Also note that this policy only applies to Windows Server 2003, and not to Windows 2000 or Windows XP machines.

User Policies

User policies are Group Policy settings that are applied when users log on to their computers, and are usually used to govern the behavior of desktop computers whose Computer accounts reside in a domain, OU or site. There are fewer user policies for managing printers than there are machine policies, so let’s just look at them one at a time (see Figure 3). Most of these policies have to do with locking down printers i.e. preventing users from making a mess of their printer connections. The only problem with these lockdown policies is that there are ways to circumvent them if the user is knowledgeable enough, but for the average user they usually suffice to hold the fort.

Figure 3: User policies for managing printers

The policy names used here are those for Windows XP and Windows Server 2003. Some policies may be named differently on Windows 2000.

Prevent addition of printers If this policy is enabled, the Add Printers icon is missing from the Printers folder on computers affected by this policy (see Figure 4). It also prevents users from adding a printer by dragging it from a network share into the Printers folder.

Figure 4: The Add Printer icon is missing from the Printers folder

Prevent deletion of printers If this policy is enabled, users cannot delete printers from the Printers folder on their computers. This includes both local printers (connections to print devices connected to their computers through USB or LPT ports) and network printers (connections to shared printers on the network).

Browse the network to find printers Setting this policy to disabled prevents users from browsing the network to find shared printers when they are running the Add Printer Wizard to add a new printer to their machine. It doesn’t prevent them from typing the full UNC pathname to a shared printer though, so they can still add network printers if they know the explicit path to the printer they want to add.

Default Active Directory search path when searching for printers When users search Active Directory for printers, their search has to start somewhere. By default the starting point for such searches is Entire Directory, which can be daunting for some users if you have a complicated forest with many domains. To make things easier for them you can use this policy to change the starting point for their search to some other part of the directory such as the local domain or OU where the user’s account resides.

Browse a common web site to find printers To help users find printers in a large enterprise, you can use this policy setting to enable users to click a “Browse the Intranet” link when they use the Add Printers Wizard to add a new printer to their machine (see Figure 5). This link then redirects the user to a web page you have set up that helps them find the printer they need and connect to it.

Figure 5: The “Browse the Intranet” link redirects users to a web page where they can find the printers they need

Point and Print Restrictions If this policy is disabled then ordinary users can connect to shared printers using the point and print method. This is done by using Windows Explorer or My Network Places to open the Printers folder on the print server and then right-clicking on the shared printer you want to install and selecting Connect. The printer drivers you need will be automatically downloaded to your machine and a printer connection will be created to the network printer. If instead you enable this policy, you can restrict users so they can only use point and print to connect to printers in the forest in which their user account resides (or to a specific list of print servers in this forest). If the policy is not configured, users can only use point and print to connect to printers in their own forest. If it is disabled, they can connect to any shared printers anywhere. Note that this policy only applies to Windows Server 2003 and Windows XP Service Pack 1 or later machines. For more information on this policy see article 319939 in the Knowledge Base.

AutoProf Policy Maker Professional 2.0

One thing Group Policy doesn’t let you do is to assign printer connections to client machines simply by configuring a policy setting. This is unfortunate, and for most admins the workaround is writing a logon script to create the printers needed on their desktop machines. This logon script can then be assigned using Group Policy and when users log on to their machines they have the printers they need in their Printers folders. For more information on assigning logon scripts see my earlier article Using Logon Scripts in Pure and Mixed Active Directory Environments on this site.

If you want to create printers using a logon script however, a traditional batch file is not your best approach. A better approach is to use VBScript, which gives you much more flexibility for creating conditions based on group membership and so on. But to do this you need to know how to write scripts using VBScript and you need the time to do so.

AutoProf Policy Maker Professional 2.0 from AutoProf makes this unnecessary. This terrific tool extends Group Policy to let you easily do a ton of things you can’t normally do, and one of these things is creating printer connections on client machines (Figure 6):

Figure 6: Using AutoProf Policy Maker Professional 2.0 to automatically create printer connections on target machines using Group Policy

Once you’ve tried AutoProf Policy Maker Professional 2.0, you’ll wonder how you ever lived without it as an administrator who uses Group Policy to manage his or her network. You can find more information about AutoProf Policy Maker Professional 2.0 in my article on WindowsDevCenter on the O’Reilly Network.

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top