
Sorry for the long preamble, and thanks in advance to anyone who reads it all.

I have about 60 network printers. Some are in HQ, some are in distant locations (from 1 to 300 km away from HQ). Some locations have print servers, some do not. Locations without print servers are served by HQ's print server. Printers are assigned via GPO/user/preferences/control panel. It is impossible to deploy these via GPO, because our "chief HQ" (upper level IT dept) disallowed site admins from creating their own GPOs; we can use only a limited number of GPOs and write tons of similar GPO rules to connect printers and shares to specific groups of users.

For example, the Accounting dept has the internal number 008. Then, all members of group dept_008 must have full access to the share "docs_008" and to two printers (MFU), for example prn015 and prn027: the accounting dept occupies two large rooms (prn015 is in room #310, and prn027 is in #312) and there is one MFU per room. Naming of depts and devices is unrelated to room numbers.

I created 4 (four!) groups for ruling these printers:

  1. Group dept_008 is a member of groups use_prn015 and use_prn027, to get both printers connected to all 008's workers: should one MFU fail, they can continue to print and to scan on the MFU in the next room.
  2. Workers in room #310 will have prn015 as the default printer, and those in #312 will have prn027 as the default. So some of dept_008's workers are members of use_prn015def and some others are in use_prn027def, where "def" stands for "default printer".

Our top brass thinks that the end user is too busy to be made to learn "how to choose the default printer" - they think that it must be the IT dept's headache. So the GPO rules handle the situation: "if user is in the use_XXXdef then connect prnXXX and make it default printer, otherwise, if user is in use_XXX then connect prnXXX and do not make it default, else do not connect prnXXX at all".

And I have about 120 rules, because GPO isn't flexible enough to allow conditional default/non-default connection: I can (in one rule) connect the printer as default, or as non-default.

Thank you for reading until here. This is the end of preamble.

Now we have bought prn030 to replace the aging prn015. Prn015 is still in good condition, and it will replace the obsolete prn001 in a distant location. The name of a printer is permanent: the printer will have this name for all its useful life - 3 digits in the name allow us to create enough unique names :-) But this printer now must be controlled by another print server (i.e. ps002), which is in that distant location. And I must change GPO rules to connect ps002\prn015 instead of ps002\prn001 and of psHQ\prn015.

It is OK when one printer moves every one or two months. But sometimes it is required to move many more printers to another print server and that is a real headache - to rewrite all these rules and reassign printers on print servers.

OK, I can control every printer with every print server, disabling the printers which aren't in the same location as the print server (for example, the distant ps002 has a pre-defined shared printer prn030, but will not serve it). But rewriting rules... OMG!

I could not find any useful answer on how to rewrite these GPO rules without thousands of mouse clicks within the GP management editor: I have no idea how to script this process, for example by supplying a 2-column list to some program which will make the modifications necessary to replace all "psHQ" with "psHQ1", "psHQ\prn015" with "ps002\prn015" in ALL rules in ALL applicable GPOs etc... Is it possible to modify GPO rules without the GUI?

Moreover, my boss is dreaming about automatically choosing the PS relative to the user's login location. For example, if a user from location002 logged in (AD domain) on a locationHQ computer, he must get his "new" prn015, but he must get psHQ\prn015 instead of ps002\prn015 - someone convinced him unshakably that such a connection (local PC - local PS - distant printer) will work faster than (local PC - distant PS - distant printer). I can do this with additional complex GPO rules, but I will crash my head into a wall, should I imagine the amount of rules I must write for...

So, I have only two options:

  1. to write a miles-long login script, which will handle each and every possible configuration
  2. to create enough GPO rules for the same

I prefer GPO rules. Any suggestions for automated creation/modification of these rules?

Thank you!

Troublemaker-DV

1 Answer

For bulk edits to the UNCs of printer shares:
In GPMC, back up the GPO. In the backup directory there will be a file named "printers.xml". Use Notepad to Search/Replace "\\serverX\printer1" with "\\serverY\printer1". Back in GPMC, restore that GPO. It will read the modified XML and your changes will be made.

Printer connections based on login location:
Do you have different AD Sites to represent these locations? Policies can be linked to AD Site objects. You could augment and/or replace your OU-based printer GPOs with GPOs linked to the AD Site objects. In GPMC, right click the sites node, select Show Sites, choose some sites, right click a site, select Link an Existing GPO. Another option would be to use the "item level targeting" within the GPPref printers. ILT can leverage AD Sites (if you have them) or subnet ranges of desktops (if you don't have sites). If your rights are limited, the next level up of IT support should probably handle the site-based printer connections.

Clayton
  • Thank you, Craig. I think I will use this backup-based approach. – Troublemaker-DV May 08 '15 at 04:30
  • But the second part is impossible: upper level admins prohibited lower levels (in the organization hierarchy) like me from almost anything. I can't create/delete GPOs: I must submit an application to the higher level, and should they accept my reasons for new GPO creation, they will create it. Or they can reject my application without any explanation except for "It is unnecessary. DIXI". Of course, I can't link GPOs to places I need to. – Troublemaker-DV May 08 '15 at 04:33
  • I'm the site admin. Our "superHQ" hosts our domain-level admins. And "hyperHQ" hosts the forest admins. And every top thinks that he must put as many restrictions as possible on lower ones. My GPO rules (for printers and shares) heavily rely on "targeting". But this targeting solves only one equation: "if (some conditions set) is true, do that, otherwise do nothing", while I need something like a "case/select" function: "if user's comp in location001, connect him prnsrv01\prn001, elsif if user's comp in location002, connect psrnsrv002\prn001, else don't connect anything" – Troublemaker-DV May 08 '15 at 04:49
  • You can accomplish that kind of site mapping with GPPrefs and an IP Ranges filter on the printer connection in one of your existing GPOs. See pics I added to answer. It's customary here to mark answers as "accepted" if they've helped you. You click the check mark in the upper left of the answer. – Clayton May 08 '15 at 14:31
  • My task is not accomplished yet, so I can't mark question answered. (and I could not access this site for about 5 days) – Troublemaker-DV May 11 '15 at 22:42
  • As to the added pictures. I know what targeting is. Maybe my English is not perfect enough, but above I tried to explain: the targeting is clarification for only one decision - "to connect" or "not to connect". But it is impossible to choose from more than these 2 results. Or is it possible IN ONE GPO rule? – Troublemaker-DV May 11 '15 at 22:56
  • So, when I have to choose between "not connect", "connect via server1", "via server2", "via serverN", I must write several rules for the same printer: "not or via server1", "not or via server2" etc... Or am I wrong and it is possible via targeting? – Troublemaker-DV May 11 '15 at 22:58
  • (you may start laughing) Our domain-level admins know NOTHING about GPPref printer connections. I'm deadly serious. They prefer to send a low-rank technician to manually set up connections - directly or via remote access software. They DO NOT use this kind of automation. I let them know that it is possible to connect different printers to the same w/s depending on the user logged in. – Troublemaker-DV May 11 '15 at 23:02
  • \\srv1\prn1 and \\srv2\prn1 are different connections even though they are the same printer. You can define as many different printer connections as you like. Each connection has its own GPPrefs filter, although you will probably use a few of the same GPPrefs over and over again. Printer connections where the GPPref evaluates True will be connected; those that are not true will not be connected. – Clayton May 12 '15 at 18:09
  • OMG! That is what I am talking about! I looked for a way to not write tons of GPO rules per printer or for a painless way to copy-paste these rules without thousands of mouse clicks (especially because the GPO editor loves to clear the copy-paste buffer between edits). It seems to be impossible in any manner other than editing backups of GPOs. :-( – Troublemaker-DV May 12 '15 at 21:42
  • That's why I mentioned site-based GPOs. If your company was structured better and you could do that, then you would not need to go through the tedium of GPPrefs. Linking printer GPOs to the sites would eliminate the need to do any of that. – Clayton May 13 '15 at 13:45
  • Craig, I know that. When I ruled our local domain, we used all benefits at maximum. Now my hands are tied behind the back – Troublemaker-DV May 13 '15 at 21:53
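
The backup-edit approach from the answer, driven by the two-column list the question asks for, as an added example that is not part of the original thread. It assumes the GPO backups sit under a placeholder folder `C:\GPOBackup`, that the mapping is a CSV with the header `Old,New` (for example `\\psHQ\prn015,\\ps002\prn015` or a server-wide `\\psHQ,\\psHQ1`), and that each shared-printer entry in Printers.xml carries its UNC in the `path` attribute of `SharedPrinter/Properties`.

```powershell
# Added example, not from the original thread. Rewrites printer UNC paths in the
# Printers.xml files of a GPMC backup folder from a two-column Old,New list.
# $BackupRoot and $MapFile are assumed placeholder paths.
param(
    [string]$BackupRoot = 'C:\GPOBackup',
    [string]$MapFile    = 'C:\GPOBackup\printer-map.csv',  # header line: Old,New
    [switch]$Apply      # without -Apply the script only reports what it would change
)

# Drop incomplete rows, then put the longest Old value first so that a rule for
# \\psHQ\prn015 wins over a server-wide rule for \\psHQ.
$map = Import-Csv -LiteralPath $MapFile |
    Where-Object { $_.Old -and $_.New } |
    Sort-Object { $_.Old.Length } -Descending

Get-ChildItem -LiteralPath $BackupRoot -Recurse -Filter 'Printers.xml' | ForEach-Object {
    $file = $_.FullName
    $doc  = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true      # keep the file layout as GPMC wrote it
    $doc.Load($file)
    $dirty = $false

    foreach ($props in $doc.SelectNodes('//SharedPrinter/Properties[@path]')) {
        $old = $props.GetAttribute('path')
        foreach ($row in $map) {
            # Match the whole UNC, or a whole \\server component followed by '\'.
            # A plain text replace of \\psHQ\prn01 would also hit \\psHQ\prn015.
            $isExact  = $old -ieq $row.Old
            $isPrefix = $old.StartsWith($row.Old + '\', [StringComparison]::OrdinalIgnoreCase)
            if (-not ($isExact -or $isPrefix)) { continue }

            $new = $row.New + $old.Substring($row.Old.Length)
            [pscustomobject]@{ File = $file; Old = $old; New = $new }   # change report
            if ($Apply) { $props.SetAttribute('path', $new); $dirty = $true }
            break   # apply only the first (longest) matching rule
        }
    }

    if ($dirty) {
        Copy-Item -LiteralPath $file -Destination "$file.orig"   # rollback copy
        $doc.Save($file)
    }
}
```

Run it once without `-Apply` to review the planned changes, then with `-Apply`, and restore the GPO from the edited backup as the answer describes.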