Security Filtering for GPO


  1. Posts : 8
    Win 7 HP 64; Ubuntu 14.04 64; Win 8.1 Pro 64
       #1


    Greetings!

    I'm trying to introduce deployed printers that are deployed only to specific groups of people. We currently deploy about 50 printers per-machine and it's really causing lag when people go to print, and it's frustrating to dig through the list to find the right one.

    We have existing security groups, and these are the steps I've taken:

    1. Create 4 new GPOs. 1 for classrooms, 1 for faculty, 1 for staff, 1 for administration. Right now I'm testing with the staff.

    2. Edit the GPO, add all desired printers to Computer Configuration -> Policies -> Windows Settings -> Deployed Printers

    3. Set Security Filtering of the scope of the GPO to the Staff security group (which FYI consists entirely of departmental security groups, no users)

    4. Create a new OU called Print Test, put my machine and the new GPO in it

    After gpupdate, no printers arrive.

    I've found out that if I leave Authenticated Users in the Security Filtering, I get the printers. However, as soon as I remove Authenticated Users and add the Staff group and gpupdate, the printers go away. Same thing if I add my user account instead of the group.

    I've verified that, when the Staff group is the only group in the Security Filtering, in the Advanced Delegation, it does have permission to Read and Apply Policy, just like Authenticated Users does when it's there.

    I'm stumped! Any ideas would be appreciated. :)


  2. Posts : 25,847
    Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
       #2

    I know I can't help you on such matters but those that can would surely like to know what operating system/s you are using.

    Knowing what environment might also be useful,
    50 printers per-machine is a lot. It kind of leaves out home user and small business.


  3. Posts : 8
    Win 7 HP 64; Ubuntu 14.04 64; Win 8.1 Pro 64
    Thread Starter
       #3

    Thanks for the pointers! Didn't think to post an OS since this is a Win7 forum. Our machines are Win 7 Pro, domain controller is Server 2012. We are a school with around 1200 users.


  4. Posts : 5,656
    Windows 7 Ultimate x64 SP1
       #4

    I am supposed to know this, but it has been a long time since I actually used it, so bear with me:
    - you are configuring computer conf but the filtering is users.
    - authenticated users as far as I know does include computers
    - when you remove authenticated users there are no computers left in the filter to read the GPO
    - so try adding the machine to the security filtering instead of users

    See Computer Accounts in the Authenticated Users Group | Security content from Windows IT Pro


  5. Posts : 8
    Win 7 HP 64; Ubuntu 14.04 64; Win 8.1 Pro 64
    Thread Starter
       #5

    Thanks for the suggestion! I originally tried per-user but switched to per-machine in troubleshooting.

    I just went ahead and made a new GPO, printers deployed per-user. Again, if the Security Filtering is Staff, I see no printers; but when I switched to Authenticated Users, it works.

    It seems like it must be something with that security group or my own account, but I'm not sure what to look for. The hierarchy is Staff OU -> Staff group -> Technology group -> Me. I also tried doing Domain Admins, which I'm also a member of. Still no dice.

    Still, it won't work even if I put my account directly in the Security Filtering! :-\

    Could it have something to do with which group(s) are my primary group(s)? We already ran across the issue with Azure AD sync and distribution groups where we have to set Domain Users as the primary group in order for people to be included in messages sent to the mail-enabled security groups.
    Last edited by EricG1793; 14 Sep 2015 at 21:45.


  6. Posts : 5,656
    Windows 7 Ultimate x64 SP1
       #6

    I just went ahead and made a new GPO, printers deployed per-user.
    Which setting is this? If it is a computer configuration it won't work with users, you have to assign to specific computers. Computer configuration is loaded before even any user logs on and is not controlled on a user basis. As far as I know, that's why there are 2 types of configurations in GPO.

    So instead of trying to apply the GPO to users, add your computer account to your test group.
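The check that posts #4 and #6 point at, as an added example that is not from any poster in the thread: it lists the GPO's Apply entries and reports whether a given computer or user account is covered, directly or through nested groups. The GPO name `Staff Printers` and the accounts `PC-TEST01$` and `jdoe` are hypothetical, and the RSAT GroupPolicy and ActiveDirectory modules are assumed.

```powershell
# Added example, not from the thread. Hypothetical names: 'Staff Printers',
# 'PC-TEST01$', 'jdoe'. Requires the RSAT GroupPolicy and ActiveDirectory modules.
Import-Module GroupPolicy, ActiveDirectory

function Get-GpoFilterMatch {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $SamAccountName  # computer accounts end in '$'
    )
    # Resolve the account being tested to its SID so comparisons are unambiguous.
    $target = Get-ADObject -Filter "sAMAccountName -eq '$SamAccountName'" -Properties objectSid
    if (-not $target) { throw "Account '$SamAccountName' not found" }
    $targetSid = $target.objectSid.Value

    # Entries shown under Security Filtering hold the GpoApply permission level
    # (Read plus Apply group policy).
    $applyEntries = Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' }

    foreach ($entry in $applyEntries) {
        $sid = $entry.Trustee.Sid.Value

        # S-1-5-11 is Authenticated Users, which includes computer accounts.
        if ($sid -eq 'S-1-5-11') { return 'Authenticated Users' }

        # Direct entry for the user or computer account itself.
        if ($sid -eq $targetSid) { return "direct entry '$($entry.Trustee.Name)'" }

        # Group entry: expand nested groups (Staff -> departmental groups -> accounts).
        $adObject = Get-ADObject -Filter "objectSid -eq '$sid'"
        if ($adObject -and $adObject.ObjectClass -eq 'group') {
            $members = Get-ADGroupMember -Identity $sid -Recursive
            if ($members.SID.Value -contains $targetSid) {
                return "group '$($entry.Trustee.Name)'"
            }
        }
    }
    return $null  # no GpoApply entry covers this account
}

# Computer Configuration settings are processed by the computer account and
# User Configuration settings by the user, so test both against the same GPO.
foreach ($account in 'PC-TEST01$', 'jdoe') {
    $match = Get-GpoFilterMatch -GpoName 'Staff Printers' -SamAccountName $account
    if ($match) { "{0}: covered by {1}" -f $account, $match }
    else        { "{0}: not covered by Security Filtering" -f $account }
}
```

On the client, `gpresult /r /scope computer` and `gpresult /r /scope user` list the GPOs that were applied and the ones that were filtered out, which shows which side of the policy the filter excluded.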


  7. Posts : 8
    Win 7 HP 64; Ubuntu 14.04 64; Win 8.1 Pro 64
    Thread Starter
       #7

    The new GPO was User Configuration -> Policies -> Windows Settings -> Printer Connections. My computer has been in the test OU all along.

    I guess I owe it to you guys to go back to the big picture! :) We want to apply these 4 GPOs, each with different Security Filters according to security group that the desired users are in. All 4 of the GPOs will eventually go in to the OUs "Staff Computers" and "Classroom Computers." The goal is to have printers available to all these computers, but they are restricted to different sets of printers (different GPOs) depending on which user logs in.

    In testing, I made a "Print Test" OU and put my computer, plus the GPO(s) being tested, in it. I've tried changing between

    User Configuration -> Policies -> Windows Settings -> Printer Connections*
    and
    Computer Configuration -> Policies -> Windows Settings -> Printer Connections*

    and changing the Security Filtering of the GPO between "Authenticated Users" (which always works), the security group(s) I am a member of, and even my user account itself.

    Hope this helps; maybe I'm not going about it the right way in the first place!

    * "Printer Connections" seems to be interchangeable with "Deployed Printers." When listing the settings of the GPO, it says Printer Connections, but when editing, the menu tree says Deployed Printers.


  8. Posts : 25,847
    Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
       #8

    Clue me in folks. What is a (OU)?


  9. Posts : 5,656
    Windows 7 Ultimate x64 SP1
       #9

    Organizational Unit for administrational purposes of an Active Directory domain.

    https://technet.microsoft.com/en-us/...(v=ws.10).aspx


 
