====== Sharing Network Printers Using Group Policy Preferences ======

See also **[[networking:windows:printer_shared|Shared Network Printers]]**

https://deployhappiness.com/deploying-printers-with-group-policy-preferences/

https://www.simple-talk.com/sysadmin/general/managing-printers-with-group-policy,-powershell,-and-print-management/

**GPP Best Practices**: https://deployhappiness.com/best-practices-for-group-policy-printer-preferences/

**HP Universal Printer Drivers**: http://h20331.www2.hp.com/Hpsub/cache/344305-0-0-225-121.html

===== Printer Sharing Overview =====

  * Install Windows **Print and Document Services** server role 
    * Usually on a domain controller and/or file server
  * **Disable Client Side Rendering** (CSR) for all shared printers
    * Keeps RDS server from processing all the print data
  * Use **universal printer drivers** where possible
  * Use **Winprint print processor** for all shared printers
  * Use **Group Policy Preference** (GPP) to push printers and set default
    * Filter by user groups
    * Create a GPP and user group for each printer that will be someone's default printer
    * Each GPP will attach all desired printers for members of the user group
  * Use a **Delete all shared printers** preference as first step in GPP

===== GPP Overview =====

  * Create a **Computer** or **User** policy (we generally use **User** for connecting to network printers)
  * Start with a **Delete All** action
  * Add **all printers** the user should have
  * Set one as the **Default Printer**
  * Use **Update** (CRUD)
    * ''Update'' will change the Default Printer every login
    * ''Create'' will only set the Default Printer at creation time 
  * **Create a policy** for each printer **that will be someone's default printer**
  * **Filter** by a user group
    * Create a **new user group** for each printer that will be someone's default printer
    * **Add users** to the group which will determine their default printer
    * Make sure users are **not in multiple 'Printer' groups**
    * **Add** ''Domain Computers'' **group** with ''Read'' permissions to the **Delegations tab**
    * The **Computer account** must have ''Read'' permissions to the GPO even though the GPO is **linked to a User container**

<note important>Keep in mind that if you are going to **configure Internet Options**, **set a default Printer**, or **edit the Start Menu**, the GPO will need to be **linked to a user OU** or a computer OU with Loopback enabled.</note>

<note>A recent [[https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-policy-security-update-ms16-072-kb3163622/|Windows security update]] has changed how group policies are processed.  Prior to the update, policies were processed in the user context.  Now, policies are processed in the computer context.  This is why we now **add the group** ''Domain Computers'' **to the Delegations tab** with Read permissions to the GPO.</note>

===== Install and Share Printer =====

:!: Do **not** ''Deploy'' printers using Print Management (printmanagement.msc) as that uses Group Policy instead of **Group Policy Preferences** to push out the printers.

Install and share the printer using Print Management (printmanagement.msc).

Add all necessary drivers (x86 and x64).  The different drivers for the same printer must be the same version (name) exactly.

===== Create a User Group =====

Using Active Directory Users and Computers (dsa.msc), add a group like ''Printer Printername''.

Add users to the group whose default printer will be ''Printername''.  Make sure users are not members of any other similar 'Printer' groups.

===== Create a Group Policy Preference =====

{{ :networking:windows:gpp_printer_1.png?750 |Group Policy Preference for Shared Printers}}

:!: You can also copy and edit an existing printer GPP if you have one.

Using Group Policy Management (''gpmc.msc''), add a Group Policy Preference:

  - **Run** ''gpmc.msc''
    * Expand **Forest -> Domains -> yourdomain.local**
  - On your desired AD container, right-click -> **Create a GPO in this domain and link it here**
    * Name it ''Printers - NewPrinterName''
  - **Select** the new GPP
    * **Change** the **Security Filtering** to the new user group created above
  - **Select** the **Delegations** tab
    * **Add** the ''Domain Computers'' group with ''Read'' permissions
  - **Edit** the new GPP
    * Right-click -> Edit
    * Expand **User Configuration -> Preferences -> Control Panel Settings -> Printers**
  - **Add** a **Delete** action
    * Select **Delete all shared printer connections**
    * Must be the first action
  - **Add** an **Update** action
    * Select the appropriate **shared printer** that will be the default printer for group members
    * Select **Set this printer as the default printer**
  - Add another **Update** action **for each shared printer** for group members
    * Do **not** select any other printer as default

===== Troubleshooting =====

**GPP Not Applying**: https://deployhappiness.com/group-policy-preferences-not-applying/

https://deployhappiness.com/series/group-policy-troubleshooting/

https://technet.microsoft.com/en-us/library/cc749336(v=ws.10).aspx

==== PowerShell ====

This command lists printers with problems:

<file>
Get-Printer –ComputerName PrintServer | Where PrinterStatus -ne Normal | select Name,PrinterStatus,Portname | Out-GridView
</file>

Set all printers to use WinPrint print processor:

<file>
Get-Printer –ComputerName PrintServer | Where PrintProcessor -ne "WinPrint" | Set-Printer –ComputerName PrintServer –PrintProcessor WinPrint
</file>

==== Event ID 4098 ====

**Event Viewer -> Windows Logs -> Application**

Windows 7?

**Event Viewer -> Application and Services Logs -> Microsoft -> Windows -> Group Policy**

==== Group Policy Updates ====
 
  - Run ''gpupdate /force'' on the Domain Controller
  - Run ''gpupdate /force'' on the RDS server
  - Log the test user out
  - Log the test user back in and printers should appear in Devices and Printers (''control printers'')