Printer Group Policy Query

Hi

Bit of a weird one so please bear with me....

Is there a way to block a Printer GP from an OU if its coming from above it.

Example - Building 1 has group policy 4 printers given to all rooms in building. All rooms in building 1 get all 4 printers. Sub OU of building 1 is called Room 1 which has its own printer and its own Printer GP assigning said printer. Is there a way to block the GP giving 4 printers to Room 1 so it just gets that 1 printer instead of 5.

If I choose block inheritance it removes all GP's coming from the root of the domain, whereas I only want to block specific Printer GP's

Hopefully that makes sense,

Your help is much appreciated.

Cheers

Lee

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

jahaziel

If you have all people in that building a certain group, you can deny them read rights to the gpo. I believe that should work.

Lee H

There could be an endless amount of users, even new users, would i need to group them all and then give that group deny read on the Printer GP

That sound more work, than denying an OU read right to the Printer GP it is inheriting

Lee H

Or does this still come under a Computer GP, could I deny all Users who are logging into these PC's deny read to the Printer OU

Not sure how granular AD is were GPs are concerned,

An obvious answer would be remove the OU from being a sub OU and have it an OU all by itself with only 1 GP being applied.....but as it stands, we have a root OU for the dept/building with sub departments inside so it would be better structured if it remained this way

jahaziel

I believe that's the only way since you can only block inheritance for the OU.

NetworkNewb

Would adding a GP to the Room 1 computers OU that removes all the printers and just adds the one printer for Room 1 work?

bohack

Denying a GPO via a group of users does not work (i.e. deny of application of GPO)... In theory it should however it does not. You are looking to do Location Aware Printing/Printer Location Tracking, it requires a different subnet per each floor of the building. Although it won't deny a user from adding the printer manually it will only allow the user to see the printers on their floor. I have a video on a lab I did... it's the last scenario I think. https://youtu.be/56OowN5tJww

Hope that helps...

pjd007

I think you need to block inheritance on the roomn 1 OU then enforce whichever policies from above that you want to apply to those machines.

Or you could create a specific GPO for the room 1 computers to add the only required printer and apply loopback processing which should prevent the other GPO's from adding there printers.

bohack

I think I have a another fix for you! GPO Preferences or a WMI filter if the computers are names properly.. Like wrk-1-1, wrk-2-1, wrk-3-1 (name-floor-node)... four floors, one GPO, four preferences with targeting and a WMI filter:

SELECT * FROM Win32_ComputerSystem WHERE Name LIKE 'wrk-1%' for floor one
SELECT * FROM Win32_ComputerSystem WHERE Name LIKE 'wrk-2%' for floor two
SELECT * FROM Win32_ComputerSystem WHERE Name LIKE 'wrk-3%' for floor three

The comment I made above was denying a group of computers does not work.... I had a similar situation at work, I believe computers are part of authenticated users and we had to go the route of a WMI filter.

Lee H

Thanks for your help guys, much appreciated

I was really hoping that you could be selective on blocking certain GP's from inheritance but that feature must not be there. The current config of receiving 5 printers will have to stay like it is, not very tidy but tried my best.

Wouldn't be the first time ive wanted something from MS that was not there....

Last time I was trying to set a time on sending emails, the option is there to Delay until such a time and this can only be set on an individual email basis, what i wanted was to set my outlook so that it never sent an email outside of 9 AM till 5 PM, keeping them in my outbox until 9 AM. That feature too is not there.

pjd007

Lee H wrote: »

Thanks for your help guys, much appreciated

I was really hoping that you could be selective on blocking certain GP's from inheritance but that feature must not be there. The current config of receiving 5 printers will have to stay like it is, not very tidy but tried my best.

Wouldn't be the first time ive wanted something from MS that was not there....

Last time I was trying to set a time on sending emails, the option is there to Delay until such a time and this can only be set on an individual email basis, what i wanted was to set my outlook so that it never sent an email outside of 9 AM till 5 PM, keeping them in my outbox until 9 AM. That feature too is not there.

The option is there, block inheritance will work but it requires more administrative effort to manage and it sounds like you're not willing to do that.

Lee H

We have almost 20 GPO's that are being applied to each PC

I would need to block inheritance, then reapply all GPO's apart from the printer one

Surely MS wouldn't want us doing that much work!!

cruwl

You've been given several options

1- Restructure your OUs
2- GPO loopback processing - https://support.microsoft.com/en-us/kb/231287
3- Deny read to the GPO
4- WMI targeting or exemption depending on the how you want to do it.
5- Block inheritance on the computers OU, Force inheritance on the other GPOs you want to keep.

Your going to have to do a bit of researching and testing to see which one does exactly which on you want. But MS has put all these options in there, you're just ignoring all the suggestions.

Fastest is probably move your OU to a different level.