Printers via GPO
I have printers setup through GPO under our 'Staff' Policy which works 100%. What I want to do is disable one printer for a group of 4 members of staff. Whats the easiest way to go around this? Is a batch file for those users the way to go or is there another way?
Thanks in advance,
Security groups? Either those 4 in a group with Deny (should be possible), or everyone else in a group and use Security Filtering on the GPO itself (definitely possible).
The 4 staff are members of the 'Staff' group so it's linked with the 'Staff' GPO they are also members of a second group 'Temp1' that group needs no access to one printer which is applied in the Staff GPO, if that makes more sense?
If the 4 you want to exclude are in a group already then on the security properties of the printer in question, you can always deny them printing rights etc.
Would probably look neater from an end-user perspective to have the other staff groups be members of a DL group that does allow access to the printer, and then filter the GPO - that would stop the printer appearing altogether.
e.g. Science staff are part of the Universal group U - Science Staff
IT staff are similarly U- IT Staff
etc. and add these universal groups to a new domain local group, DL - Super Printer (or whatever is best)
In the printer GPO, on the scope tab, add this DL group to the security filtering section at the bottom, and it will only be pushed out to those people in that group.
OK, how can i deny them printing rights?
I plan this to be just a temporary measure so I don't want to go through changing the structure just yet but I will bear that in mind
You'll have to set the deny up on your print server, not on the GPO. Doing it that way will (i think) still show them the printer, but nothing will print and possibly produce an error message.
On your print server, right click the printer, go to properties, choose the security tab, click the add button, find the group that they are all members of, and add ticks down the deny column for them.
Worth bearing in mind that you don't have to change your OU structure for the other way; you're just creating an extra group for people to be a member of, groups won't affect your OU's at all, they're like an additional layer of grouping on top of that. People in 2 OU's can mix and match between however many groups are necessary, along with machines as well. They're a logical group rather than (for sake of a better word) a physical group such as an OU.
Up to you which you think will be more work in the long run; filtering the GPO might be longer now, but will involve less explanation to panicking staff when they get an error message.
Thanks, works a treat. For future reference the printer does not even show as an option so no error message can occur
Best of both then, easy for you and non-scary for the users :D glad it's all gone to plan.
Originally Posted by james14100