Security Filtering for GPO

EricG1793

Greetings!

I'm trying to introduce deployed printers that are deployed only to specific groups of people. We currently deploy about 50 printers per-machine and it's really causing lag when people go to print, and it's frustrating to dig through the list to find the right one.

We have existing security groups, and these are the steps I've taken:

1. Create 4 new GPOs. 1 for classrooms, 1 for faculty, 1 for staff, 1 for administration. Right now I'm testing with the staff.

2. Edit the GPO, add all desired printers to Computer Configuration -> Policies -> Windows Settings -> Deployed Printers

3. Set Security Filtering of the scope of the GPO to the Staff security group (which FYI consists entirely of departmental security groups, no users)

4. Create a new OU called Print Test, put my machine and the new GPO in it

After gpupdate, no printers arrive.

I've found out that if I leave Authenticated Users in the Security Filtering, I get the printers. However, as soon as I remove Authenticated Users and add the Staff group and gpupdate, the printers go away. Same thing if I add my user account instead of the group.

I've verified that, when the Staff group is the only group in the Security Filtering, in the Advanced Delegation, it does have permission to Read and Apply Policy, just like Authenticated Users does when it's there.

I'm stumped! Any ideas would be appreciated. :)
 

My Computer

Computer type
Laptop
Computer Manufacturer/Model Number
Lenovo ThinkPad T430s
OS
Win 7 HP 64; Ubuntu 14.04 64; Win 8.1 Pro 64
CPU
Core i5-3320M 2.6 GHz
Memory
8 GB
Graphics Card(s)
Integrated
Sound Card
Realtek
Monitor(s) Displays
14" ThinkPad Display
Screen Resolution
1600 x 900
Hard Drives
Win7 + Ubuntu: Crucial M550 128 GB mSATA SSD
Win8.1 + data: Seagate Momentus 320 GB HDD
Internet Speed
50mbps
Antivirus
AVG Free
Browser
Firefox
I know I can't help you on such matters but those that can would surely like to know what operating system/s you are using.

Knowing what environment might also be useful,
50 printers per-machine is a lot. It kind of leaves out home user and small business.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Home made Desktop
OS
Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
CPU
Intel i7-6800K @ 4.3
Motherboard
ASUS X-99 Deluxe II
Memory
Corsair Platinum 16 gig @2400
Graphics Card(s)
EVGA GTX 1070 OC
Monitor(s) Displays
Asus 27" LED LCD/VE278Q
Screen Resolution
1920-1080 or 1280-720 HDMI
Hard Drives
INTEL SSD 730-240 Gb Sata 3.0/
PSU
EVGA Platium 1200W
Case
Phanteks Luxe Tempered Glass 8 fans/ one radiator
Cooling
XSPC/ Water Cooled CPU
Keyboard
Das 4 Professional
Mouse
Logitech M705/MX Anywhere 2-S
Internet Speed
100 mbits
Antivirus
Microsoft Security Essentials/ Malwarebytes Premium 3.0/ SAS
Browser
I.E. 11 default/Firefox/ ISP Time Warner Cable/Spectrum
Other Info
LG BluRay Burner/
Sound system-KLipsch-THX/
Icy Dock ssd Hot Swap bays.
Thanks for the pointers! Didn't think to post an OS since this is a Win7 forum. Our machines are Win 7 Pro, domain controller is Server 2012. We are a school with around 1200 users.
 

I am supposed to know this, but it has been a long time since I actually used it, so bear with me:
- you are configuring computer conf but the filtering is users.
- authenticated users as far as I know does include computers
- when you remove authenticated users there is no computers left in the filter to read the GPO
- so try adding the machine to the security filtering instead of users

See Computer Accounts in the Authenticated Users Group | Security content from Windows IT Pro
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom Build
OS
Windows 7 Ultimate x64 SP1
CPU
AMD Phenom 2 1090T
Motherboard
Gigabyte GA-890FXA-UD5
Memory
2x8GB Kingston HyperX Fury Black 1600Mhz Unganged
Graphics Card(s)
MSI GTX 970 Gaming 4G
Sound Card
Realtek On-Board HD 7.1 Audio / Logitech G35
Monitor(s) Displays
3xAcer GD245HQ
Screen Resolution
1920x1080
Hard Drives
Samsung 850 Pro 512GB SSD - OS /
WD Caviar Black SATA 3 - 1 TBx2 - Dynamic RAID 0 /
WD Caviar Green SATA 2 - 640GBx2 - Dynamic RAID 0 /
WD Caviar Green SATA 2 - 640GB - Internal Backup /
Seagate Barracude SATA 3 - 3TB - External Backup/ Sync
PSU
HighPower 1000W
Case
Cooler Master HAF 932
Cooling
Noctua NH-D14
Keyboard
Logitech G19
Mouse
Logitech G500
Internet Speed
100/4 Mbit Cable (100GB quota)
Antivirus
ZoneAlarm Extreme Security / MBAM Pro / MBAE Free / SAS Free
Browser
IE 11 - Firefox - Chrome
Other Info
Logitech F710/ G27/ G940/ Z5500 // TrackIR 5 // Nvidia 3D Surround Vision
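
One way to check the point raised in the reply above, that the computer account must be covered by the GPO's Security Filtering. This is an added example, not part of any poster's message; the GPO name and group name are hypothetical placeholders, and it assumes the GroupPolicy and ActiveDirectory modules are available.

```powershell
# Added example: report whether a given computer is covered by a GPO's
# Security Filtering, and preview the change that would cover it.
Import-Module GroupPolicy, ActiveDirectory

$GpoName       = 'Staff Printers'        # hypothetical: GPO being tested
$ComputerGroup = 'Print Test Computers'  # hypothetical: group holding the test machines
$TestComputer  = $env:COMPUTERNAME       # machine expected to receive the printers

$computerSid  = (Get-ADComputer -Identity $TestComputer).SID.Value
$authUsersSid = 'S-1-5-11'               # well-known SID of Authenticated Users

# Security Filtering in GPMC lists the trustees that hold Read + Apply (GpoApply).
$applyTo = Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' }

$report = foreach ($entry in $applyTo) {
    $sid = $entry.Trustee.Sid.Value
    if ($sid -eq $authUsersSid -or $sid -eq $computerSid) {
        $covers = $true                  # Authenticated Users includes computer accounts
    } else {
        # Expand the trustee as a group (nested groups included); a user account
        # is not a group, so the lookup fails and it covers no computer.
        try {
            $members = Get-ADGroupMember -Identity $sid -Recursive -ErrorAction Stop |
                ForEach-Object { $_.SID.Value }
        } catch { $members = @() }
        $covers = $members -contains $computerSid
    }
    [pscustomobject]@{
        Trustee        = $entry.Trustee.Name
        Type           = $entry.Trustee.SidType
        CoversComputer = $covers
    }
}
$report | Format-Table -AutoSize

if (-not ($report | Where-Object { $_.CoversComputer })) {
    # Computer Configuration is processed as the computer account, so that account
    # needs Read + Apply. -WhatIf only previews the change; remove it to apply.
    Set-GPPermission -Name $GpoName -TargetName $ComputerGroup -TargetType Group `
        -PermissionLevel GpoApply -WhatIf
}
```

A computer picks up new group membership only after a restart, so reboot the test machine before running `gpupdate /force`, then confirm from an elevated prompt with `gpresult /r /scope computer`.
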
Thanks for the suggestion! I originally tried per-user but switched to per-machine in troubleshooting.

I just went ahead and made a new GPO, printers deployed per-user. Again, if the Security Filtering is Staff, I see no printers; but when I switched to Authenticated Users, it works.

It seems like it must be something with that security group or my own account, but I'm not sure what to look for. The hierarchy is Staff OU -> Staff group -> Technology group -> Me. I also tried doing Domain Admins, which I'm also a member of. Still no dice.

Still, it won't work even if I put my account directly in the Security Filtering! :-\

Could it have something to do with which group(s) are my primary group(s)? We already ran across the issue with Azure AD sync and distribution groups where we have to set Domain Users as the primary group in order for people to be included in messages sent to the mail-enabled security groups.
 
I just went ahead and made a new GPO, printers deployed per-user.
Which setting is this? If it is a computer configuration it won't work with users, you have to assign to specific computers. Computer configuration is loaded before even any user logs on and is not controlled on a user basis. As far as I know, that's why there are 2 types of configurations in GPO.

So instead of trying to apply the GPO to users, add your computer account to your test group.
 

The new GPO was User Configuration -> Policies -> Windows Settings -> Printer Connections. My computer has been in the test OU all along.

I guess I owe it to you guys to go back to the big picture! :) We want to apply these 4 GPOs, each with different Security Filters according to security group that the desired users are in. All 4 of the GPOs will eventually go in to the OUs "Staff Computers" and "Classroom Computers." The goal is to have printers available to all these computers, but they are restricted to different sets of printers (different GPOs) depending on which user logs in.

In testing, I made a "Print Test" OU and put my computer, plus the GPO(s) being tested, in it. I've tried changing between

User Configuration -> Policies -> Windows Settings -> Printer Connections*
and
Computer Configuration -> Policies -> Windows Settings -> Printer Connections*

and changing the Security Filtering of the GPO between "Authenticated Users" (which always works), the security group(s) I am a member of, and even my user account itself.

Hope this helps; maybe I'm not going about it the right way in the first place!

* "Printer Connections" seems to be interchangeable with "Deployed Printers." When listing the settings of the GPO, it says Printer Connections, but when editing, the menu tree says Deployed Printers.
 

Clue me in, folks. What is an (OU)?
 
