Printer Group Policy Query
Lee H
Member Posts: 1,135
Hi
Bit of a weird one so please bear with me....
Is there a way to block a Printer GP from an OU if its coming from above it.
Example - Building 1 has group policy 4 printers given to all rooms in building. All rooms in building 1 get all 4 printers. Sub OU of building 1 is called Room 1 which has its own printer and its own Printer GP assigning said printer. Is there a way to block the GP giving 4 printers to Room 1 so it just gets that 1 printer instead of 5.
If I choose block inheritance it removes all GP's coming from the root of the domain, whereas I only want to block specific Printer GP's
Hopefully that makes sense,
Your help is much appreciated.
Cheers
Lee
Bit of a weird one so please bear with me....
Is there a way to block a Printer GP from an OU if its coming from above it.
Example - Building 1 has group policy 4 printers given to all rooms in building. All rooms in building 1 get all 4 printers. Sub OU of building 1 is called Room 1 which has its own printer and its own Printer GP assigning said printer. Is there a way to block the GP giving 4 printers to Room 1 so it just gets that 1 printer instead of 5.
If I choose block inheritance it removes all GP's coming from the root of the domain, whereas I only want to block specific Printer GP's
Hopefully that makes sense,
Your help is much appreciated.
Cheers
Lee
.
Comments
That sound more work, than denying an OU read right to the Printer GP it is inheriting
Not sure how granular AD is were GPs are concerned,
An obvious answer would be remove the OU from being a sub OU and have it an OU all by itself with only 1 GP being applied.....but as it stands, we have a root OU for the dept/building with sub departments inside so it would be better structured if it remained this way
Hope that helps...
NetworkedMinds - http://www.youtube.com/networkedminds
MCSA / MCSE Educational Channel
Or you could create a specific GPO for the room 1 computers to add the only required printer and apply loopback processing which should prevent the other GPO's from adding there printers.
SELECT * FROM Win32_ComputerSystem WHERE Name LIKE 'wrk-1%' for floor one
SELECT * FROM Win32_ComputerSystem WHERE Name LIKE 'wrk-2%' for floor two
SELECT * FROM Win32_ComputerSystem WHERE Name LIKE 'wrk-3%' for floor three
The comment I made above was denying a group of computers does not work.... I had a similar situation at work, I believe computers are part of authenticated users and we had to go the route of a WMI filter.
NetworkedMinds - http://www.youtube.com/networkedminds
MCSA / MCSE Educational Channel
I was really hoping that you could be selective on blocking certain GP's from inheritance but that feature must not be there. The current config of receiving 5 printers will have to stay like it is, not very tidy but tried my best.
Wouldn't be the first time ive wanted something from MS that was not there....
Last time I was trying to set a time on sending emails, the option is there to Delay until such a time and this can only be set on an individual email basis, what i wanted was to set my outlook so that it never sent an email outside of 9 AM till 5 PM, keeping them in my outbox until 9 AM. That feature too is not there.
I would need to block inheritance, then reapply all GPO's apart from the printer one
Surely MS wouldn't want us doing that much work!!
1- Restructure your OUs
2- GPO loopback processing - https://support.microsoft.com/en-us/kb/231287
3- Deny read to the GPO
4- WMI targeting or exemption depending on the how you want to do it.
5- Block inheritance on the computers OU, Force inheritance on the other GPOs you want to keep.
Your going to have to do a bit of researching and testing to see which one does exactly which on you want. But MS has put all these options in there, you're just ignoring all the suggestions.
Fastest is probably move your OU to a different level.