Over the years, IT administrators have struggled to find an easy way to manage printers across their organization. Some of the approaches that have been used in the past include:

  • Manually – In a small environment, this tried and true method has been around forever. However, as a global solution it does not scale well, and when you leave something in a user’s hands, inevitably something will go wrong.
  • Logon Scripts – Logon scripts have existed since the beginning of system administration and have been a great way to accomplish a wide variety of tasks. However, they are cumbersome to develop and often do not provide much in the way of logging when things go bad. As you add more granularity to your scripts (segmenting by user groups etc.), the process increases exponentially in complexity.
  • Print Management – Starting with Windows 2003 R2, Microsoft released the Print Management role into Windows. Print Management was a great tool for administrators, as it allowed them to manage all their print servers from a central console and also introduced the ability to deploy printers with group policy. The policy was a small step forward, as it allowed us to push out printers to people based on the mechanisms available to us in group policy. However, any fine-grained control relied on the ability to filter and scope the group policies. There was also no graceful way to remove the deployed printers.

With the release of Windows 2008, Microsoft provided us with Group Policy Preferences. These add-ons to group policy gave administrators the ability to fill in the gaps on many settings that were not gracefully managed with standard group policies, and also allowed much more granular targeting of the actions. One of the better additions was the ability to add printers via Group Policy Preferences. With one policy, administrators are able to control printers for large portions of an organization, with effective logging as well.

In the following post, we’ll go over how to set up printer deployment using Group Policy Preferences in a way that will keep the administrative overhead down and limit the number of calls into your helpdesk when rolling it out.

This procedure assumes that you already have a working print server in your environment that handles the needs of all of your staff (proper architecture, security restrictions etc.). How to set up a proper working print server may be covered in a different posting. You will also need a machine that is running either Windows 7 or Windows 2008 R2, as it contains the most recent group policies and will make your life much easier in the deployment.

Part 1: Preparing your network for automated printer deployment.

With the advent of Windows Vista/7 and UAC, Microsoft provided a mechanism for IT administrators to enhance the security on their desktops while still having a mechanism to provide assistance when needed. It has also given us the ability to control, at a more granular level, the sections of the OS that we allow end users to access. One of those areas is printer installation. Previously, if the drivers were not already on the workstation, you had to have administrative rights to install the printer. With the advent of UAC we can now allow non-administrators the proper rights to install printers without exposing the rest of the OS.

To set up group policy to allow automatic driver installation, we need to perform the following procedure. You can watch the process in the video link below as well.

  1. Log on to a machine with the Group Policy Management Console installed.
  2. Create a new policy in your domain to hold the settings. Name it something similar to “Workstation Printer Deployment Configuration”.
  3. Open the policy for editing.
  4. Browse to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

  5. Find the policy Devices: Prevent Users from Installing Drivers. Select the check box to define this policy and then set it to Disabled.

  6. Now browse to Computer Configuration > Policies > Administrative Templates > Printers

  7. Find the policy in there labeled Point and Print Restrictions

  8. Enable the policy and scroll down to Security Prompts.
  9. Change the drop-downs to “Do not show warning or elevation prompt”. This will enable Windows Vista users to install drivers without a UAC prompt (necessary for install at login). After that, click OK.

  10. Now browse down to User Configuration and find the policy path User Configuration > Policies > Administrative Templates > Control Panel > Printers

  11. Find the policy for Point and Print Restrictions.
  12. Enable the policy and scroll down to Security Prompts.
  13. Change the drop-downs to “Do not show warning or elevation prompt”. This will enable Windows Vista users to install drivers without a UAC prompt (necessary for install at login). After that, click OK.
  14. In the same window, locate the policy Prevent Addition of Printers.

  15. Change that policy to Disabled.

  16. Close out of the Policy Editor.
  17. Now we need to place this policy on the domain. You need to link it at a location that applies to both all workstations and user objects; in my case the easiest was at the top of the domain root. Your mileage may vary on the location.
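
One way to confirm on a workstation that the settings from the steps above actually applied, as an added example that is not part of the original post. The registry paths and value names are the ones these policies are documented to write; the helper name `Get-PolicyValue` is hypothetical, and the trusted-server rows are reported for information only because the procedure above does not set them.

```powershell
# Added example: read back the registry values behind the policies configured above.
# Run after 'gpupdate /force', logged on as a user the policy targets (HKCU is per user).
function Get-PolicyValue {    # hypothetical helper name
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }    # key or value absent: not configured
    return $item.$Name
}

$pnpMachine = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$pnpUser    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$lanman     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'
$explorer   = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

$checks = @(
    # Security option "Devices: Prevent users from installing printer drivers" = Disabled
    @{ Setting = 'Prevent driver install (computer)'; Path = $lanman; Name = 'AddPrinterDrivers'; Expected = 0 },
    # Point and Print Restrictions, both security-prompt drop-downs set to "do not show"
    @{ Setting = 'Install prompt (computer)'; Path = $pnpMachine; Name = 'NoWarningNoElevationOnInstall'; Expected = 1 },
    @{ Setting = 'Update prompt (computer)';  Path = $pnpMachine; Name = 'UpdatePromptSettings'; Expected = 2 },
    @{ Setting = 'Install prompt (user)';     Path = $pnpUser;    Name = 'NoWarningNoElevationOnInstall'; Expected = 1 },
    @{ Setting = 'Update prompt (user)';      Path = $pnpUser;    Name = 'UpdatePromptSettings'; Expected = 2 },
    # "Prevent addition of printers" = Disabled; an absent value is treated as equivalent
    @{ Setting = 'Prevent addition of printers'; Path = $explorer; Name = 'NoAddPrinter'; Expected = 0; AllowAbsent = $true },
    # Informational: which print servers the prompt-free install is scoped to, if any
    @{ Setting = 'Trusted servers only (info)'; Path = $pnpMachine; Name = 'TrustedServers' },
    @{ Setting = 'Trusted server list (info)';  Path = $pnpMachine; Name = 'ServerList' }
)

$results = foreach ($c in $checks) {
    $actual = Get-PolicyValue -Path $c.Path -Name $c.Name
    $state = if (-not $c.ContainsKey('Expected')) {
        'Info'
    } elseif ($actual -eq $c.Expected) {
        'OK'
    } elseif ($null -eq $actual -and $c.AllowAbsent) {
        'OK (not set)'
    } else {
        'MISMATCH'
    }
    [pscustomobject]@{
        Setting = $c.Setting; Value = $c.Name
        Actual = $actual; Expected = $c.Expected; State = $state
    }
}
$results | Format-Table -AutoSize -Wrap
```

A `MISMATCH` row usually means the GPO is not linked where it reaches that computer or user object; `gpresult /r` shows which policies were applied.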

The prep work is now done. In the next section we will go over how to use Preferences to deploy the printers.