

3.1.5.1 Adding a Printer Connection

This section specifies the processing events and sequencing for an administrator adding a printer connection to a GPO.

The Deployed Printer Connections administrative tool plug-in receives extension-specific information from a user interface and writes the data in conformance with [RFC2251].

One msPrint-ConnectionPolicy object is created for each Deployed Printer Connection setting that is received from the user interface.

The Deployed Printer Connections administrative tool plug-in sends a message to the DC indicating that a new printer connection setting SHOULD be added to a GPO. This message is sent using LDAP as the transport. Authentication MUST be either Kerberos with credentials in Unicode for computer policy mode, or Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) [MS-SPNG] for user policy mode.

The following protocol sequences MUST be generated to add a printer connection to a GPO:

  1. The administrative tool plug-in MUST send an LDAP BindRequest to Active Directory, and Active Directory MUST generate an LDAP BindResponse in reply. The parameters for the BindRequest MUST include a zero-length string for the distinguished name (DN) parameter, and the authentication choice MUST be either Kerberos for computer policy mode, or SPNEGO for user policy mode. The value of the version field MUST be 3.

  2. The administrative tool plug-in MUST wait for a successful BindResponse from Active Directory.

  3. The user interface administrative tool SHOULD allow the network administrator to specify:

    • The LDAP address of the GPO that is to be modified.

    • A choice of modifying either the Machine section or the User section of the GPO, so that the connections can be added for either all users of the computer or only one user.

    • The UncPath of the printer connection that is to be added.

  4. Using the LDAP address that was obtained from a successful BindResponse, the client MUST send an LDAP AddRequest message to create a container, as specified in PushedPrinterConnections Container Creation (section 2.2.1.1), in one of the following locations, where <x>, <y>, <z> are the components of the FQDN of the domain/LDAP server, and <GPO_GUID> is the curly-braced GUID string containing the GUID of the GPO that the administrator selected in the user interface.

    • Printer connection settings in the User section of the GPO MUST use this location:

      CN=PushedPrinterConnections, CN=User, CN=<GPO_GUID>, CN=Policies, CN=System, DC=<x>, DC=<y>, DC=<z>

    • Printer connection settings in the Machine section of the GPO MUST use this location:

      CN=PushedPrinterConnections, CN=Machine, CN=<GPO_GUID>, CN=Policies, CN=System, DC=<x>, DC=<y>, DC=<z>

    If the resultCode field of the corresponding LDAP AddResponse message is nonzero, this protocol sequence MUST skip the intervening steps and the administrative tool plug-in MUST make an LDAP UnbindRequest to close the connection.

  5. The administrative tool plug-in MUST send an LDAP AddRequest message, as specified in Printer Connections Creation (section 2.2.1.2), to add an msPrint-ConnectionPolicy object in the PushedPrinterConnections container (section 2.2.1.1) that was created in the previous step.

    If the resultCode field of the corresponding LDAP AddResponse message is nonzero, this protocol sequence MUST skip the intervening steps and the administrative tool plug-in MUST make an LDAP UnbindRequest to close the connection.

  6. The administrative tool plug-in MUST invoke the task Group Policy Extension Update ([MS-GPOL] section 3.3.4.4).

  7. An LDAP UnbindRequest MUST be made by the administrative tool plug-in to close the connection.