+ Post New Thread
Page 1 of 2 12 LastLast
Results 1 to 15 of 29
How do you do....it? Thread, Install Colour printer only for staff - but flexibly... in Technical; As for everyone, printing here can cost a bit. We're not as bad as many but it's still been largely ...
  1. #1

    sonofsanta's Avatar
    Join Date
    Dec 2009
    Location
    Lincolnshire, UK
    Posts
    4,466
    Thank Post
    750
    Thanked 1,210 Times in 852 Posts
    Blog Entries
    45
    Rep Power
    533

    Install Colour printer only for staff - but flexibly...

    As for everyone, printing here can cost a bit. We're not as bad as many but it's still been largely unrestricted so there is definitely room for improvement.

    We're just about to go onto lease-hire to cut down costs, but I'd like to cut down usage as well - in particular, colour. First, the background.

    Current Situation
    At the moment there's a lot of redundant machines, because where we want colour for staff and mono for students, there are physically two printers - one colour, one mono, and the colour is only added for staff.

    We're a vanilla Win2003 R2/XP environment, with printers added via GPO (pushprinterconnections.exe), and we do run PCounter (2.40), although we barely use it to any of its potential.

    What we're doing
    With the new lease hire printers, we're consolidating such situations to just one colour printer, and what I'd like is for staff to have colour available, and students to only have mono.

    I want it to be able to add the relevant colour printer for a room, so ideally the GPO should be added to the computer OU, not the user. I can then create two printers in PCounter - one that is forced to mono (deletes any colour jobs) and one that allows colour that is only added for staff, through security filtering. If we can get hold of mono/colour drivers we can do it that way, instead.

    Ideally I want to be able to add students to this group as necessary as well - i.e., coursework time, rather than the teacher having to do all the colour printing we can just add the relevant students into the group for the time being to allow them colour, and remove them at the end.

    Just to add to the complication as well, I want a couple of rooms to always be able to print in colour (e.g. Art), regardless of who is logged on - so if it's a one off colour job, instead of the student having to be added to the group, log off, log on, print, we remove them from the group etc. - instead, they can just go to the relevant room and log on there to print in colour.

    Options
    Can I create a GPO that uses pushprinterconnections as a user script, uses security filtering, and add this GPO to the computer OUs? Is it that easy? I could then create a separate GPO for the rooms that should always have colour that just pushes that out at a machine level.

    Would it be easier, perhaps, to just add the printer once, as colour, but price colour in PCounter so that students can't afford to print? Staff are unlimited. We can then change a student to unrestricted when necessary. The always-colour-rooms just won't have the multiplier applied in PCounter.

    Does other software do this better/easier? Paperclip gets mentioned a lot round here. Obviously, though, this involves spending money so I'm keen not to reinvent the wheel (as it were) by purchasing software to replace software we already own.

    -----

    I'm going to play with options anyway, as much as anything this post is just about forcing me to put everything down in writing so I can work it through in my own head, but if anyone has already solved this problem with a flash of inspiration that I've so far been denied, please let me know!

    ADDED BONUS: If anyone knows how to force the default printer as well, that'd be lovely, so I can make the mono option the default for staff. I suppose I could always add the mono-only exclusively for students, and colour for staff, and just default that printer to mono - might be better as they will just choose colour in the normal way then.

  2. #2

    plexer's Avatar
    Join Date
    Dec 2005
    Location
    Norfolk
    Posts
    12,965
    Thank Post
    587
    Thanked 1,494 Times in 1,340 Posts
    Rep Power
    397
    Deploying printer information using a vbs as we do aloows us to set the default printer to whatever we require.

    Ben

  3. #3

    sonofsanta's Avatar
    Join Date
    Dec 2009
    Location
    Lincolnshire, UK
    Posts
    4,466
    Thank Post
    750
    Thanked 1,210 Times in 852 Posts
    Blog Entries
    45
    Rep Power
    533
    We used scripting at my last place and it was always a horrible cludge :/ I know there will be a better way of doing it than the way it was done there, but it leaves a bad taste. GPO control is more flexible if we suddenly want to push a printer out to another room.

    Obvious thought of obviousness: loopback processing is designed for just this scenario. Not that I've used it before, though, so could someone advise on best way to implement it? Should I add the printer as a computer script (startup) or user script (logon) if I use loopback processing?

  4. #4

    sonofsanta's Avatar
    Join Date
    Dec 2009
    Location
    Lincolnshire, UK
    Posts
    4,466
    Thank Post
    750
    Thanked 1,210 Times in 852 Posts
    Blog Entries
    45
    Rep Power
    533
    An update, after a day of frustration.

