Printer Group Policy Query
Lee H
Member Posts: 1,135
Hi
Bit of a weird one so please bear with me....
Is there a way to block a Printer GP from an OU if it's coming from above it?
Example - Building 1 has group policy 4 printers given to all rooms in building. All rooms in building 1 get all 4 printers. Sub OU of building 1 is called Room 1 which has its own printer and its own Printer GP assigning said printer. Is there a way to block the GP giving 4 printers to Room 1 so it just gets that 1 printer instead of 5?
If I choose block inheritance it removes all GPs coming from the root of the domain, whereas I only want to block specific Printer GPs.
Hopefully that makes sense,
Your help is much appreciated.
Cheers
Lee
Comments
-
jahaziel
Member Posts: 175
If you have all people in that building in a certain group, you can deny them read rights to the GPO. I believe that should work.
-
Lee H
Member Posts: 1,135
There could be an endless amount of users, even new users. Would I need to group them all and then give that group deny read on the Printer GP?
That sounds like more work than denying an OU read rights to the Printer GP it is inheriting.
-
Lee H
Member Posts: 1,135
Or does this still come under a Computer GP? Could I deny all users who are logging into these PCs read on the Printer OU?
Not sure how granular AD is where GPs are concerned.
An obvious answer would be to remove the OU from being a sub OU and have it as an OU all by itself with only 1 GP being applied.....but as it stands, we have a root OU for the dept/building with sub departments inside, so it would be better structured if it remained this way.
-
jahaziel
Member Posts: 175
I believe that's the only way since you can only block inheritance for the OU.
-
NetworkNewb
Member Posts: 3,298
Would adding a GP to the Room 1 computers OU that removes all the printers and just adds the one printer for Room 1 work?
-
bohack
Member Posts: 114
Denying a GPO via a group of users does not work (i.e. deny of application of GPO)... In theory it should, however it does not. You are looking to do Location Aware Printing/Printer Location Tracking; it requires a different subnet for each floor of the building. Although it won't stop a user from adding the printer manually, it will only allow the user to see the printers on their floor. I have a video on a lab I did... it's the last scenario I think. https://youtu.be/56OowN5tJww
Hope that helps...
______________________________________________________________
NetworkedMinds - http://www.youtube.com/networkedminds
MCSA / MCSE Educational Channel
-
pjd007
Member Posts: 277
I think you need to block inheritance on the Room 1 OU then enforce whichever policies from above that you want to apply to those machines.
Or you could create a specific GPO for the Room 1 computers to add the only required printer and apply loopback processing, which should prevent the other GPOs from adding their printers.
-
bohack
Member Posts: 114
I think I have another fix for you! GPO Preferences or a WMI filter if the computers are named properly, like wrk-1-1, wrk-2-1, wrk-3-1 (name-floor-node)... four floors, one GPO, four preferences with targeting and a WMI filter:
SELECT * FROM Win32_ComputerSystem WHERE Name LIKE 'wrk-1%' for floor one
SELECT * FROM Win32_ComputerSystem WHERE Name LIKE 'wrk-2%' for floor two
SELECT * FROM Win32_ComputerSystem WHERE Name LIKE 'wrk-3%' for floor three
The comment I made above was that denying a group of computers does not work.... I had a similar situation at work; I believe computers are part of authenticated users and we had to go the route of a WMI filter.
-
Lee H
Member Posts: 1,135
Thanks for your help guys, much appreciated.
I was really hoping that you could be selective on blocking certain GPs from inheritance but that feature must not be there. The current config of receiving 5 printers will have to stay like it is, not very tidy but I tried my best.
Wouldn't be the first time I've wanted something from MS that was not there....
Last time I was trying to set a time on sending emails. The option is there to delay until such a time and this can only be set on an individual email basis; what I wanted was to set my Outlook so that it never sent an email outside of 9 AM till 5 PM, keeping them in my outbox until 9 AM. That feature too is not there.
-
Lee H
Member Posts: 1,135
We have almost 20 GPOs that are being applied to each PC.
I would need to block inheritance, then reapply all GPOs apart from the printer one.
Surely MS wouldn't want us doing that much work!!
-
cruwl
Member Posts: 341
You've been given several options:
1- Restructure your OUs
2- GPO loopback processing - https://support.microsoft.com/en-us/kb/231287
3- Deny read to the GPO
4- WMI targeting or exemption depending on how you want to do it.
5- Block inheritance on the computers OU, force inheritance on the other GPOs you want to keep.
You're going to have to do a bit of researching and testing to see which one does exactly what you want. But MS has put all these options in there, you're just ignoring all the suggestions.
Fastest is probably to move your OU to a different level.
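
Option 5 above, scripted with the GroupPolicy PowerShell module so the roughly 20 inherited GPOs do not have to be re-linked by hand. This is an added example, not code from any poster in the thread; the OU distinguished name, the GPO name and the CSV path are placeholders, and it assumes new links land below the OU's existing direct links (check the result with Get-GPInheritance).

```powershell
# Added example: $RoomOU and $PrinterGpo are placeholders, not values from the thread.
Import-Module GroupPolicy

$RoomOU     = 'OU=Room 1,OU=Building 1,DC=example,DC=com'
$PrinterGpo = 'Building 1 Printers'
$DryRun     = $true   # set to $false only after reviewing the -WhatIf output

$inh       = Get-GPInheritance -Target $RoomOU
$directIds = @($inh.GpoLinks | ForEach-Object { $_.GpoId })

# GPOs the OU receives only because of links higher in the tree.
$fromAbove = @($inh.InheritedGpoLinks |
    Where-Object { $directIds -notcontains $_.GpoId })

# An enforced link ignores Block Inheritance, so blocking cannot remove it.
$printer = @($fromAbove | Where-Object { $_.DisplayName -eq $PrinterGpo })
if ($printer.Count -eq 0) {
    throw "'$PrinterGpo' is not inherited by $RoomOU"
}
if (@($printer | Where-Object { $_.Enforced }).Count -gt 0) {
    throw "'$PrinterGpo' is enforced above; Block Inheritance will not stop it"
}

# Record the original state for change review and rollback.
$fromAbove |
    Select-Object Order, DisplayName, GpoId, Enabled, Enforced, Target |
    Export-Csv -Path .\room1-inherited-before.csv -NoTypeInformation

# Re-link first and block second, so the OU never runs without its other GPOs.
$seen = @{}
foreach ($link in $fromAbove) {
    if ($link.DisplayName -eq $PrinterGpo) { continue }  # the one GPO to drop
    if ($link.Enforced) { continue }                     # still applies after the block
    if ($seen.ContainsKey($link.GpoId)) { continue }     # linked at more than one level
    $seen[$link.GpoId] = $true

    $enabled = if ($link.Enabled) { 'Yes' } else { 'No' }
    New-GPLink -Guid $link.GpoId -Target $RoomOU -LinkEnabled $enabled -WhatIf:$DryRun
}

Set-GPInheritance -Target $RoomOU -IsBlocked Yes -WhatIf:$DryRun

# Compare against the CSV: only the printer GPO should be missing.
Get-GPInheritance -Target $RoomOU |
    Select-Object -ExpandProperty InheritedGpoLinks |
    Format-Table Order, DisplayName, Enforced, Target
```

Once inheritance is blocked, any GPO linked higher up later on (a new security baseline, for instance) reaches this OU only if its link is enforced or it is linked to the OU directly.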