In this issue:
- Your opinion please!
- Windows 2003/R2 Printer Magic
- Get a signed copy of...
- my GP book: Group Policy, Profiles and IntelliMirror
- my Windows & Linux Integration book
- Now Available: Private GP Course in "Less Intensive" format
- Public Group Policy Intensive Training and Workshop Schedule Update
- Subscribe, Unsubscribe, and Usage Information
It's all about more control, baby
This Newsletter's "big topic" is printers, and deploying them via Group Policy. But, before I talk about that, I have to ask you folks a thing or two.
- Do you like these newsletters with one big topic in them?
- Do you like the original format with lots of little questions and lots of little answers?
Send your one word vote of BIG or LITTLE to [email protected]. Or, if you have more than one word to say, you can do that too.
Want to be famous? I'm working on a project which highlights "creative uses" for Group Policy. So, if you think you've got a special implementation using Group Policy, I want to hear about it. For instance, one company I know uses Group Policy to lock down PCs as cash-registers. That's cool! Another company I know wrote some sweet custom scripts to automate their entire Group Policy universe. Wow! That's the kind of stuff I want to hear! Or, do you have a special "process" behind your Group Policy that goes beyond the "in the box" delegation? Anything neat or cool: special implementations are what I'm looking for. And, like I said, you can have your name in lights (if you so choose).
Give me a paragraph or two on your cool implementation, and what you're doing that makes your organization unique. Send to [email protected] with a subject line of SPECIAL.
Now, on with the show!
Be sure to read through to the end. I've got a gaggle of new dates and cities for the public Group Policy course for the rest of 2006.
Newsletter Sponsored by: DesktopStandard
Provide all of your Windows 2000, XP and Windows 2003 end-users easy access to the correct printers via Group Policy, today!
Configuring printers is one of the essential desktop management tasks for which there is no built-in Windows solution. DesktopStandard's PolicyMaker Standard Edition solves this issue and many others. It includes both Shared Printer policy and TCP/IP Printer policy for managing printer connections. Standard location-based filters allow targeting of print connections so that jobs can automatically print to the most appropriate printer based on where the computer is located.
Click the link to learn more: PolicyMaker Standard Edition
Windows 2003/R2 Printer Magic
Let me guess what one of your biggest headaches is.
Yes, it's that "little thing we don't like talking about much." But, it's been on my mind lately, so let's figure out how we can "Do more with Group Policy!"
Are you one of Microsoft's customers who is implementing Windows 2003/R2?
Or, are you one of Microsoft's customers who just read the above line and is saying to themselves, "What the heck is Windows 2003/R2?"
Windows 2003/R2 can almost be thought of as "Windows Server 2006." But that's not what it's called. It's Windows 2003/R2. To use "R2" you need to load it upon a Windows 2003 Server with SP1. Then you load the R2 bits, and voila! You've got an R2 machine!
R2 has an armload of neat-o new features. And if you're interested in reading about all the neat-o features it has, read here.
But only one of those features has any Group Policy-related goodness. But, oh friends, it is very good!
It's the Print Management Component, a new add-in that R2 brings to the table. The Print Management component does a LOT of keen-o-rific stuff, like centrally manage almost all aspects of all of the printers on your Windows network. What's not to like about that? And even better, it brings an extra superpower to the table: the ability to deploy printers to users or computers via Group Policy.
ZAAAP! You can just "beam" printers down to your mere mortals.
That's right. You can now say "Whenever Sally moves from XPPRO1 to XPPRO12, she keeps her printer mappings." Or, you can now say: "Whoever sits down at XPPRO5 will get the same printer settings."
The god-like power you have using Group Policy is truly compelling!
Keen readers of my Group Policy book will note I had a tip (on pages 139-140 of the 3rd edition) about using loopback policy to perform the same idea. That is, by sitting down at any given machine you can dictate the printers. Now, finally, it's part of the operating system.
Getting ready to perform the magic
Before we can get started with the Print Management Components, we need to perform several steps:
1. Update our Windows 2003 schema to Windows 2003/R2 schema
2a. If we want to use our Windows 2003 server as the place where we perform our printer management, we need to load the Print Management Component on our Windows 2003 machine.
2b. If we want to use a Windows XP machine as the place where we perform our printer management, we need to load the Adminpak for R2 tools on our management station.
Updating the schema and installing R2
Updating the schema is likely the hardest part of the job, because you'll need approval from your Active Directory big-wigs that this is an OK procedure to do. Once you have approval, this operation is best performed directly upon the Schema Master in your domain.
The reason for the schema upgrade is that to-printer connection objects get a new "fast query" lookup via LDAP in Active Directory. This way, the Print Management Console (which we'll explore in a bit) doesn't have to inspect every GPO in the domain to figure out where printers are currently deployed.
Just pop in the R2 media. You are then presented with the option to "Continue Windows Server 2003 R2 Setup." If you click that, however, you get the message seen below.
Figure 1: In order to upgrade Windows 2003 to R2, the schema must be upgraded.
The dialog box says it all. In short, you need to run the command adprep /forestprep, which is located on the R2 CD-ROM in the \cmpnents\r2\adprep directory.
Figure 2: Once you press "C" to continue, your schema will be upgraded to the R2 schema.
From here, we'll assume you want to test drive this on your Windows 2003 Server and upgrade it to R2. We'll also assume that you want to manage your printers from there (as opposed to a Windows XP management station).
Once the schema update has been performed, you can then run "R2Auto.exe" on the root of the R2 CD-ROM and select to "Continue Windows Server 2003 R2 Setup." At this point, you may be informed that you have a service pack installed (and continuing will prevent any possibility of uninstalling it). Select "Yes." Once you do, you'll be at the "R2 Setup Wizard." The Wizard is self-explanatory.
Installing the Print Management Components
Next on the docket is loading the Print Management Component. Again, this is a comprehensive tool which allows you to manage many facets of your printer universe. To load the Print Management Component, go to Add/Remove Programs | Windows Components | Management and Monitoring tools and select Print Management Component, as seen below.
Figure 3: You can load the Print Management Console components into a Windows 2003/R2 server.
Note that next time the (annoying) Configure Your Server Wizard appears, you'll see that it's been installed as seen here:
Figure 4: The Configure Your Server Wizard now has a new option.
Now that the Print Management Components are loaded, you're ready to deploy printers to either your users or your computers. You can do this "by hand" using the regular Group Policy editor snap-in, or using the tools provided in the Print Management console.
Deploying printers using GPOs
Let's deploy printers by hand first using the Group Policy editor, then we'll move on to the Print Management console.
First step: Define Deployed Printers
To zap a printer down to your users or computers, you start out by creating a GPO and linking it to an OU containing either users or computers. Say, the Sales Users OU.
When you edit your next GPO, you'll see a "Deployed Printers" node in both the computer and user half of the GPO along with a new Action called "Deploy Printer" in the Action menu as seen below.
Figure 5: You'll be able to manage printers directly within the Group Policy Object editor.
Note that if you don't see the "Deployed Printers" node, it's likely that you don't have the updated Adminpak tools on your management station (the computer from which you're editing this GPO). To get the latest tools, get the R2 Adminpak here. Note that it isn't "one big .msi" like Adminpak.msi. Rather, this is a collection of smaller files for specific updated components like the Print Console.
Once you select User Configuration | Deployed Printers | Deploy Printers (as seen in Figure 5) or Computer Configuration | Deployed Printers | Deploy Printers, you'll be ready to blast new printer assignments down. Just type \\server\printer into the "Enter printer name" dialog (shown below), click Add, and you're done.
Figure 6: Enter the UNC path of the printer you want to push.
Or are you? Here's where the going gets tough. That is, just when you think you've got it super-easy, you need to go the last mile of this journey manually. All you've done right now is define which printer the folks affected by this GPO should get. But now you need to actually tell them to get it. That trick is done through a little executable program that you have to kick off via Login script (for printers assigned to users) or Startup script (for printers assigned to computers).
Second Step: Assign the PushPrinterConnections executable
The "moving part" to make the printer assignment is a little .exe called pushprinterconnections.exe. If you're deploying printers to users, the .exe needs to be run in the user's Login Script. If you're deploying printers to computers, it needs to be run in the computer's Startup Script.
The pushprinterconnections.exe gets placed on your R2 server in the \windows\PMCSnap directory along with some other bits associated with the Print Management console (which we'll talk about in a minute). You can see that here.
Figure 7: You'll need to copy the pushprinterconnections.exe to each GPO's script container.
The key point is that the location where it starts out isn't the location where you need to run it from. Your job is to take the file and plunk it directly into the GPO itself. Here are the rough steps to do this:
- While editing the GPO, drill down to the script type (User Login, or Computer Startup).
- Click the Show Files button.
- Copy the pushprinterconnections.exe into the window that opens up.
- Back at the properties of the script, click Add, locate and select the pushprinterconnections.exe file.
- Click OK
Figure 8: Call the pushprinterconnections.exe from directly within the scripts portion of the GPO.
Note: If you want to enable troubleshooting logging information, type -log in the Script Parameters box. A per-user debug log file will be written to %temp%. A per-machine debug log will be written to %windir%\temp. (Note that these are totally different directories.) It's worth noting that you shouldn't use the -log parameter in a production environment; you wouldn't want the utility filling up your client machine hard disks with megabytes of log files.
A quick "future looking" note about Vista. This utility isn't required for Vista. The ability to push down printer connections is built in.
So, the first thing that PushPrinterConnections.exe does when you run it is to check if it is running on Windows Vista. If it is running on a Vista machine, the utility exits without doing anything. So network administrators don't have to worry if they accidentally push the pushprinterconnections.exe utility down to Windows Vista clients.
At this point, you should see goodness when you log in as the user or restart the computer. Note that these printers won't "change" during background refresh after you're already logged in. That's because the pushprinterconnections.exe only runs at login or startup.
Figure 9: Success on a Windows XP machine!
The easier way to do it (sort of)
We just deployed printers to our users or computers by hand using the Group Policy editor. However, there's an alternate method: using the Print Management Console. The Print Management Console gives a "one stop shop view" of printers deployed via GPOs. In this list, you can see each of my printers (HPLaser1 and HPLaser2) and which GPOs they're being dictated in, and which side, user or computer, is being forced.
Figure 10: The Deployed Printers node in the Print Management Console "hunts down" GPOs which are using the Deployed Printers feature.
However, the Print Management Console has another trick up its sleeve: the ability to zap printers directly by creating GPOs of its own.
Using the Print Management Console, just drill down to Print Management | Custom Printer Filters | All Printers, locate the printer you want to zap down to a computer or user, and select "Deploy with Group Policy", as shown below.
Figure 11: You can see any printer in the Print Management Console and zap it down using Group Policy.
With no disrespect to the designers of R2, this is where it starts to get a little bit difficult to work with. It starts out innocently enough as you can see in the "Deploy with Group Policy" dialog box below.
Figure 12: The interface for deploying printers via GPOs using the Print Management Console.
The interface from here on out is, well, almost a throwback to pre-GPMC days... and we all hated those days. But that's the interface we have here after we perform our next step.
The idea here is to click Browse and either find a GPO you happen to know is linked to a Site, Domain, or OU (because, of course, you have that memorized) or drill down into an OU and choose to create a new GPO that's linked to the level you drilled down to. You can see this in Figure 13.
Figure 13: Click to create a new GPO to affect your target OU.
And, of course, you all knew that an icon of two people with a little star over their heads means "Create a new GPO and link it here." Right? (Maybe not.) Thankfully, the tooltip tells the tale of the inexplicable icon.
Once you've created the GPO and linked it, it's time to deploy the printer. Here you select which side of the house you want to deploy to: users, computers, or both. In my case, I'm deploying to Nurse Users, so I'm choosing users.
Now, here's where you gotta stay with me, so I've numbered the steps like a "follow the bouncing ball." Before I reveal these steps, I want to confess that I tried this procedure no less than 5 times before I finally figured it out.
Figure 14: Steps to deploy a printer using this dialog.
Why did I go through the painstaking trouble to number the steps and show you exactly where to click? Because the procedure is to:
- Choose the user and/or computer side of things.
- Click the Add button.
- Then click OK
In short, I kept missing the ADD button and was driving myself completely nuts! I think I was missing it because "Add" is ever-so-slightly higher in the dialog than the checkboxes, and my brain thought "Why would I need to click here? I should just click OK and be done." But my brain was wrong. Learn from my brain.
Here's the trick: Deploying printers via the Print Management Console doesn't do 100% of the required steps. That is, while it puts the printer in place in the Deployed Printers node, it doesn't jam the pushprinterconnections.exe into the Logon Script or Startup Script. This means you have to go back in, via the GPMC, edit the GPO, and jam in the pushprinterconnections.exe (basically, what I showed you in the first part of the article). Frustrating? A little, but now you know what you have to do!
If I'm missing something here, dear readers, don't be shy. It's a mystery to me why this whiz-bang Print Management console only does half the job while using the "Deploy with Group Policy" feature.
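One way to catch the half-finished case described above, as an added example that is not part of the original newsletter or any Microsoft tool: a PowerShell function that reads a GPO's scripts.ini text and reports whether pushprinterconnections.exe is wired into the right script type, and whether the -log parameter was left on. The function name and the sample data are hypothetical; the [Logon]/[Startup] sections and numbered CmdLine/Parameters keys are the layout the script editor writes to scripts.ini.

```powershell
# Added example: audit scripts.ini content for the PushPrinterConnections step.
# Function name and sample input are hypothetical (constructed for illustration).
function Test-PushPrinterScript {
    param(
        # scripts.ini content, one line per element (blank lines allowed)
        [Parameter(Mandatory)] [AllowEmptyString()] [string[]] $IniLines,
        # Which half of the GPO the printer was deployed to
        [Parameter(Mandatory)] [ValidateSet('User', 'Computer')] [string] $Side
    )

    # Per-user printers need a Logon script; per-computer printers a Startup script.
    $wanted  = if ($Side -eq 'User') { 'Logon' } else { 'Startup' }
    $section = ''
    $entries = @{}   # script index -> @{ CmdLine; Parameters }

    foreach ($raw in $IniLines) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -ne $wanted) { continue }
        if ($line -match '^(\d+)(CmdLine|Parameters)=(.*)$') {
            $idx = $Matches[1]
            if (-not $entries.ContainsKey($idx)) {
                $entries[$idx] = @{ CmdLine = ''; Parameters = '' }
            }
            $entries[$idx][$Matches[2]] = $Matches[3].Trim()
        }
    }

    # Match the executable by file name, with or without a leading path or quotes.
    $push = @($entries.Values | Where-Object {
        $_.CmdLine -match '(^|[\\/"])pushprinterconnections\.exe"?$'
    })
    # -log is meant for troubleshooting only, so flag it when present.
    $logging = @($push | Where-Object { $_.Parameters -match '(^|\s)-log(\s|$)' })

    [pscustomobject]@{
        Side           = $Side
        Section        = $wanted
        ScriptPresent  = ($push.Count -gt 0)
        LoggingEnabled = ($logging.Count -gt 0)
    }
}

# Constructed sample 1: user-side scripts.ini after the manual step, -log left on.
$withScript = @(
    '[Logon]'
    '0CmdLine=pushprinterconnections.exe'
    '0Parameters=-log'
    ''
    '[Logoff]'
)
# Constructed sample 2: a GPO where the printer was deployed but no script was added.
$withoutScript = @('[Logon]', '', '[Logoff]')

Test-PushPrinterScript -IniLines $withScript    -Side User
Test-PushPrinterScript -IniLines $withoutScript -Side User
```

Against a real GPO, pass the lines of the scripts.ini that sits beside the copied executable (the user or machine Scripts folder of that GPO), for example via Get-Content.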
Clearly, this ability to zap printers down to either users or computers is a nice leap forward. But, the bad news is subtle: That is, this new magic isn't built on the client-side extension goodness that IS Group Policy. Rather, this is a little hack that Microsoft put together to zap printers down to users. What I'd like to see is the ability for users to get a changed GPO, and have the printers change on the fly with the background refresh interval. It's not there yet, but appears to be coming soon with Vista.
One more note about all this before we move on:
- Windows 2000 machines only support per-user printer connections.
- Windows XP or Windows 2003 support per-user or per-computer printer connections.
Finally, if you want to learn more about the Print Management Console for the other goodies it brings to the table, be sure to read the "Print Management Step-by-Step Guide for Windows Server 2003 R2" found here.
Get signed copies of...
Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000 (THIRD EDITION)
Windows & Linux Integration: Hands on Solutions for a Mixed Environment
Do you have the new THIRD EDITION of the Group Policy book? It's got 50 new pages, fully covers XP/SP2 and Windows Server 2003/SP1, an armload of new tidbits here and there, and a whole new section on the Security Configuration Wizard.
Order your signed copy today by clicking here.
Additionally available is my new title Windows & Linux Integration: Hands on Solutions for a Mixed Environment from www.WinLinAnswers.com/book.
Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here:
http://www.amazon.com/gp/product/0782144470 (GPO book)
http://www.amazon.com/gp/product/0782144284 (WinLin book)
Now Available: Private GP Course in "Less Intensive" format
Everyone knows the two-day Group Policy course is really three days of material packed into two intensive days. However, some customers have asked for a "Less Intensive" format.
Your wish has been granted!
This course starts with a half day warm-up of Active Directory, managing users, and delegating permissions. Then, we move on to the Group Policy goodies. This way, those with less Group Policy and day-to-day administration experience can get a bit of the fundamentals before diving into the Group Policy waters.
This "three-day Less Intensive" option is ONLY available as a private course. Note, the "two-day intensive" option is available as either a private or a public course.
Public Group Policy Intensive Training and Workshop Schedule Update
I've basically lost count at this point of how many people have signed up and taken the two-day Group Policy Intensive training and workshop. Students LOVE it, and managers LOVE the results the training gives.
You BOUGHT and IMPLEMENTED Active Directory, now DO SOMETHING with it.
So, learn to properly drive that "Ferrari" you bought by coming to a class!
Classes for remainder of 2006:
Why THESE cities? Because people used the "Suggest a city" form at https://www.gpanswers.com/suggest and ASKED me to have classes here.
Here's hoping you'll take advantage of the opportunity!
Learn more and sign up at: https://www.gpanswers.com/workshop
(Don't forget to scroll all the way to the bottom of that page and locate your city!)
Or, if you think you might want your own in-house training (with all the personalized attention that affords), I'd love to join you onsite!
If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan, or wherever! Have passport, will travel!
Again, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services, and Product Support Services teams at Microsoft!
Here's a testimonial from someone at a major upscale jewelry retailer who said his knowledge of Group Policy helped him and his SMS team be more efficient all around.
Jeremy, We actually use the SMS+ZTI (Zero Touch Installation) scripts you talked about in your last two newsletters. For us, we could only be successful with SMS+ZTI in conjunction with Group Policy settings -- a lot of which you taught. I made a Staging OU and redirected all new systems which get added to the domain to this new OU. The GPOs for this OU are quite restrictive. It makes the machine basically unusable. Heck, I make sure they're presented with POPUPS which instruct users to call the help center if they get the popup message. This forces our deployment team to move the machine to a correctly managed OU. Some additional things that I have accomplished via Group Policy since your class:
- Our new laptops come with Wireless cards. But, I needed to make sure they are initially disabled. Then, only turned on for the "right" people -- if you know what I mean. I created a wireless access GPO that disables the wireless service from starting (and removed administrators from enabling it as some extra protection.) I also used a technique in your class to guarantee who gets Wireless turned on, and who doesn't. So now when we want to enable the access it's just a quick change!
- I set up Restricted Groups for different OUs. This helped with Sarbanes Oxley's local admin requirements. Using a MOF through SMS we now report who has local admin rights.
- We implemented Microsoft Live Communicator -- through Group Policy we restrict the settings.
So yes, your class was very helpful in getting me on my way. I can only hope it helped other administrators "see the light" like I did! Thanks, Jeremy!
At GPanswers.com, we want to welcome the following sponsors to the Solutions Guide:
- FullArmor Corporation
- Smartline, inc.
Be sure to check out their cool tools and all other vendor's tools at the Solutions Guide.
Subscribe, Unsubscribe, and Usage Information
If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.
Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).
For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: https://www.gpanswers.com/newsletter
You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.
While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk. If you need personalized attention in any way, just email me: [email protected]. If you have questions about ordering a book, contact my assistant Jon at: [email protected]. I endeavor to respond to everyone who emails.
Thanks for reading!