    Loopback sort of works. Because the GPO is applied to machine OUs, the printer needs to be deployed per-machine, not per-user. Running pushprinterconnections at user logon does add the printer at a user level - it takes a few seconds after logon for it to appear, whereas the printers added at startup are already there.

    So far, all good.

    However, when I then try and apply security filtering - so that the GPO only applies to members of the DL Staff group - nothing happens. This is because the machine itself is not part of that group, so I add Domain Computers to the filtering as well. At that point, because the computer is always allowed the GPO, the printer is always added regardless of who logs on. This is completely useless to me.

    I've not had a further chance to play today, but if anyone knows a way of making the security filtering operate on an AND basis instead of OR, or another way around this problem, please let me know. My next option is to create groups for the machines that reflect the rooms (therefore duplicating the OU structure, but with groups) so that I can then add the OU to the Staff OU and filter by computer group. I suspect that would work, but be a lot messier, a lot more work with creating the groups etc. and be harder to read what printers are where in AD. Right now you can expand a computer OU and see what printers are linked there; this way, you'd have some (the mono printers) added like that, others added in a long list at the top of the user OU tree, and the useful information hidden away in the groups.

    Someone out there smarter than me at AD must have found a way around this already - any advice?

  5. #5

    AngryTechnician's Avatar
    Join Date
    Oct 2008
    Posts
    3,723
    Thank Post
    695
    Thanked 1,206 Times in 759 Posts
    Rep Power
    393
    Group Policy Preferences will do all of this, but only once it's patched with hotfixes as even the version shipped with Windows 7 doesn't work properly with OU or security group filtering.

    If you're willing to push out the patches and have at least one Vista/7 machine to configure the policies, you could be in business.

  6. Thanks to AngryTechnician from:

    sonofsanta (15th November 2010)

  7. #6

    sonofsanta's Avatar
    Join Date
    Dec 2009
    Location
    Lincolnshire, UK
    Posts
    4,466
    Thank Post
    750
    Thanked 1,210 Times in 852 Posts
    Blog Entries
    45
    Rep Power
    533
    Quote Originally Posted by AngryTechnician View Post
    Group Policy Preferences will do all of this, but only once it's patched with hotfixes as even the version shipped with Windows 7 doesn't work properly with OU or security group filtering.

    If you're willing to push out the patches and have at least one Vista/7 machine to configure the policies, you could be in business.
    Alas, we are all XP, and my home PC & laptop are both Win7 Home so no joy there either

    Planning to try the groups thing today/Monday, this is all just very frustrating because it is just a logic problem and I should be able to brute force my way through it. Why does reality insist on dirtying up my pristine logical constructs?

  8. #7

    teejay's Avatar
    Join Date
    Apr 2008
    Posts
    3,051
    Thank Post
    275
    Thanked 722 Times in 550 Posts
    Rep Power
    326
    When we were on 2003, the best way we found is to run the script below from a batch file for each PC in the room. This only needs to be run once from your technicians PC and will deploy the printers permanently (unless of course you reimage etc when it needs running again).
    Code:
    @Echo off
    REM this command file will add a network printer to a computer remotely
    
    REM the parameters are:
    
    REM   1 - the name of the computer to which the network printer is to be added
    REM   2 - the UNC name of the printer to be added
    
    REM for example, to add the printer called ThePrinter that is shared from the computer PrintServer
    REM    to the computer called TheClient:
    
    REM  key this command in a Command Prompt window:
    
    REM     addglobalprinterremotely theclient printserver\theprinter
    
    
    REM add the specified printer to the specified computer 
    @Echo On
    rundll32 printui.dll,PrintUIEntry /ga /c\\%1 /n\\%2
    @Echo off
    REM stop the print spooler on the specified computer and wait until the sc command finishes
    @Echo On
    start /wait sc \\%1 stop spooler
    @Echo off
    REM start the print spooler on the specified computer and wait until the sc command finishes
    @Echo On
    start /wait sc \\%1 start spooler

  9. #8

    sonofsanta's Avatar
    Join Date
    Dec 2009
    Location
    Lincolnshire, UK
    Posts
    4,466
    Thank Post
    750
    Thanked 1,210 Times in 852 Posts
    Blog Entries
    45
    Rep Power
    533
    Quote Originally Posted by teejay View Post
    When we were on 2003, the best way we found is to run the script below from a batch file for each PC in the room. This only needs to be run once from your technicians PC and will deploy the printers permanently (unless of course you reimage etc when it needs running again).
    Bit iffy about the scripting route because it's not as descriptive as AD is, but at this point I'm willing to give anything a go. Can't see anything in the script that would filter the installed printers based on the logged on user though?


