Printer mapping: GPO and Script

When setting up an Active Directory, one of the things you want to set up automatically is the mapping of printers to users.

Prerequisite:

  • Have a server with the Print Service role (optional). It is possible to share a printer from the control panel.
  • Have one or more shared printers.

As for the mapping of network drives, I will present two ways to do it, the first using Group Policy (GPO) and using a vbs script which must run at logon. .

Map a printer by GPO

Open the Group Policy Editor on a domain controller.

mappage imprimante : ouvrir le gestionnaire de stratégie

Create a new strategy, right-click on the domain name 1 or on an organizational unit and click on Create a GPO in this domain, and link here 2.

Mappage imprimante : nouvelle stratégie

Name the strategy 1 and click OK 2.

Nom de la stratégie

Modify the strategy, select the 1, right click on it and click on Modify … 2.

Edition de la stratégie

Go to User Configuration> Preferences> Windows Settings> Printers 1 and right click New 2> Shared printer 3.

Stratégie imprimantes au niveau utilisateur

Enter the share path 1 in the form \ SERVEUR \ NOM_DU_PARTAGE_DE_L_IMPRIMANTE. Go to the Common tab 2.

Chemin du partage

Optional: check the Execute in the security context of the logged in user A>> check box. Press the Apply button 1 then OK 2.

Contexte utilisateur

Printer 1 is added to the policy.

Imprimantes liste

Return to the strategy console, select the strategy 1, go to the Parameters 2 tab, the details should be visible 3.

Résumé des parametres

Limit printer mapping to a group

In this part we will see how to limit the mapping of a printer to a user group using Element Level Targeting.

This restriction does not change the printing rights, it will still be possible to mount the printer using Windows Explorer.

In the Active Directory Users and Computers console, add a group if you have not already done so. Give an explicit name to the group 1 and click OK 2. Then add the users in it.

Groupe utilisateur pour le ciblage

Return to the strategy of your printer 1 at the declaration level, right click on it and go to Properties 2.

Modification de l'imprimante

Go to the Common tab, check the Targeting box at the 1 element and press the Targeting … 2 button.

Activation du ciblage

Click on New element 1 then Security group 2.

Selection de l'élément groupe de securité

Click on the … 1 button.

Parcours de l'active directory

Enter the name of the group 1, click on Check names 2 to confirm the entry, then click OK 3.

Selection du groupe

Check that the 1 group has been taken into account and click OK 2.

Vérification de la prise en compte

Click on Apply 1 and on OK 2.

Validation des paramètres

Return to the Group Policy console, select the GPO 1, go to the Parameters tab 2 and check that the targeting parameters are present 3.

Aperçu des paramètres

If the parameters are not up to date, right click in the zone and refresh.

Printer mapping by script

Create a new text file with vbs.

Edit the file (Notepad ++, notepad…) and add the codes below:

Add the script to the logon to map the printer.

Limit printer mapping to an Active Directory group

As for the GPO, we will now modify the script to limit the mapping of the printer to the Grp_IMP_Copieur_Etage group.

Edit the file with the following code:

As we can see, two functions have been added at the end of the code, which allow the verification of the group membership of the connected user. The printer mapping is now subject to condition (if).

Troubleshooting

If the printers do not reassemble correctly this can be due to several reasons.

The main one is related to a security risk, you must deactivate the Pointer Restrictions parameter and print or configure the authorized server (s) for printing and installing the drivers.

If there are 32-bit stations, you must also install the drivers in this version.

As part of an RDS server, non-administrators are not authorized to install drivers.

Deactivate Point and Print Restriction

The parameter is found in Computer configuration and User configuration, depending on the application context, it must be deactivated in one or more places.

If you checked the “Execute in the security context of the logged on user” box, the GPO is applied in the user context. Logon scripts are also run in the user context.

  • Computer context: Computer Configuration> Policy> Administrative Templates> Printer> Point and Print Restriction.
  • User Context: User Configuration> Policy> Administrative Templates> Control Panel> Printers> Printer> Point and Print Restriction.

1. Créer une nouvelle GPO.

Go to the computer or user configuration at the Restriction parameter level Point and print and double click on it.

Check Disable 1, then Apply 2 and click OK 3.

Désactions Restriction Pointer et imprimer

Go to the GPO Settings tab.

Résumé Restriction Pointer et imprimer

Allow non-administrators to install drivers

Create a new GPO.

Go to the Devices setting to prevent users from installing printer drivers 1 found in: Computer configuration> Policies> Windows settings> Local policies> Security option.

Accès au paramètre

Check Define this policy setting 1, select Deactivate 2 then apply 3 and click OK 4.

Paramètre

Go to the GPO Settings tab.

Aperçu de la GPO



Leave a Comment