0

I've got a GPO that is linked to the OU with all our user accounts.

I've got some printers in the GPO.
GPO > User Config > Preferences > Control Panel > Printers > (Printers)

I've enabled 'prevent deletion of printers.'
GPO > User Config > Policies > Administrative Templates > Control Panel > Printers > Prevent Deletion of Printers (Enabled)

I go to a user's computer. I update the policy with GPUPDATE /FORCE.
Printer shows up as expected. Right click printer > Remove Device. Success, printer removed.

What gives?

Thank you,

Chris

EDIT: GPRESULT from a user:

C:\Users\Marie>gpresult /v

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0 Copyright (C) Microsoft Corp. 1981-2001

Created On 5/11/2018 at 1:50:13 PM

RSOP data for SMC\mmckenzie on MARIE-PC : Logging Mode

OS Configuration: Member Workstation OS Version: 6.1.7601 Site Name: N/A Roaming Profile: N/A Local Profile: C:\Users\Marie Connected over a slow link?: No

USER SETTINGS

CN=Marie Hodges,OU=Accounts,OU=SMC,DC=i,DC=*REDACTED*,DC=com
Last time Group Policy was applied: 5/11/2018 at 1:35:16 PM
Group Policy was applied from:      SVR01.i.*REDACTED*.com
Group Policy slow link threshold:   500 kbps
Domain Name:                        SMC
Domain Type:                        Windows 2000

Applied Group Policy Objects
-----------------------------
    Mapped Drives
    Mapped Printers
    Default Domain Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
    Local Group Policy
        Filtering:  Not Applied (Empty)

The user is a part of the following security groups
---------------------------------------------------
    Domain Users
    Everyone
    BUILTIN\Administrators
    BUILTIN\Users
    NT AUTHORITY\INTERACTIVE
    CONSOLE LOGON
    NT AUTHORITY\Authenticated Users
    This Organization
    LOCAL
    PrintGroup-Administration
    Authentication authority asserted identity
    High Mandatory Level

The user has the following security privileges
----------------------------------------------


Resultant Set Of Policies for User
-----------------------------------

    Software Installations
    ----------------------
        N/A

    Logon Scripts
    -------------
        N/A

    Logoff Scripts
    --------------
        N/A

    Public Key Policies
    -------------------
        N/A

    Administrative Templates
    ------------------------
        GPO: Mapped Printers
            KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDeletePrinter
            Value:       1, 0, 0, 0
            State:       Enabled

    Folder Redirection
    ------------------
        N/A

    Internet Explorer Browser User Interface
    ----------------------------------------
        N/A

    Internet Explorer Connection
    ----------------------------
        N/A

    Internet Explorer URLs
    ----------------------
        N/A

    Internet Explorer Security
    --------------------------
        N/A

    Internet Explorer Programs
    --------------------------
        N/A

C:\Users\Marie>

Chris Culp
  • 13
  • 4
  • I can't find any scenario in my testing where this doesn't work correctly. Are you filtering the GPO? – joeqwerty May 11 '18 at 16:03
  • Leave it to me to mess something up. I'm not entirely sure what you mean by filtering. The security filtering for this GPO only has Authenticated Users in the list. – Chris Culp May 11 '18 at 16:31
  • Yes. That's what I meant. Authenticated Users is the default, and as such, should work. Run gpresult on the machine while the user is logged on and post the resultant report in your question. – joeqwerty May 11 '18 at 16:55
  • It should work from the looks of it, yeah? – Chris Culp May 12 '18 at 15:51
  • Yes, it should. I can't see any reason why it wouldn't be working. In my lab tests it works perfectly. – joeqwerty May 15 '18 at 20:07
  • If I deploy the printer with a GPO in Print Management (the way you said I shouldn't do it) the policy will apply and I wont be able to delete printers. If I Item-Level Target like you suggested, the policy wont apply. What do you think about that? – Chris Culp May 15 '18 at 20:21
  • I tried it both ways in my lab and was prevented from deleting printers. Let me give it another go later and see what I can come up with. – joeqwerty May 15 '18 at 21:20

0 Answers0