Managing Printers Using Group Policy (Part 1)
This article and the one following describe how to use Group Policy to manage printers in an Active Directory environment. Topics covered include controlling how printers are published in Active Directory, how printers can be tracked by location, how to disable Internet printing, how to prevent users from adding or deleting printers, and more.
Group Policy simplifies management of many aspects of an Active Directory-based network. One area where Group Policy is useful is managing printers. This article reviews various machine and user policies that can be used to configure shared printers in a domain environment. Afterward we’ll look at a third-party tool that gives you even more options for using Group Policy to manage printers.
Machine Policies for Printers
Figure 1 shows the Group Policy Object Editor of Windows Server 2003 with the policies found under Computer Configuration\Administrative Templates\Printers displayed in the right-hand pane:
Figure 1: Machine policies for managing printers. These policies apply to the domain, OU or site in which the target machines (domain controllers, print servers, or desktops depending on the policy) reside
The machine policies that govern printing fall mainly under the following headings: publishing, pruning, searching, and some miscellaneous machine policies relating to Internet printing, drivers, and other settings. Let’s look at each of these policy settings briefly.
Note:
Similar to other Group Policy settings, printer policies can be applied at the domain, site, or organizational unit level. For example, to manage printers in an OU (i.e. whose print servers have their computer accounts residing in the OU), create a new Group Policy Object and link it to the OU, then configure the policies described below.
Note:
All screenshots in this article were done on Windows XP and Windows Server 2003. Note that a few printer policies are named differently on Windows 2000.
Publishing
There are three policies that control how printers are published in Active Directory. Publishing a printer means creating an object in Active Directory that is a representation of the printer. If printers are published in Active Directory, users can search for a particular printer based on its name, location, and other properties. This makes it easier for users to find the appropriate printer for a specific job, e.g. printing a batch job at night on a heavy duty laser printer, using a color printer, using the closest printer to their location, and so on.
Allow printers to be published
This policy determines whether printers can be published or not in Active Directory. By default, printers can be published, so there’s usually no need to explicitly enable this setting unless it was disabled previously. If you disable this setting however, printers cannot be published, and when you try and share a printer using the Sharing tab, the “List in the directory” option will be unavailable (Figure 2).
Figure 2: If the Allow printers to be published policy is disabled, then the “List in the directory” checkbox shown here is not displayed
Automatically publish new printers in Active Directory
This policy only applies if the “Allow printers to be published” policy is either enabled or not configured. If this is the case, then this policy causes new printers to be automatically published in Active Directory when you create and share them. If you would rather decide yourself which printers will be published and which ones will not, you can set this policy to Disabled and then publish your printers manually by selecting the “List in the directory” checkbox shown in Figure 2 above.
Note:
To manually publish downlevel (pre-Windows 2000) or non-Windows (e.g. Linux/UNIX) shared printers, right-click on a domain or OU and select New --> Printer using the Active Directory Users and Computers console.
If you’re experiencing intermittent problems with printers published in Active Directory, you can try enabling the Check published state policy setting to verify whether published printers are still present in Active Directory. If this setting is not configured, then the domain controller this policy applies to will check published printers each time it boots up. However, you can enable the policy and configure it to check more often if needed. Configuring this policy setting to Never is the same as disabling it completely.
Pruning
Pruning is a process by which printers that are published but which are no longer available on the network are removed from the directory to prevent users from trying to print to non-existent printers. Pruning can be useful in an environment where printers are frequently being added, removed, or moved around, or where print servers occasionally go down or printers get turned off when not in use. The policies described below apply only to domain controllers in the domain, site or OU to which your GPO applies.
Allow pruning of published printers
If this policy is enabled or not configured, printers are automatically pruned (unpublished) when the computer that published them (the print server) can’t be contacted by the domain controller. This is helpful because it means users don’t waste time trying to locate and print to printers that are unavailable on the network. Then, when the printer becomes available again on the network, the print server automatically republishes the printer in Active Directory and it shows up again when users are searching for printers in their location.
By default, domain controllers try and prune printers every 8 hours. If a printer can’t be contacted for some reason, the domain controller tries twice more before pruning the printer from the directory. If these default settings aren’t suitable for your business environment, you can tune them further using the following two policies:
- Directory pruning interval
- Directory pruning retry
In addition, if your domain controller is heavily used then you may need to elevate the priority of the pruning thread to ensure the pruning function operates optimally. This can be done by configuring the Directory pruning priority policy setting.
If you are experiencing problems with the pruning process, you can enable the Log directory pruning retry events policy setting to help you troubleshoot things. Doing so will cause each pruning attempt to be logged as an event in the Event log. Disabling this setting or leaving it not configured will cause only successful pruning operations to be logged. Note however that this particular policy only applies to Windows XP and Windows Server 2003, and not to Windows 2000 machines.
Pruning downlevel (pre-Windows 2000) and non-Windows (e.g. Linux/UNIX) shared printers is handled by another policy named Prune printers that are not automatically republished. If this policy is enabled or not configured, non-Windows and downlevel (NT and earlier) printers that have been manually published in Active Directory are never pruned. This setting can be modified to prune such printers when they become unavailable, but doing so means you’ll have to manually republish them when they become available again, so it’s generally best to leave this policy alone and manually prune these printers from the directory when they are permanently removed from the network (you can do this by deleting the Printer object you previously created for them using Active Directory Users and Computers).
Searching
When you create a new printer and share it using the Add Printer Wizard you can specify a location and describe the use or properties of the printer (Figure 3):
Figure 3: Specifying a location for a printer
This location information is stored in Active Directory as an attribute of the Printer object associated with the printer (assuming the printer is being published in Active Directory). Users can then search for a printer based on text in the Location field (Figure 4):
Figure 4: Searching for a printer by location.
For searches like this to be successful however, the user needs to be able to specify the location properly. For example, if the user typed “third” instead of “3rd” then the search above would fail.
To simplify searches for nearby printers, you can implement location tracking, a feature of Windows 2000 and later. Then you can configure how location tracking is used so that users can more easily locate printers that are near to them on the network. The two policies that are used to configure location tracking are the Pre-populate printer search location text and Computer location policy settings. Using these policy settings causes a Browse button to appear beside the Location field in the Find Printers dialog box (compare previous figure with Figure 5 below):
Figure 5: Location tracking adds a Browse button beside the Location field in the Find Printers dialog.
Setting up location tracking in your Active Directory environment requires that you have Subnet objects created for each physical subnet on your network and location attributes defined for Site and Subnet objects. To learn how to set up location tracking, search for the topic “Enabling printer location tracking” using Windows 2000/2003 Help and Support. Once location tracking is set up on your network, users can find nearby printers so they won’t have to walk long distances (or perhaps book a flight) to pick up their print jobs from remote locations.
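The following is an added example, not part of the original article and not Windows' own code: a simplified Python model of how location tracking ties a client's subnet to a printer search. The slash-separated location naming, the subnets, the printer names, and the widening step (which stands in for a user browsing up the hierarchy) are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: Subnet objects (CIDR -> Location attribute) and
# published printers (name -> Location attribute). All values are made up.
SUBNETS = {
    "10.1.0.0/16": "USA/Redmond",
    "10.1.3.0/24": "USA/Redmond/Bldg1/Floor3",
    "10.2.0.0/16": "USA/Seattle",
    "10.2.5.0/24": "USA/Seattle/Bldg9",   # location with no printer of its own
}
PRINTERS = {
    "RED-LASER-3": "USA/Redmond/Bldg1/Floor3",
    "RED-COLOR-1": "USA/Redmond/Bldg1/Floor1",
    "SEA-LASER-1": "USA/Seattle/Bldg2",
}

def location_for(ip, subnets=SUBNETS):
    """Return the location of the most specific subnet containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, loc in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, loc)
    return best[1] if best else None

def printers_at(location, printers=PRINTERS):
    """Printers whose location equals `location` or sits beneath it."""
    want = location.split("/")
    return sorted(name for name, loc in printers.items()
                  if loc.split("/")[:len(want)] == want)

def nearby_printers(ip):
    """Search the client's own location, widening one level at a time."""
    loc = location_for(ip)
    while loc:
        found = printers_at(loc)
        if found:
            return loc, found
        loc = loc.rpartition("/")[0]   # drop the last segment and retry
    return None, []
```

Because matching is done segment by segment against a fixed naming scheme, a client on an unlisted subnet gets no pre-populated location, and a location typed with different spelling (for example `Floor 3` instead of `Floor3`) matches nothing, which is the same failure the free-text search shows for “third” versus “3rd”.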
The second article in this series, entitled Managing Printers Using Group Policy: Part 2, will continue by examining additional machine policies for managing printers, user policies, and a third-party tool that extends Group Policy’s capabilities for managing printers.