
Apr 2006

In this issue:

  • Your opinion please!
  • Windows 2003/R2 Printer Magic
  • Get a signed copy of...
    • my GP book: Group Policy, Profiles and IntelliMirror
    • my Windows & Linux Integration book
  • Now Available: Private GP Course in "Less Intensive" format
  • Public Group Policy Intensive Training and Workshop Schedule Update
  • Subscribe, Unsubscribe, and Usage Information

It's all about more control, baby

This Newsletter’s “big topic” is printers, and deploying them via Group Policy. But, before I talk about that, I have to ask you folks a thing or two.

Thing #1:

  • Do you like these newsletters with one big topic in them?
  • Do you like the original format with lots of little questions and lots of little answers?

Send your one word vote of BIG or LITTLE to [email protected]. Or, if you have more than one word to say, you can do that too.

Thing #2:

Want to be famous? I’m working on a project which highlights “creative uses” for Group Policy. So, if you think you’ve got a special implementation using Group Policy—I want to hear about it. For instance, one company I know uses Group Policy to lock down PCs as cash-registers. That’s cool! Another company I know wrote some sweet custom scripts to automate their entire Group Policy universe. Wow! That’s the kind of stuff I want to hear! Or, do you have a special “process” behind your Group Policy that goes beyond the “in the box” delegation? Anything neat or cool—special implementations are what I’m looking for. And, like I said, you can have your name in lights (if you so choose).

Give me a paragraph or two on your cool implementation, and what you’re doing that makes your organization unique. Send to [email protected] with a subject line of SPECIAL.

Now, on with the show!

Be sure to read through to the end. I’ve got a gaggle of new dates and cities for the public Group Policy course for the rest of 2006.

Newsletter Sponsored by: DesktopStandard

Provide all of your Windows 2000, XP and Windows 2003 end-users easy access to the correct printers via Group Policy, today!

Configuring printers is one of the essential desktop management tasks for which there is no built-in Windows solution. DesktopStandard's PolicyMaker Standard Edition solves this issue and many others. It includes both Shared Printer policy and TCP/IP Printer policy for managing printer connections. Standard location-based filters allow targeting of print connections so that jobs can automatically print to the most appropriate printer based on where the computer is located.

Click the link to learn more: PolicyMaker Standard Edition

Windows 2003/R2 Printer Magic

Let me guess what one of your biggest headaches is.


Yes, it’s that “little thing we don’t like talking about much.” But, it’s been on my mind lately, so let’s figure out how we can “Do more with Group Policy!”

Are you one of Microsoft’s customers who is implementing Windows 2003/R2?

Or, are you one of Microsoft’s customers who just read the above line and is saying to themselves, “What the heck is Windows 2003/R2?”

Windows 2003/R2 can almost be thought of as “Windows Server 2006.” But that’s not what it’s called. It’s Windows 2003/R2. To use “R2” you need to load it upon a Windows 2003 Server with SP1. Then you load the R2 bits, and voila! You’ve got an R2 machine!

R2 has an armload of neat-o new features. And if you’re interested in reading about all the neat-o features it has, read here.

But only one of those features has any Group Policy-related goodness. But, oh friends, it is very good!

It’s the Print Management Component—a new add-in that R2 brings to the table. The Print Management component does a LOT of keen-o-rific stuff, like centrally manage almost all aspects of all of the printers on your Windows network. What’s not to like about that? And even better, it brings an extra superpower to the table: the ability to deploy printers to users or computers via Group Policy.

ZAAAP! You can just “beam” printers down to your mere mortals.

That’s right. You can now say “Whenever Sally moves from XPPRO1 to XPPRO12, she keeps her printer mappings.” Or, you can now say: “Whoever sits down at XPPRO5 will get the same printer settings.”

The god-like power you have using Group Policy is truly compelling!

Keen readers of my Group Policy book will note I had a tip (on pages 139-140 of the 3rd edition) about using loopback policy to perform the same idea. That is, by sitting down at any given machine you can dictate the printers. Now, finally, it’s part of the operating system.

Getting ready to perform the magic

Before we can get started with the Print Management Components, we need to perform several steps:

1. Update our Windows 2003 schema to the Windows 2003/R2 schema.

2a. If we want to use our Windows 2003 server as the place where we perform our printer management, we need to load the Print Management Component on our Windows 2003 machine.

2b. If we want to use a Windows XP machine as the place where we perform our printer management, we need to load the Adminpak for R2 tools on our management station.

Updating the schema and installing R2

Updating the schema is likely the hardest part of the job, because you’ll need approval from your Active Directory big-wigs that this is an OK procedure to do. Once you have approval, this operation is best performed directly upon the Schema Master in your domain.

The reason for the schema upgrade is that to-printer connection objects get a new “fast query” lookup via LDAP in Active Directory. This way, the Print Management Console (which we’ll explore in a bit) doesn’t have to inspect every GPO in the domain to figure out where printers are currently deployed.

Just pop in the R2 media. You are then presented with the option to “Continue Windows Server 2003 R2 Setup.” If you click that, however, you get the message seen below.


Figure 1: In order to upgrade Windows 2003 to R2, the schema must be upgraded.

The dialog box says it all. In short, you need to run the command adprep /forestprep, which is located on the R2 CD-ROM in the \cmpnents\r2\adprep directory.

Figure 2: Once you press ‘C’ to continue, your schema will be upgraded to the R2 schema.

From here, we’ll assume you want to test drive this on your Windows 2003 Server and upgrade it to R2. We’ll also assume that you want to manage your printers from there (as opposed to a Windows XP management station).

Once the schema update has been performed, you can then run the “R2Auto.exe” on the root of the R2 CD-ROM and select to “Continue Windows Server 2003 R2 Setup.” At this point, you may be informed that you have a service pack installed (and continuing will prevent any possibility of uninstalling it). Select “Yes.” Once you do, you’ll be at the “R2 Setup Wizard.” The Wizard is self-explanatory.  

Installing the Print Management Components

Next on the docket is loading the Print Management Component. Again, this is a comprehensive tool which allows you to manage many facets of your printer universe. To load the Print Management Component, go to Add/Remove Programs | Windows Components | Management and Monitoring tools and select Print Management Component, as seen below.

Figure 3: You can load the Print Management Console components into a Windows 2003/R2 server.

Note that next time the (annoying) Configure Your Server Wizard appears, you’ll see that it’s been installed as seen here:

Figure 4: The Configure Your Server Wizard now has a new option.

Now that the Print Management Components are loaded, you’re ready to deploy printers to either your users or your computers. You can do this “by hand” using the regular Group Policy editor snap-in, or using the tools provided in the Print Management console.

Deploying printers using GPOs

Let’s deploy printers by hand first using the Group Policy editor, then we’ll move on to the Print Management console.  

First step: Define Deployed Printers

To zap a printer down to your users or computers, you start out by creating a GPO and linking it to an OU containing either users or computers. Say, the Sales Users OU.

When you edit your next GPO, you’ll see a “Deployed Printers” node in both the computer and user half of the GPO along with a new Action called “Deploy Printer” in the Action menu as seen below.

Figure 5: You’ll be able to manage printers directly within the Group Policy Object editor.

Note that if you don’t see the “Deployed Printers” node, it’s likely that you don’t have the updated Adminpak tools on your management station (the computer from which you’re editing this GPO). To get the latest tools, get the R2 Adminpak here. Note that it isn’t “one big .msi” like Adminpak.msi. Rather, this is a collection of smaller files for specific updated components like the Print Console.

Once you select User Configuration | Deployed Printers | Deploy Printers (as seen in Figure 5) or Computer Configuration | Deployed Printers | Deploy Printers, you’ll be ready to blast new printer assignments down. Just type \\server\printer into the “Enter printer name” dialog (shown below), click Add, and you’re done.

Figure 6: Enter the UNC path of the printer you want to push.

Or are you? Here’s where the going gets tough. That is, just when you think you’ve got it super-easy, you need to go the last mile of this journey manually. All you’ve done right now is define which printer the folks affected by this GPO should get. But now you need to actually tell them to get it. That trick is done through a little executable program that you have to kick off via Login script (for printers assigned to users) or Startup script (for printers assigned to computers).

Second Step: Assign the PushPrinterConnections executable

The “moving part” to make the printer assignment is a little .exe called pushprinterconnections.exe. If you’re deploying printers to users, the .exe needs to be run in the user’s Login Script. If you’re deploying printers to computers, it needs to be run in the computer’s Startup Script.

The pushprinterconnections.exe gets placed on your R2 server in the windows\PMCSnap directory along with some other bits associated with the Print Management console (which we’ll talk about in a minute). You can see that here.

Figure 7: You’ll need to copy the pushprinterconnections.exe to each GPO’s script container.

The key point is that the location where it starts out isn’t the location where you need to run it from. Your job is to take the file and plunk it directly into the GPO itself. Here are the rough steps to do this:

  1. While editing the GPO, drill down to the script type (User Login, or Computer Startup).
  2. Click the Show Files button.
  3. Copy the pushprinterconnections.exe into the window that opens up.
  4. Back at the properties of the script, click Add, locate and select the pushprinterconnections.exe file.
  5. Click OK

Figure 8: Call the pushprinterconnections.exe from directly within the scripts portion of the GPO.

Note: If you want to enable troubleshooting logging information, type -log in the Script Parameters box. A per-user debug log file will be written to %temp%. A per-machine debug log will be written to %windir%\temp. (Note that these are totally different directories.) It’s worth noting that you shouldn’t use the -log parameter in a production environment—you wouldn’t want the utility filling up your client machine hard disks with megabytes of log files.

A quick “future looking” note about Vista. This utility isn’t required for Vista. The ability to push down printer connections is built in.

So, the first thing that PushPrinterConnections.exe does when you run it is to check if it is running on Windows Vista. If it is running on a Vista machine, the utility exits without doing anything. So network administrators don’t have to worry if they accidentally push the pushprinterconnections.exe utility down to Windows Vista clients.

The results!

At this point, you should see goodness when you log in as the user or restart the computer. Note that these printers won’t “change” during background refresh after you’re already logged in. That’s because the pushprinterconnections.exe only runs at login or startup.

Figure 9: Success on a Windows XP machine!

The easier way to do it (sort of)

We just deployed printers to our users or computers by hand using the Group Policy editor. However, there’s an alternate method: using the Print Management Console. The Print Management Console gives a “one stop shop view” of printers deployed via GPOs. In this list, you can see each of my printers (HPLaser1 and HPLaser2) and which GPOs they’re being dictated in, and which side—user or computer—is being forced.

Figure 10: The Deployed Printers node in the Print Management Console “hunts down” GPOs which are using the Deployed Printers feature.

However, the Print Management Console has another trick up its sleeve: the ability to zap printers directly by creating GPOs of its own.

Using the Print Management Console, just drill down to Print Management | Custom Printer Filters | All Printers, locate the printer you want to zap down to a computer or user, and select “Deploy with Group Policy”, as shown below.

Figure 11: You can see any printer in the Print Management Console and zap it down using Group Policy.

With no disrespect to the designers of R2, this is where it starts to get a little bit difficult to work with. It starts out innocently enough as you can see in the “Deploy with Group Policy” dialog box below.

Figure 12: The interface for deploying printers via GPOs using the Print Management Console.

The interface from here on out is, well, almost a throwback to pre-GPMC days…and we all hated those days. But that’s the interface we have here after we perform our next step.

The idea here is to click Browse and either find a GPO you happen to know is linked to a Site, Domain, or OU (because, of course, you have that memorized) or drill down into an OU and choose to create a new GPO that’s linked to the level you drilled down to. You can see this in Figure 13.

Figure 13: Click to create a new GPO to affect your target OU.

And, of course, you all knew that an icon of two people with a little star over their heads means “Create a new GPO and link it here.” Right? (Maybe not.) Thankfully, the tooltip tells the tale of the inexplicable icon.

Once you’ve created the GPO and linked it, it’s time to deploy the printer. Here you select which side of the house you want to deploy to: users, computers, or both. In my case, I’m deploying to Nurse Users, so I’m choosing users.

Now, here’s where you gotta stay with me—so I’ve numbered the steps like a “follow the bouncing ball.” Before I reveal these steps, I want to confess that I tried this procedure no less than 5 times before I finally figured it out.

Figure 14: Steps to deploy a printer using this dialog.

Why did I go through the painstaking trouble to number the steps and show you exactly where to click? Because the procedure is to:

  1. Choose the user and/or computer side of things.
  2. Click the Add button.
  3. Then click OK

In short, I kept missing the ADD button and was driving myself completely nuts! I think I was missing it because “Add” is ever-so-slightly higher in the dialog than the checkboxes, and my brain thought “Why would I need to click here? I should just click OK and be done.” But my brain was wrong. Learn from my brain.

Here’s the trick: Deploying printers via the Print Management Console doesn’t do 100% of the required steps. That is, while it puts the printer in place in the Deployed Printers node, it doesn’t jam the pushprinterconnections.exe into the Logon Script or Startup Script. This means you have to go back in, via the GPMC, edit the GPO, and jam in the pushprinterconnections.exe (basically, what I showed you in the first part of the article). Frustrating? A little, but now you know what you have to do!

If I’m missing something here, dear readers, don’t be shy. It’s a mystery to me why this whiz-bang Print Management console only does half the job while using the “Deploy with Group Policy” feature.
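A way to catch the “half the job” case described above, and a stray -log left in production, is to audit the GPO’s scripts.ini. This is an added example, not part of the original newsletter or of Microsoft’s tooling. It assumes the standard layout the Group Policy scripts extension writes to the GPO’s User\Scripts or Machine\Scripts folder in SYSVOL (numbered NCmdLine/NParameters pairs under [Logon] or [Startup]); the function names and the sample file contents are constructed for illustration.

```python
import re

TOOL = "pushprinterconnections.exe"
# Which scripts.ini section must launch the tool for each side of the GPO.
REQUIRED_SECTION = {"user": "logon", "computer": "startup"}

def parse_scripts_ini(text):
    """Parse scripts.ini text into {section: [(cmdline, parameters), ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")  # tolerate a leading BOM
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).lower(), {})
            continue
        entry = re.fullmatch(r"(\d+)(CmdLine|Parameters)=(.*)", line, re.I)
        if entry and current is not None:
            index, key, value = entry.groups()
            current.setdefault(int(index), {})[key.lower()] = value.strip()
    return {
        name: [(e.get("cmdline", ""), e.get("parameters", ""))
               for _, e in sorted(items.items())]
        for name, items in sections.items()
    }

def audit_gpo_scripts(scripts_ini_text, side):
    """Return finding codes for one side of a GPO ('user' or 'computer')."""
    entries = parse_scripts_ini(scripts_ini_text).get(REQUIRED_SECTION[side], [])
    hits = []
    for cmdline, params in entries:
        path = cmdline.strip('"').replace("/", "\\")
        if path.rsplit("\\", 1)[-1].lower() == TOOL:
            hits.append((path, params))
    if not hits:
        # Printer is defined under Deployed Printers but nothing pushes it.
        return ["missing-script"]
    findings = []
    for path, params in hits:
        if "\\" in path:
            # The article's procedure copies the .exe into the GPO itself,
            # so the command line should be the bare file name.
            findings.append("runs-outside-gpo")
        if "-log" in params.lower().split():
            findings.append("log-enabled")
    return findings

# Constructed sample contents (the real files are usually UTF-16 encoded;
# decode them before passing the text in).
PMC_ONLY = "[Logon]\n0CmdLine=maphome.cmd\n0Parameters=\n"
WITH_LOG = PMC_ONLY + "1CmdLine=pushprinterconnections.exe\n1Parameters=-log\n"
EXTERNAL = ("[Startup]\n0CmdLine="
            + r"\\fileserver\tools\PushPrinterConnections.exe"
            + "\n0Parameters=\n")

if __name__ == "__main__":
    for name, text, side in [("PMC_ONLY", PMC_ONLY, "user"),
                             ("WITH_LOG", WITH_LOG, "user"),
                             ("EXTERNAL", EXTERNAL, "computer")]:
        print(name, side, audit_gpo_scripts(text, side))
```

An empty list means the script is registered on the right side, runs from inside the GPO, and has logging off.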

Final thoughts

Clearly, this ability to zap printers down to either users or computers is a nice leap forward. But, the bad news is subtle: That is, this new magic isn’t built on the client-side extension goodness that IS Group Policy. Rather, this is a little hack that Microsoft put together to zap printers down to users. What I’d like to see is the ability for users to get a changed GPO, and have the printers change on the fly with the background refresh interval. It’s not there yet, but appears to be coming soon with Vista.

One more note about all this before we move on:

  • Windows 2000 machines only support per-user printer connections.
  • Windows XP or Windows 2003 support per-user or per-computer printer connections.

Finally, if you want to learn more about the Print Management Console for the other goodies it brings to the table, be sure to read the “Print Management Step-by-Step Guide for Windows Server 2003 R2” found here.  

Get signed copies of...

Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000 (THIRD EDITION)


Windows & Linux Integration: Hands on Solutions for a Mixed Environment

Do you have the new THIRD EDITION of the Group Policy book? It's got 50 new pages, fully covers XP/SP2 and Windows Server 2003/SP1, an armload of new tidbits here and there, and a whole new section on the Security Configuration Wizard.

Order your signed copy today by clicking here.

Additionally available is my new title Windows & Linux Integration: Hands on Solutions for a Mixed Environment

Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here: (GPO book) (WinLin book)  

Now Available: Private GP Course in "Less Intensive" format

Everyone knows the two-day Group Policy course is really three days of material packed into two intensive days. However, some customers have asked for a "Less Intensive" format.

Your wish has been granted!

This course starts with a half day warm-up of Active Directory, managing users, and delegating permissions. Then, we move on to the Group Policy goodies. This way, those with less Group Policy and day-to-day administration experience can get a bit of the fundamentals before diving into the Group Policy waters.

This "three-day Less Intensive" option is ONLY available as a private course. Note, the "two-day intensive" option is available as either a private or a public course.

Learn more about the Group Policy courses here.

Public Group Policy Intensive Training and Workshop Schedule Update

I've basically lost count at this point of how many people have signed up and taken the two-day Group Policy Intensive training and workshop. Students LOVE it, and managers LOVE the results the training gives.

You BOUGHT and IMPLEMENTED Active Directory—now DO SOMETHING with it.

So, learn to properly drive that "Ferrari" you bought by coming to a class!

Classes for remainder of 2006:

June 7–8: Austin, TX (by popular demand!)
July 11–12: Denver, CO
Aug 23–24: Phoenix, AZ
Oct 24–25: Portland, OR
Nov 21–22: Seattle, WA

Why THESE cities? Because people used the "Suggest a city" form at and ASKED me to have classes here.

Here's hoping you'll take advantage of the opportunity!

Learn more and sign up at:
(Don't forget to scroll all the way to the bottom of that page and locate your city!)

Or, if you think you might want your own in-house training (with all the personalized attention that affords), I'd love to join you onsite!

If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan—or wherever! Have passport, will travel!

Again, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services, and Product Support Services teams at Microsoft!

For a public class, sign up online at:
For a private class, just contact me at [email protected] or call me at 302-351-8408.

Here's a testimonial from someone at a major upscale jewelry retailer who said his knowledge of Group Policy helped him and his SMS team be more efficient all around.

Jeremy, We actually use the SMS+ZTI (Zero Touch Installation) scripts you talked about in your last two newsletters. For us, we could only be successful with SMS+ZTI in conjunction with Group Policy settings -- a lot of which you taught. I made a Staging OU and redirected all new systems which get added to the domain to this new OU. The GPOs for this OU are quite restrictive. It makes the machine basically unusable. Heck, I make sure they’re presented with POPUPS which instruct users to call the help center if they get the popup message. This forces our deployment team to move the machine to a correctly managed OU. Some additional things that have been accomplished via Group Policy since your class:
  • Our new laptops come with Wireless cards. But, I needed to make sure they are initially disabled. Then, only turned on for the “right” people -- if you know what I mean. I created a wireless access GPO that disables the wireless service from starting (and removed administrators from enabling it as some extra protection.) I also used a technique in your class to guarantee who gets Wireless turned on, and who doesn’t. So now when we want to enable the access it’s just a quick change!
  • I set up Restricted Groups for different OU’s. This helped with Sarbanes Oxley’s local admin requirements. Using a MOF through SMS we now report who has local admin rights.
  • We implemented Microsoft Live Communicator – through Group Policy we restrict the settings.
So yes, your class was very helpful in getting me on my way. I can only hope it helped other administrators “see the light” like I did! Thanks, Jeremy!

Sponsor Update

At, we want to welcome the following sponsors to the Solutions Guide:

  • FullArmor Corporation
  • Smartline, inc.

Be sure to check out their cool tools and all other vendors' tools at the Solutions Guide.

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address:

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk. If you need personalized attention in any way, just email me: [email protected]. If you have questions about ordering a book, contact my assistant Jon at: [email protected]. I endeavor to respond to everyone who emails.

Thanks for reading!