    I should add to the general thread as well that I've tried denying student access to the printer, which does stop them printing, but it doesn't stop the printer from appearing in the printer list. If you try and select the error it throws an error, still shows the (incorrectly) selected printer in the drop down but actually sends the job to the last printer selected, which will just cause no end of confusion and complaints from students thinking they should be able to access it - particularly as the error doesn't say access denied, it waffles on about network issues etc.
    So really, need to find a way to hide the printer altogether, or just stop it being added altogether. I'll have an answer soon, I'm sure, it's just finding time to investigate!

  10. #9

    teejay's Avatar
    Join Date
    Apr 2008
    Posts
    3,051
    Thank Post
    275
    Thanked 722 Times in 550 Posts
    Rep Power
    326
    Quote Originally Posted by sonofsanta View Post
    Bit iffy about the scripting route because it's not as descriptive as AD is, but at this point I'm willing to give anything a go. Can't see anything in the script that would filter the installed printers based on the logged on user though?


    I should add to the general thread as well that I've tried denying student access to the printer, which does stop them printing, but it doesn't stop the printer from appearing in the printer list. If you try and select the error it throws an error, still shows the (incorrectly) selected printer in the drop down but actually sends the job to the last printer selected, which will just cause no end of confusion and complaints from students thinking they should be able to access it - particularly as the error doesn't say access denied, it waffles on about network issues etc.
    So really, need to find a way to hide the printer altogether, or just stop it being added altogether. I'll have an answer soon, I'm sure, it's just finding time to investigate!
    If you create a batch file for each room which calls the script above for each machine , for instance:

    call addprinterremotely.cmd machine1 printserver/printer1
    call addprinterremotely.cmd machine2 printserver/printer1
    ....

    All you do then is on the print server set a security group on the colour printer that denies access for all students.
    This really was the easiest and most robust way we found of doing this, wish we could still do this in 2008 R2/W7. It also made it simple if staff wanted students to print in colour for a lesson as you just change the deny access to allow access on the security group.

    Edit: if you deny all on the printer rather than just printing then its shouldn't appear.

  11. Thanks to teejay from:

    sonofsanta (15th November 2010)

  12. #10

    sonofsanta's Avatar
    Join Date
    Dec 2009
    Location
    Lincolnshire, UK
    Posts
    4,466
    Thank Post
    750
    Thanked 1,210 Times in 852 Posts
    Blog Entries
    45
    Rep Power
    533
    Quote Originally Posted by teejay View Post
    If you create a batch file for each room which calls the script above for each machine , for instance:

    call addprinterremotely.cmd machine1 printserver/printer1
    call addprinterremotely.cmd machine2 printserver/printer1
    ....

    All you do then is on the print server set a security group on the colour printer that denies access for all students.
    This really was the easiest and most robust way we found of doing this, wish we could still do this in 2008 R2/W7. It also made it simple if staff wanted students to print in colour for a lesson as you just change the deny access to allow access on the security group.

    Edit: if you deny all on the printer rather than just printing then its shouldn't appear.
    Seems like the script is doing the same thing as a GPO would, then, and it was the security filtering on the printer that actually prevents students from printing. Which I'm trying to do and having little success with, mystifyingly - with the Domain Local group "All Students" set to Deny on everything listed, applying to printer and documents, it is still showing the printer, it's just denying any action you try to take with it. Which is the effect I want, but with the added risk of students coming and complaining because they think they should be able to print to it. I've even denied Full Control to that group on the GPO and still the printer is visibly added at logon (even after unlinking the GPO, gpupdate, relink, gpupdate, so it is not because the printer is cached in the profile).

    I have time for further experimentation today, so I will try the computer groups approach, but so far I've not made much progress :/ really don't know why deny permissions on the printer aren't stopping this!

    (and thanks added for your help so far, cheers)

  13. #11

    sonofsanta's Avatar
    Join Date
    Dec 2009
    Location
    Lincolnshire, UK
    Posts
    4,466
    Thank Post
    750
    Thanked 1,210 Times in 852 Posts
    Blog Entries
    45
    Rep Power
    533
    Right, I'm pretty much giving up on doing this with 2k3 GPO's now.

    Trying to apply the GPO to the users and filter with a security group for the computers failed in the same way as before, albeit with the opposite result; adding that printer to all staff and trying to filter to apply to just the computers in one room just adds the printer to all staff, everywhere, all the time.

    So I can filter by location OR by user type but not by both. Rubbish. My 2k8 servers can't come soon enough! (and probably won't come for ages yet if this year's budget is how I'm expecting it to be...)

