10th November 2010, 11:40 AM #1
Install Colour printer only for staff - but flexibly...
As for everyone, printing here can cost a bit. We're not as bad as many but it's still been largely unrestricted so there is definitely room for improvement.
We're just about to go onto lease-hire to cut down costs, but I'd like to cut down usage as well - in particular, colour. First, the background.
At the moment there's a lot of redundant machines, because where we want colour for staff and mono for students, there are physically two printers - one colour, one mono, and the colour is only added for staff.
We're a vanilla Win2003 R2/XP environment, with printers added via GPO (pushprinterconnections.exe), and we do run PCounter (2.40), although we barely use it to any of its potential.
What we're doing
With the new lease hire printers, we're consolidating such situations to just one colour printer, and what I'd like is for staff to have colour available, and students to only have mono.
I want it to be able to add the relevant colour printer for a room, so ideally the GPO should be added to the computer OU, not the user. I can then create two printers in PCounter - one that is forced to mono (deletes any colour jobs) and one that allows colour that is only added for staff, through security filtering. If we can get hold of mono/colour drivers we can do it that way, instead.
Ideally I want to be able to add students to this group as necessary as well - i.e., coursework time, rather than the teacher having to do all the colour printing we can just add the relevant students into the group for the time being to allow them colour, and remove them at the end.
Just to add to the complication as well, I want a couple of rooms to always be able to print in colour (e.g. Art), regardless of who is logged on - so if it's a one off colour job, instead of the student having to be added to the group, log off, log on, print, we remove them from the group etc. - instead, they can just go to the relevant room and log on there to print in colour.
Can I create a GPO that uses pushprinterconnections as a user script, uses security filtering, and add this GPO to the computer OUs? Is it that easy? I could then create a separate GPO for the rooms that should always have colour that just pushes that out at a machine level.
Would it be easier, perhaps, to just add the printer once, as colour, but price colour in PCounter so that students can't afford to print? Staff are unlimited. We can then change a student to unrestricted when necessary. The always-colour-rooms just won't have the multiplier applied in PCounter.
Does other software do this better/easier? Paperclip gets mentioned a lot round here. Obviously, though, this involves spending money so I'm keen not to reinvent the wheel (as it were) by purchasing software to replace software we already own.
I'm going to play with options anyway, as much as anything this post is just about forcing me to put everything down in writing so I can work it through in my own head, but if anyone has already solved this problem with a flash of inspiration that I've so far been denied, please let me know!
ADDED BONUS: If anyone knows how to force the default printer as well, that'd be lovely, so I can make the mono option the default for staff. I suppose I could always add the mono-only exclusively for students, and colour for staff, and just default that printer to mono - might be better as they will just choose colour in the normal way then.
10th November 2010, 12:03 PM #2
Deploying printer information using a vbs as we do allows us to set the default printer to whatever we require.
10th November 2010, 12:49 PM #3
We used scripting at my last place and it was always a horrible cludge :/ I know there will be a better way of doing it than the way it was done there, but it leaves a bad taste. GPO control is more flexible if we suddenly want to push a printer out to another room.
Obvious thought of obviousness: loopback processing is designed for just this scenario. Not that I've used it before, though, so could someone advise on best way to implement it? Should I add the printer as a computer script (startup) or user script (logon) if I use loopback processing?
11th November 2010, 12:59 PM #4
An update, after a day of frustration.
Loopback sort of works. Because the GPO is applied to machine OUs, the printer needs to be deployed per-machine, not per-user. Running pushprinterconnections at user logon does add the printer at a user level - it takes a few seconds after logon for it to appear, whereas the printers added at startup are already there.
So far, all good.
However, when I then try and apply security filtering - so that the GPO only applies to members of the DL Staff group - nothing happens. This is because the machine itself is not part of that group, so I add Domain Computers to the filtering as well. At that point, because the computer is always allowed the GPO, the printer is always added regardless of who logs on. This is completely useless to me.
I've not had a further chance to play today, but if anyone knows a way of making the security filtering operate on an AND basis instead of OR, or another way around this problem, please let me know. My next option is to create groups for the machines that reflect the rooms (therefore duplicating the OU structure, but with groups) so that I can then add the OU to the Staff OU and filter by computer group. I suspect that would work, but be a lot messier, a lot more work with creating the groups etc. and be harder to read what printers are where in AD. Right now you can expand a computer OU and see what printers are linked there; this way, you'd have some (the mono printers) added like that, others added in a long list at the top of the user OU tree, and the useful information hidden away in the groups.
Someone out there smarter than me at AD must have found a way around this already - any advice?
11th November 2010, 05:07 PM #5
Group Policy Preferences will do all of this, but only once it's patched with hotfixes as even the version shipped with Windows 7 doesn't work properly with OU or security group filtering.
If you're willing to push out the patches and have at least one Vista/7 machine to configure the policies, you could be in business.
Thanks to AngryTechnician from:
sonofsanta (15th November 2010)
12th November 2010, 10:07 AM #6
Alas, we are all XP, and my home PC & laptop are both Win7 Home so no joy there either
Originally Posted by AngryTechnician
Planning to try the groups thing today/Monday, this is all just very frustrating because it is just a logic problem and I should be able to brute force my way through it. Why does reality insist on dirtying up my pristine logical constructs?
12th November 2010, 10:18 AM #7
When we were on 2003, the best way we found is to run the script below from a batch file for each PC in the room. This only needs to be run once from your technician's PC and will deploy the printers permanently (unless of course you reimage etc when it needs running again).
REM this command file will add a network printer to a computer remotely
REM the parameters are:
REM 1 - the name of the computer to which the network printer is to be added
REM 2 - the UNC name of the printer to be added
REM for example, to add the printer called ThePrinter that is shared from the computer PrintServer
REM to the computer called TheClient:
REM key this command in a Command Prompt window:
REM addglobalprinterremotely theclient printserver\theprinter
REM add the specified printer to the specified computer
rundll32 printui.dll,PrintUIEntry /ga /c\\%1 /n\\%2
REM stop the print spooler on the specified computer and wait until the sc command finishes
start /wait sc \\%1 stop spooler
REM start the print spooler on the specified computer and wait until the sc command finishes
start /wait sc \\%1 start spooler
12th November 2010, 10:24 AM #8
Bit iffy about the scripting route because it's not as descriptive as AD is, but at this point I'm willing to give anything a go. Can't see anything in the script that would filter the installed printers based on the logged on user though?
Originally Posted by teejay
I should add to the general thread as well that I've tried denying student access to the printer, which does stop them printing, but it doesn't stop the printer from appearing in the printer list. If you try and select the error it throws an error, still shows the (incorrectly) selected printer in the drop down but actually sends the job to the last printer selected, which will just cause no end of confusion and complaints from students thinking they should be able to access it - particularly as the error doesn't say access denied, it waffles on about network issues etc.
So really, need to find a way to hide the printer altogether, or just stop it being added altogether. I'll have an answer soon, I'm sure, it's just finding time to investigate!
12th November 2010, 10:30 AM #9
If you create a batch file for each room which calls the script above for each machine, for instance:
Originally Posted by sonofsanta
call addprinterremotely.cmd machine1 printserver\printer1
call addprinterremotely.cmd machine2 printserver\printer1
All you do then is on the print server set a security group on the colour printer that denies access for all students.
This really was the easiest and most robust way we found of doing this, wish we could still do this in 2008 R2/W7. It also made it simple if staff wanted students to print in colour for a lesson as you just change the deny access to allow access on the security group.
Edit: if you deny all on the printer rather than just printing then it shouldn't appear.
Thanks to teejay from:
sonofsanta (15th November 2010)
15th November 2010, 10:52 AM #10
Seems like the script is doing the same thing as a GPO would, then, and it was the security filtering on the printer that actually prevents students from printing. Which I'm trying to do and having little success with, mystifyingly - with the Domain Local group "All Students" set to Deny on everything listed, applying to printer and documents, it is still showing the printer, it's just denying any action you try to take with it. Which is the effect I want, but with the added risk of students coming and complaining because they think they should be able to print to it. I've even denied Full Control to that group on the GPO and still the printer is visibly added at logon (even after unlinking the GPO, gpupdate, relink, gpupdate, so it is not because the printer is cached in the profile).
Originally Posted by teejay
I have time for further experimentation today, so I will try the computer groups approach, but so far I've not made much progress :/ really don't know why deny permissions on the printer aren't stopping this!
(and thanks added for your help so far, cheers)
15th November 2010, 12:15 PM #11
Right, I'm pretty much giving up on doing this with 2k3 GPO's now.
Trying to apply the GPO to the users and filter with a security group for the computers failed in the same way as before, albeit with the opposite result; adding that printer to all staff and trying to filter to apply to just the computers in one room just adds the printer to all staff, everywhere, all the time.
So I can filter by location OR by user type but not by both. Rubbish. My 2k8 servers can't come soon enough! (and probably won't come for ages yet if this year's budget is how I'm expecting it to be...)
Unless anyone has another stunning insight that has escaped me, then, or a way of running GP preferences on a pure 2k3/XP environment... I think I'll just do this with PCounter, by adding the printer twice, forcing one to mono, and setting the colour version to cost 51 credits to print to - thus preventing students from using it. This at least has the advantage of it being an immediate change if a student needs to print colour, without them needing to log off/on again. Disadvantage is they will all see the printer and try and use it and complain when it doesn't work.
Cheers to those who pitched in, can't believe this has been such a challenge, it seemed so obvious a request when I started working it out!
16th November 2010, 04:03 PM #12
Something I did last time we reconfigured the printing was to create two queues for each printer, one the real one and the other a fake (with the same driver) with a more descriptive name. The fake queue has an unconditional forward rule in PCounter to the real printer.
What this means is that if a printer dies or is replaced, you can change where the fake printer forwards to and it should be seamless to the users.
You can also then have multiple fakes, with different permissions for different charging levels for staff and students.
In terms of dishing out printers to machines, this is how we used to do it before 2008
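On Error Resume Next
' WScript.Network supplies the logged-on user name and the computer name
set wshnet = CreateObject("WScript.Network")
set wshshell = wscript.CreateObject("WScript.Shell")
username = wshnet.userName
domain = "yourdomain"
computername = wshnet.computerName
' bind to the staff OU and test the logged-on user against it
set adsgroup = GetObject("LDAP://ou=staff,dc=ad,dc=you,dc=sch,dc=uk")
if adsgroup.IsMember("LDAP://cn=" & username & ",ou=staff,dc=you,dc=sch,dc=uk") then
    ' add the printer connections for staff here
end if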
The member of stuff works for member of groups as well, although not recursively
set adsgroup = GetObject("LDAP://cn=staffprinter,ou=staff,dc=you,dc=sch,dc=uk")
Thanks to SteveBentley from:
sonofsanta (16th November 2010)
16th November 2010, 05:16 PM #13
I like the idea of fakes with the forwards - that might be easier than a few other ideas I've had. I'm going to sit down and hammer out my logic on this tomorrow and work out how I'm going to do it - I suspect there are a few approaches I could take, I just need to decide which is the cleanest.
16th November 2010, 08:11 PM #14
We use pushprinterconnections but it's not brilliant, some sort of VBS script would be better based on computer name.
If you use PCounter you can put a rule in to disallow colour and allow it for a certain group of users.
I am based in North East Lincolnshire so if you need anything drop me a line and I will assist.
Thanks to MatthewL from:
sonofsanta (17th November 2010)
16th November 2010, 08:51 PM #15
You could have an else section so that if they are not a member of said group then it will loop through and remove all printers or I think you would normally do this before having said chunk of code to check which group(s) they are a member of
Thanks to mac_shinobi from:
sonofsanta (17th November 2010)
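As an added example (not code from any poster in this thread), a logon script that combines the two conditions discussed in posts #12 and #15: the room, taken from the computer's OU, and the user type, taken from group membership with nested groups followed. It also sets the mono queue as default and removes a colour connection left in the profile once the user no longer qualifies. The group DN, OU names and queue names are placeholders.

```vbscript
Option Explicit
' Placeholder names (assumptions): replace with your own group, OUs and queues.
Const COLOUR_GROUP_DN  = "CN=Colour Printing,OU=Groups,DC=example,DC=sch,DC=uk"
Const ALWAYS_COLOUR_OU = "OU=Art"    ' rooms where anyone may print in colour
Dim rooms : rooms = Array( _
    Array("OU=Room12", "\\printserver\Room12-Mono", "\\printserver\Room12-Colour"), _
    Array("OU=Art",    "\\printserver\Art-Mono",    "\\printserver\Art-Colour"))

Dim sysInfo, net, userDN, computerDN, room
Set sysInfo = CreateObject("ADSystemInfo")
Set net = CreateObject("WScript.Network")
userDN = sysInfo.UserName            ' DN of the logged-on user
computerDN = sysInfo.ComputerName    ' DN of this computer, OU path included
For Each room In rooms
    If InOU(computerDN, room(0)) Then
        net.AddWindowsPrinterConnection room(1)
        net.SetDefaultPrinter room(1)        ' mono is always the default
        ' Colour needs (room is always-colour) OR (user is in the colour group)
        If InOU(computerDN, ALWAYS_COLOUR_OU) Or IsMemberOf(userDN, COLOUR_GROUP_DN, 0) Then
            net.AddWindowsPrinterConnection room(2)
        Else
            RemoveQuietly room(2)            ' drop a connection left in the profile
        End If
    End If
Next

Function InOU(dn, ouRdn)
    InOU = (InStr(1, dn, "," & ouRdn & ",", vbTextCompare) > 0)
End Function

' True if memberDN is in groupDN directly or via nested groups (depth-limited)
Function IsMemberOf(memberDN, groupDN, depth)
    Dim grp, m, found
    Set grp = GetObject("LDAP://" & groupDN)
    found = grp.IsMember("LDAP://" & memberDN)
    If Not found And depth < 5 Then
        For Each m In grp.Members
            If LCase(m.Class) = "group" And Not found Then
                found = IsMemberOf(memberDN, m.distinguishedName, depth + 1)
            End If
        Next
    End If
    IsMemberOf = found
End Function

Sub RemoveQuietly(queue)
    On Error Resume Next                     ' the connection may not exist
    net.RemovePrinterConnection queue, True, True
    On Error GoTo 0
End Sub
```

The script only decides which connections appear in the user's profile; whether a job is accepted is still decided by the permissions set on the colour queue on the print server.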