Best Practice for Printer Deployment

Christopher Perez 1 Reputation point
2022-09-23T18:51:01.883+00:00

Hello

I have read a lot of different articles on the matter but I wanted to approach it from scratch.

I have an existing Print Server and the previous administrator developed/deployed some of the printers via GPO. My organization is small (around 200 computers, and 50 printers). My administrator knowledge is beginner/entry and I do not have other technical experts in my department. In Print Mgmt, I created a couple GPOs and ran into a couple of problems. In the end, I removed all of them and reverted back to installing printers the manual way.

In my environment, I think GPO deployment is the best fit. I would like the printers deployed based on computer GPO as a standard. On a per-request basis, I would like to develop a user GPO to satisfy the odd user who moves around computers.

Thank you all in advance for your questions, feedback, and advice. It is greatly appreciated.

Christopher

Windows for business | Windows Server | User experience | Print jobs
Windows for business | Windows Client for IT Pros | User experience | Other

2 answers

  1. Alan Morris 1,336 Reputation points
    2022-09-27T02:49:12.35+00:00

    @Christopher Perez

    Do you own your print environment? By this I mean, is the print server secure?

    If yes, then allowing clients to connect and obtain the print driver would not really be much risk.

    If you wish to retain the new default, then using Type 4 drivers which are available from Windows Update will provide the best user experience since the print driver will be delivered to the client system from Windows Update. No Type 4 drivers are ever copied from the print server.

    For Type 3 drivers with a secure print server, you can set the GPO setting Computer \ Admin Templates\ Printers \ Limits print driver installation to Administrators to Disabled. This will add a registry entry on the client system, HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\RestrictDriverInstallationToAdministrators, with a value of 0.

    If you can set the clients so they can only connect to shares from your print server, modify either Computer \ Admin Templates\ Printers \ Point and Print Restrictions OR Computer \ Admin Templates\ Printers \ Package Point and print - Approved servers with your print server name(s)

    This way they can't connect to a rogue print server with malicious print drivers.

    If folks take computers home and connect to a shared printer from a Windows 10 system in their home network, they will get a message they are blocked by policy. Connecting to a network printer over WSD or Standard TCP/IP Port is not blocked.

    Connections to shared printers and network printers. They sound the same but have always made the conversation confusing.

    You can contact me if you want to discuss. Let me know and I can provide crumbs so we can set something up. I'm in Bellevue, WA. Pacific time zone.

    1 person found this answer helpful.
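
An added example, not part of the answer above: a PowerShell check that a client really has the posture that answer describes, meaning that if driver installation is opened to non-administrators, an approved print server list is also in place. Only RestrictDriverInstallationToAdministrators is named in the thread; the TrustedServers, ServerList and ListofServers names and the server names are assumptions to confirm on one of your own policy-applied clients.

```powershell
# Added example. Only RestrictDriverInstallationToAdministrators is named in the thread;
# TrustedServers, ServerList and ListofServers are assumed names, verify on a client.
$PnpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$PkgKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers'

function Read-PolicyValues([string]$Path) {
    # Value name -> data for one registry key; empty hashtable if the key is absent.
    $out = @{}
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($key) { foreach ($n in $key.GetValueNames()) { $out[$n] = $key.GetValue($n) } }
    return $out
}

function Test-PointAndPrintPolicy {
    param([hashtable]$Pnp, [hashtable]$PkgServers = @{}, [string[]]$ExpectedServers)
    # Absent or non-zero: only administrators may install drivers from a print server.
    $restrict  = $Pnp['RestrictDriverInstallationToAdministrators']
    $adminOnly = ($null -eq $restrict) -or ($restrict -ne 0)
    # Servers allowed by Point and Print Restrictions (semicolon-separated list).
    $pnpList = @()
    if ($Pnp['TrustedServers'] -eq 1 -and $Pnp['ServerList']) {
        $pnpList = @($Pnp['ServerList'] -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    # Add servers allowed by Package Point and print - Approved servers.
    $approved   = @(@($pnpList) + @($PkgServers.Values) | Sort-Object -Unique)
    $unexpected = @($approved | Where-Object { $_ -notin $ExpectedServers })
    $findings = @()
    if (-not $adminOnly -and $approved.Count -eq 0) {
        $findings += 'Non-admin driver install is enabled but no approved print server list is set.'
    }
    if ($unexpected.Count -gt 0) {
        $findings += "Approved list contains servers you did not expect: $($unexpected -join ', ')"
    }
    [pscustomobject]@{
        AdminOnlyDriverInstall = $adminOnly
        ApprovedServers        = $approved
        Findings               = $findings
    }
}

# Constructed sample: the relaxed setting from the answer, with one stray server listed.
$samplePnp = @{ RestrictDriverInstallationToAdministrators = 0; TrustedServers = 1
                ServerList = 'print01.corp.example; oldprint.corp.example' }
Test-PointAndPrintPolicy -Pnp $samplePnp -PkgServers @{} -ExpectedServers 'print01.corp.example'

# On a real client, read the live policy keys instead of the sample:
# Test-PointAndPrintPolicy -Pnp (Read-PolicyValues $PnpKey) -PkgServers (Read-PolicyValues $PkgKey) -ExpectedServers 'print01.corp.example'
```

Run it after `gpupdate /force` on a test client; an empty Findings list with AdminOnlyDriverInstall set to False means the relaxed driver setting is paired with a server list you recognise.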

  2. Alan Morris 1,336 Reputation points
    2022-09-25T11:22:45.623+00:00

    Connections to shared printers have always been a per user setting.

    Even though the Deployed Printers Computer policy will add a connection to the share for all users on the computer, the connection is user based, not machine based.

    Group Policy Preferences Printers can only add connections for the User policy.

    The newish default from Microsoft for connections using Type 3 drivers is admin rights to add the software from the print server. You might know this software as the print driver.

    When the printer is set up using a Type 4 driver, then no admin rights are required since no software is downloaded from the print server.

    The client experience is typically degraded but at least they can print.

