Windows 7 Forums

Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: Security Filtering for GPO

14 Sep 2015   #1
EricG1793

Win 7 HP 64; Ubuntu 14.04 64; Win 8.1 Pro 64
 
 
Security Filtering for GPO

Greetings!

I'm trying to introduce deployed printers that are deployed only to specific groups of people. We currently deploy about 50 printers per-machine and it's really causing lag when people to go print, and it's frustrating to dig through the list to find the right one.

We have existing security groups, and these are the steps I've taken:

1. Create 4 new GPOs. 1 for classrooms, 1 for faculty, 1 for staff, 1 for administration. Right now I'm testing with the staff.

2. Edit the GPO, add all desired printers to Computer Configuration -> Policies -> Windows Settings -> Deployed Printers

3. Set Security Filtering of the scope of the GPO to the Staff security group (which FYI consists entirely of departmental security groups, no users)

4. Create a new OU called Print Test, put my machine and the new GPO in it

After gpupdate, no printers arrive.

I've found out that if I leave Authenticated Users in the Security Filtering, I get the printers. However, as soon as I remove Authenticated Users and add the Staff group and gpupdate, the printers go away. Same thing if I add my user account instead of the group.

I've verified that, when the Staff group is the only group in the Security Filtering, in the Advanced Delegation, it does has permission to Read and Apply Policy, just like Authenticated Users does when it's there.

I'm stumped! Any ideas would be appreciated.


My System SpecsSystem Spec
.
14 Sep 2015   #2
Layback Bear

Windows 7 Pro. 64/SP-1
 
 

I know I can't help you on such matters but those that can would surly like to know what operating system/s you are using.

Knowing what environment might also be useful,
50 printers per-machine is a lot. It kind of leaves out home user and small business.
My System SpecsSystem Spec
14 Sep 2015   #3
EricG1793

Win 7 HP 64; Ubuntu 14.04 64; Win 8.1 Pro 64
 
 

Thanks for the pointers! Didn't think to post an OS since this is a Win7 forum. Our machines are Win 7 Pro, domain controller is Server 2012. We are a school with around 1200 users.
My System SpecsSystem Spec
.

14 Sep 2015   #4
GokAy

Windows 7 Ultimate x64 SP1
 
 

I am supposed to know this but has been long time since actually use it, so bear with me:
- you are configuring computer conf but the filtering is users.
- authenticated users as far as I know does include computers
- when you remove authenticated users there is no computers left in the filter to read the GPO
- so try adding the machine to the security filtering instead of users

See Computer Accounts in the Authenticated Users Group | Security content from Windows IT Pro
My System SpecsSystem Spec
14 Sep 2015   #5
EricG1793

Win 7 HP 64; Ubuntu 14.04 64; Win 8.1 Pro 64
 
 

Thanks for the suggestion! I originally tried per-user but switched to per-machine in troubleshooting.

I just went ahead and made a new GPO, printers deployed per-user. Again, if the Security Filtering is Staff, I see no printers; but when I switched to Authenticated Users, it works.

It seems like it must be something with that security group or my own account, but I'm not sure what to look for. The hierarchy is Staff OU -> Staff group -> Technology group -> Me. I also tried doing Domain Admins, which I'm also a member of. Still no dice.

Still, it won't work even if I put my account directly in the Security Filtering! :-\

Could it have something to do with which group(s) are my primary group(s)? We already ran across the issue with Azure AD sync and distribution groups where we have to set Domain Users as the primary group in order for people be included in messages sent to the mail-enabled security groups.
My System SpecsSystem Spec
14 Sep 2015   #6
GokAy

Windows 7 Ultimate x64 SP1
 
 

Quote:
I just went ahead and made a new GPO, printers deployed per-user.
Which setting is this? If it is a computer configuration it won't work with users, you have to assign to specific computers. Computer configuration is loaded before even any user logs on and is not controlled on a user basis. As far as I know' that's why there are 2 types of configurations in GPO.

So instead of trying to apply the GPO to users, add your computer account to your test group.
My System SpecsSystem Spec
15 Sep 2015   #7
EricG1793

Win 7 HP 64; Ubuntu 14.04 64; Win 8.1 Pro 64
 
 

The new GPO was User Configuration -> Policies -> Windows Settings -> Printer Connections. My computer has been in the test OU all along.

I guess I owe it to you guys to go back to the big picture! We want to apply these 4 GPOs, each with different Security Filters according to security group that the desired users are in. All 4 of the GPOs will eventually go in to the OUs "Staff Computers" and "Classroom Computers." The goal is to have printers available to all these computers, but they are restricted to different sets of printers (different GPOs) depending on which user logs in.

In testing, I made a "Print Test" OU and put my computer, plus the GPO(s) being tested, in it. I've tried changing between

User Configuration -> Policies -> Windows Settings -> Printer Connections*
and
Computer Configuration -> Policies -> Windows Settings -> Printer Connections*

and changing the Security Filtering of hte GPO between "Authenticated Users" (which always works), the security group(s) I am a member of, and even my user account itself.

Hope this helps; maybe I'm not going about it the right way in the first place!

* "Printer Connections" seems to be interchangeable with "Deployed Printers." When listing the settings of the GPO, it says Printer Connections, but when editing, the menu tree says Deployed Printers.
My System SpecsSystem Spec
15 Sep 2015   #8
Layback Bear

Windows 7 Pro. 64/SP-1
 
 

Clue me in folks. What is a (OU)?
My System SpecsSystem Spec
15 Sep 2015   #9
GokAy

Windows 7 Ultimate x64 SP1
 
 

Organizational Unit for administrational purposes of an Active Directory domain.

https://technet.microsoft.com/en-us/...(v=ws.10).aspx
My System SpecsSystem Spec
Reply

 Security Filtering for GPO




Thread Tools Search this Thread
Search this Thread:

Advanced Search




Similar help and support threads
Thread Forum
Gmail Filtering.
Hi Folks, If I remove everything before @ in the 'From' box in my image, will it still function when filter is created to delete it ??
Browsers & Mail
Problem with ActiveX filtering in IE9
I've been finding that in many cases when I'm shopping, the only way I can accomplish that is to open Firefox and use it. Many times when I click the blue circle in the address bar to "turn off ActiveX filtering" it apparently does not turn off. Example: I was shopping for kitchen faucets....
Browsers & Mail
How to get Web Filtering for my Version of Windows 7
Hi, I recently bought a new Dell laptop. I went to add a new standard user (for my kids) and set set up parental controls. To my surprise, this version did not come with web filtering. I went to the Help, and asked "What happened to Parental COntrols Web Filtering and Activity Report?". The...
General Discussion
InPrivate Filtering
In IE8, do people use it? I find it blocks something on every web page I visit so I'm always seeing the exclamation point. And wondering if it is making the web page not display properly. On a few sites I was able to allow some things to make the pages display correct but then it has to be run...
Browsers & Mail
ie9 inprivate filtering not available
Hi I've recently installed Internet Explorer 9. The option to enable inprivate filtering is not present in the safety menu. I've searched in google, and I can't find any news that this feature has been removed, so I assume I've got something wrong with the way ie9 has installed. I've...
Browsers & Mail
InPrivate Filtering (IE8)
Every time I restart the browser the InPrivate Filtering gets disabled even if I had it enabled on the previous session. Is there anyway to fix this? Also if you add a lot of rules to the InPrivate Filtering list will it slow down the browser?
Network & Sharing


Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 19:18.

Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App