    Unless anyone has another stunning insight that has escaped me, then, or a way of running GP preferences on a pure 2k3/XP environment... I think I'll just do this with PCounter, by adding the printer twice, forcing one to mono, and setting the colour version to cost 51 credits to print to - thus preventing students from using it. This at least has the advantage of it being an immediate change if a student needs to print colour, without them needing to log off/on again. Disadvanage is they will all see the printer and try and use it and complain when it doesn't work.

    Cheers to those who pitched in, can't believe this has been such a challenge, it seemed so obvious a request when I started working it out!

  14. #12
    SteveBentley's Avatar
    Join Date
    Jun 2007
    Location
    Yorkshire
    Posts
    1,415
    Thank Post
    116
    Thanked 261 Times in 187 Posts
    Rep Power
    71
    Something I did last time we reconfigured the printing was to create two queues for each printer, one the real one and the other a fake (with the same driver) with a more descriptive name. The fake queue has an unconditional forward rule in PCounter to the real printer.

    What this means is that if a printer dies or is replaced, you can change where the fake printer forwards to and it should be seamless to the users.

    You can also then have multiple fakes, with different permissions for different charging levels for staff and students.

    In terms of dishing out printers to machines, this is how we used to do it before 2008

    HTML Code:
    On Error Resume Next
    
    set wshnet = CreateObject("WScript.Network")
    set wshshell = wscript.CreateObject("WScript.Shell")
    
    username = wshnet.userName
    domain = "yourdomain"
    computername = wshnet.computerName
    
    set adsgroup = GetObject("LDAP://ou=staff,dc=ad,dc=you,dc=sch,dc=uk")
    if adsgroup.IsMember("LDAP://cn=" & username & ",ou=staff,dc=you,dc=sch,dc=uk") then
    
    
    wshnet.AddWindowsPrinterConnection "\\server\printershare"
    wshnet.SetDefaultPrinter "\\server\printershare"
    end if
    
    wscript.quit

    The member of stuff works for member of groups as well, although not recursively

    set adsgroup = GetObject("LDAP://cn=staffprinter,ou=staff,dc=you,dc=sch,dc=uk")

  15. Thanks to SteveBentley from:

    sonofsanta (16th November 2010)

  16. #13

    sonofsanta's Avatar
    Join Date
    Dec 2009
    Location
    Lincolnshire, UK
    Posts
    4,466
    Thank Post
    750
    Thanked 1,210 Times in 852 Posts
    Blog Entries
    45
    Rep Power
    533
    I like the idea of fakes with the forwards - that might be easier than a few other ideas I've had. I'm going to sit down and hammer out my logic on this tomorrow and work out how I'm going to do it - I suspect there are a few approaches I could take, I just need to decide which is the cleanest.

    Cheers!

  17. #14

    Join Date
    Oct 2008
    Location
    Lincolnshire
    Posts
    2,054
    Thank Post
    11
    Thanked 204 Times in 198 Posts
    Rep Power
    63
    We use pushprinterconnections but its not brilliant, some sort of VBS script would be better based on computer name.

    If you use PCounter you can put a rule in to disallow colour and allow if for a certain group of users.

    I am based in North East Lincolnshire so if you need anything drop me a line and I will assist.

  18. Thanks to MatthewL from:

    sonofsanta (17th November 2010)

  19. #15

    mac_shinobi's Avatar
    Join Date
    Aug 2005
    Posts
    9,215
    Thank Post
    2,766
    Thanked 935 Times in 875 Posts
    Rep Power
    343
    You could have an else section so that if they are not a member of said group then it will loop through and remove all printers or I think you would normally do this before having said chunk of code to check which group(s) they are a member of

  20. Thanks to mac_shinobi from:

    sonofsanta (17th November 2010)

SHARE:
+ Post New Thread
Page 1 of 2 12 LastLast

Similar Threads

  1. Replies: 1
    Last Post: 18th March 2010, 02:45 PM
  2. A3 Colour Printer
    By ICTSM in forum Hardware
    Replies: 2
    Last Post: 24th November 2009, 02:56 PM
  3. Colour Network Printer
    By icttech in forum Windows Server 2000/2003
    Replies: 14
    Last Post: 30th June 2009, 11:35 AM
  4. Local colour printer
    By laserblazer in forum Hardware
    Replies: 10
    Last Post: 16th December 2008, 11:39 AM
  5. What A3 Colour printer
    By Farwell in forum Hardware
    Replies: 5
    Last Post: 9th May 2008, 09:30 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •