| Author | Messages | |
kcnychief
Posts:0
 | | 03/06/2009 3:00 PM |
| I am working on deploying Group Policy Preferences, and did a test to
install a printer based on the user security group membership. The first
question I had, was if I should do a create or update since the same queue
exists but needs to be updated. If it is set to update, I'm assuming it
won't "create" (install if it doesn't exist), but if I set to "create", what
happens if the queue already exists? Would it still cleanup as necessary,
and then set as default?
I thought about setting an action before that to delete the printer with
that queue name, but it would do that every time essentially putting it in a
loop (delete, create).
Also - from what I understand this uses WMI to operate, and it made my
initial logon for testing last almost 30 minutes whereas it normally takes
less than 30 seconds. The test user was logging into Windows Vista SP1 as a
"User".
Derek
| | | |
| Syspro
Posts:0
| | 03/06/2009 3:46 PM |
| Hi Derek,
"Create" means "Create if it does not exist, otherwise do nothing"
"Update" means "Create if it does not exist, otherwise reapply the settings"
"Replace" means "Delete it and recreate it"
As to performance, I have found the performance to be pretty snappy, i.e
seconds at most. If you are getting a 30 minute delay it is probably related
to problems installing the printer driver. Darren would advise that you look
at the event logging for Group Policy Processing to see where the delay is,
I would recommend that you activate verbose logging and use my Policy Log
Reporter software to see what is going on!
Alan Cuthbertson
Policy Management Software (Now with ADMX and Preference support):-
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml>
&f=pol_summary.shtml
ADM Template Editor(Now with ADMX support):-
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml>
&f=adm_summary.shtml
Policy Log Reporter - including Preference logging(Free)
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml>
&f=policyreporter.shtml
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
On Behalf Of Derek Rose
Sent: Saturday, 7 March 2009 6:55 AM
To: xxxxxxxxxxxxxxxx
Subject: [gptalk] GPP and Printers based on Security Group
I am working on deploying Group Policy Preferences, and did a test to
install a printer based on the user security group membership. The first
question I had, was if I should do a create or update since the same queue
exists but needs to be updated. If it is set to update, I'm assuming it
won't "create" (install if it doesn't exist), but if I set to "create", what
happens if the queue already exists? Would it still cleanup as necessary,
and then set as default?
I thought about setting an action before that to delete the printer with
that queue name, but it would do that every time essentially putting it in a
loop (delete, create).
Also - from what I understand this uses WMI to operate, and it made my
initial logon for testing last almost 30 minutes whereas it normally takes
less than 30 seconds. The test user was logging into Windows Vista SP1 as a
"User".
Derek
| | | |
| kcnychief
Posts:0
| | 03/07/2009 9:05 AM |
| Thanks - I was having a little bit of trouble figuring out what the
create/update/replace actually did. Can you point me in the right direction
of viewing the logs for GPP?
I know by default, the standard user I tried to login with to test would not
be able to install the printer drivers since they would be presented with a
UAC prompt and require an account with elevated privileges. I'm assuming
that is the problem - and wondering if I can stage the drivers or push them
out some how? I was looking at the Vista Point and Print, but need to read
that over a little more to see if that will fix my issue with this. My
guess atm is that it has to do with the driver not getting installed for
lack of privileges.
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
On Behalf Of Alan and Margaret Cuthbertson
Sent: Friday, March 06, 2009 3:40 PM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] GPP and Printers based on Security Group
Hi Derek,
"Create" means "Create if it does not exist, otherwise do nothing"
"Update" means "Create if it does not exist, otherwise reapply the settings"
"Replace" means "Delete it and recreate it"
As to performance, I have found the performance to be pretty snappy, i.e
seconds at most. If you are getting a 30 minute delay it is probably related
to problems installing the printer driver. Darren would advise that you look
at the event logging for Group Policy Processing to see where the delay is,
I would recommend that you activate verbose logging and use my Policy Log
Reporter software to see what is going on!
Alan Cuthbertson
Policy Management Software (Now with ADMX and Preference support):-
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml>
&f=pol_summary.shtml
ADM Template Editor(Now with ADMX support):-
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml>
&f=adm_summary.shtml
Policy Log Reporter - including Preference logging(Free)
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml>
&f=policyreporter.shtml
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
On Behalf Of Derek Rose
Sent: Saturday, 7 March 2009 6:55 AM
To: xxxxxxxxxxxxxxxx
Subject: [gptalk] GPP and Printers based on Security Group
I am working on deploying Group Policy Preferences, and did a test to
install a printer based on the user security group membership. The first
question I had, was if I should do a create or update since the same queue
exists but needs to be updated. If it is set to update, I'm assuming it
won't "create" (install if it doesn't exist), but if I set to "create", what
happens if the queue already exists? Would it still cleanup as necessary,
and then set as default?
I thought about setting an action before that to delete the printer with
that queue name, but it would do that every time essentially putting it in a
loop (delete, create).
Also - from what I understand this uses WMI to operate, and it made my
initial logon for testing last almost 30 minutes whereas it normally takes
less than 30 seconds. The test user was logging into Windows Vista SP1 as a
"User".
Derek
| | | |
| kcnychief
Posts:0
| | 03/07/2009 9:16 AM |
| Sorry to reply to my reply, but wanted to point out that I'm running the
printer mapping under the user context since access to printers are
controlled by Security Groups and local system wouldn't have access to it.
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
On Behalf Of Derek Rose
Sent: Saturday, March 07, 2009 8:58 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] GPP and Printers based on Security Group
Thanks - I was having a little bit of trouble figuring out what the
create/update/replace actually did. Can you point me in the right direction
of viewing the logs for GPP?
I know by default, the standard user I tried to login with to test would not
be able to install the printer drivers since they would be presented with a
UAC prompt and require an account with elevated privileges. I'm assuming
that is the problem - and wondering if I can stage the drivers or push them
out some how? I was looking at the Vista Point and Print, but need to read
that over a little more to see if that will fix my issue with this. My
guess atm is that it has to do with the driver not getting installed for
lack of privileges.
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
On Behalf Of Alan and Margaret Cuthbertson
Sent: Friday, March 06, 2009 3:40 PM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] GPP and Printers based on Security Group
Hi Derek,
"Create" means "Create if it does not exist, otherwise do nothing"
"Update" means "Create if it does not exist, otherwise reapply the settings"
"Replace" means "Delete it and recreate it"
As to performance, I have found the performance to be pretty snappy, i.e
seconds at most. If you are getting a 30 minute delay it is probably related
to problems installing the printer driver. Darren would advise that you look
at the event logging for Group Policy Processing to see where the delay is,
I would recommend that you activate verbose logging and use my Policy Log
Reporter software to see what is going on!
Alan Cuthbertson
Policy Management Software (Now with ADMX and Preference support):-
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml>
&f=pol_summary.shtml
ADM Template Editor(Now with ADMX support):-
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml>
&f=adm_summary.shtml
Policy Log Reporter - including Preference logging(Free)
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml>
&f=policyreporter.shtml
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
On Behalf Of Derek Rose
Sent: Saturday, 7 March 2009 6:55 AM
To: xxxxxxxxxxxxxxxx
Subject: [gptalk] GPP and Printers based on Security Group
I am working on deploying Group Policy Preferences, and did a test to
install a printer based on the user security group membership. The first
question I had, was if I should do a create or update since the same queue
exists but needs to be updated. If it is set to update, I'm assuming it
won't "create" (install if it doesn't exist), but if I set to "create", what
happens if the queue already exists? Would it still cleanup as necessary,
and then set as default?
I thought about setting an action before that to delete the printer with
that queue name, but it would do that every time essentially putting it in a
loop (delete, create).
Also - from what I understand this uses WMI to operate, and it made my
initial logon for testing last almost 30 minutes whereas it normally takes
less than 30 seconds. The test user was logging into Windows Vista SP1 as a
"User".
Derek
| | | |
| Darren
Posts:103
| | 03/07/2009 10:58 AM |
| Derek-
This is an interesting problem because my assumption would be that by using
the user context, the driver installation would fail. But I would not guess
that you would have to use user context in order for the group-based
item-level targeting to work because that should be independent of the
driver installation. However this does point out an interesting question.
What I would suggest is that you start by looking in the Operational Logs
for Group Policy in the Event Viewer. They are under Applications and
Services Logs\Microsoft\Windows\Group Policy. See if you see any errors
related to GP processing in there as a place to start. The other thing you
might want to do is to download the ADMX files that are specific to GPP
logging and enable the Printers Policy Logging, as shown below, on one or
more target systems. When you load up the ADMX and ADML file for GPP
(downloadable from
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=927f
c7e3-853c-410a-acb5-9062c76142fa . Choose the preferences.msi file) it will
appear under Computer Config\Admin Templates\System\Group Policy\Logging and
Tracing
That will probably point the way or at least give you a hint as to what is
going on.
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
On Behalf Of Derek Rose
Sent: Saturday, March 07, 2009 6:09 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] GPP and Printers based on Security Group
Sorry to reply to my reply, but wanted to point out that I'm running the
printer mapping under the user context since access to printers are
controlled by Security Groups and local system wouldn't have access to it.
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
On Behalf Of Derek Rose
Sent: Saturday, March 07, 2009 8:58 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] GPP and Printers based on Security Group
Thanks - I was having a little bit of trouble figuring out what the
create/update/replace actually did. Can you point me in the right direction
of viewing the logs for GPP?
I know by default, the standard user I tried to login with to test would not
be able to install the printer drivers since they would be presented with a
UAC prompt and require an account with elevated privileges. I'm assuming
that is the problem - and wondering if I can stage the drivers or push them
out some how? I was looking at the Vista Point and Print, but need to read
that over a little more to see if that will fix my issue with this. My
guess atm is that it has to do with the driver not getting installed for
lack of privileges.
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
On Behalf Of Alan and Margaret Cuthbertson
Sent: Friday, March 06, 2009 3:40 PM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] GPP and Printers based on Security Group
Hi Derek,
"Create" means "Create if it does not exist, otherwise do nothing"
"Update" means "Create if it does not exist, otherwise reapply the settings"
"Replace" means "Delete it and recreate it"
As to performance, I have found the performance to be pretty snappy, i.e
seconds at most. If you are getting a 30 minute delay it is probably related
to problems installing the printer driver. Darren would advise that you look
at the event logging for Group Policy Processing to see where the delay is,
I would recommend that you activate verbose logging and use my Policy Log
Reporter software to see what is going on!
Alan Cuthbertson
Policy Management Software (Now with ADMX and Preference support):-
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml>
&f=pol_summary.shtml
ADM Template Editor(Now with ADMX support):-
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml>
&f=adm_summary.shtml
Policy Log Reporter - including Preference logging(Free)
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml>
&f=policyreporter.shtml
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
On Behalf Of Derek Rose
Sent: Saturday, 7 March 2009 6:55 AM
To: xxxxxxxxxxxxxxxx
Subject: [gptalk] GPP and Printers based on Security Group
I am working on deploying Group Policy Preferences, and did a test to
install a printer based on the user security group membership. The first
question I had, was if I should do a create or update since the same queue
exists but needs to be updated. If it is set to update, I'm assuming it
won't "create" (install if it doesn't exist), but if I set to "create", what
happens if the queue already exists? Would it still cleanup as necessary,
and then set as default?
I thought about setting an action before that to delete the printer with
that queue name, but it would do that every time essentially putting it in a
loop (delete, create).
Also - from what I understand this uses WMI to operate, and it made my
initial logon for testing last almost 30 minutes whereas it normally takes
less than 30 seconds. The test user was logging into Windows Vista SP1 as a
"User".
Derek
| | | |
| Syspro
Posts:0
| | 03/07/2009 4:25 PM |
| Hi Derek,
Darren's information is spot on. Once you have enabled the policy and got
the trace logs, you may find them a little difficult to read. As I
mentioned, my Policy Log Reporter software will load the trace and display
it in a more meaningful way. If you give it a go, I would appreciate
feedback on how useful you found it and any improvements you can suggest.
Alternatively/as well, I would appreciate it if you would send me the trace
so I can also see how well my software handles it.
Alan Cuthbertson
Policy Management Software (Now with ADMX and Preference support):-
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml>
&f=pol_summary.shtml
ADM Template Editor(Now with ADMX support):-
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml>
&f=adm_summary.shtml
Policy Log Reporter - including Preference logging(Free)
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml>
&f=policyreporter.shtml
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Sunday, 8 March 2009 2:52 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] GPP and Printers based on Security Group
Derek-
This is an interesting problem because my assumption would be that by using
the user context, the driver installation would fail. But I would not guess
that you would have to use user context in order for the group-based
item-level targeting to work because that should be independent of the
driver installation. However this does point out an interesting question.
What I would suggest is that you start by looking in the Operational Logs
for Group Policy in the Event Viewer. They are under Applications and
Services Logs\Microsoft\Windows\Group Policy. See if you see any errors
related to GP processing in there as a place to start. The other thing you
might want to do is to download the ADMX files that are specific to GPP
logging and enable the Printers Policy Logging, as shown below, on one or
more target systems. When you load up the ADMX and ADML file for GPP
(downloadable from
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=927f
c7e3-853c-410a-acb5-9062c76142fa . Choose the preferences.msi file) it will
appear under Computer Config\Admin Templates\System\Group Policy\Logging and
Tracing
That will probably point the way or at least give you a hint as to what is
going on.
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
On Behalf Of Derek Rose
Sent: Saturday, March 07, 2009 6:09 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] GPP and Printers based on Security Group
Sorry to reply to my reply, but wanted to point out that I'm running the
printer mapping under the user context since access to printers are
controlled by Security Groups and local system wouldn't have access to it.
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
On Behalf Of Derek Rose
Sent: Saturday, March 07, 2009 8:58 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] GPP and Printers based on Security Group
Thanks - I was having a little bit of trouble figuring out what the
create/update/replace actually did. Can you point me in the right direction
of viewing the logs for GPP?
I know by default, the standard user I tried to login with to test would not
be able to install the printer drivers since they would be presented with a
UAC prompt and require an account with elevated privileges. I'm assuming
that is the problem - and wondering if I can stage the drivers or push them
out some how? I was looking at the Vista Point and Print, but need to read
that over a little more to see if that will fix my issue with this. My
guess atm is that it has to do with the driver not getting installed for
lack of privileges.
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
On Behalf Of Alan and Margaret Cuthbertson
Sent: Friday, March 06, 2009 3:40 PM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] GPP and Printers based on Security Group
Hi Derek,
"Create" means "Create if it does not exist, otherwise do nothing"
"Update" means "Create if it does not exist, otherwise reapply the settings"
"Replace" means "Delete it and recreate it"
As to performance, I have found the performance to be pretty snappy, i.e
seconds at most. If you are getting a 30 minute delay it is probably related
to problems installing the printer driver. Darren would advise that you look
at the event logging for Group Policy Processing to see where the delay is,
I would recommend that you activate verbose logging and use my Policy Log
Reporter software to see what is going on!
Alan Cuthbertson
Policy Management Software (Now with ADMX and Preference support):-
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml>
&f=pol_summary.shtml
ADM Template Editor(Now with ADMX support):-
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml>
&f=adm_summary.shtml
Policy Log Reporter - including Preference logging(Free)
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml>
&f=policyreporter.shtml
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
On Behalf Of Derek Rose
Sent: Saturday, 7 March 2009 6:55 AM
To: xxxxxxxxxxxxxxxx
Subject: [gptalk] GPP and Printers based on Security Group
I am working on deploying Group Policy Preferences, and did a test to
install a printer based on the user security group membership. The first
question I had, was if I should do a create or update since the same queue
exists but needs to be updated. If it is set to update, I'm assuming it
won't "create" (install if it doesn't exist), but if I set to "create", what
happens if the queue already exists? Would it still cleanup as necessary,
and then set as default?
I thought about setting an action before that to delete the printer with
that queue name, but it would do that every time essentially putting it in a
loop (delete, create).
Also - from what I understand this uses WMI to operate, and it made my
initial logon for testing last almost 30 minutes whereas it normally takes
less than 30 seconds. The test user was logging into Windows Vista SP1 as a
"User".
Derek
| | | |
| kcnychief
Posts:0
| | 03/07/2009 8:38 PM |
| Thanks Alan and Darren, I'm interested to get this resolved. I installed
preferences.msi from the link provided, but don't seem to have the Logging
and Tracing Entry -
I don't know if I'm looking in the wrong place, but that is the default
domain policy for our domain. I did also download the 2008 ADMX files and
installed those, no change.
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
On Behalf Of Alan and Margaret Cuthbertson
Sent: Saturday, March 07, 2009 4:19 PM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] GPP and Printers based on Security Group
Hi Derek,
Darren's information is spot on. Once you have enabled the policy and got
the trace logs, you may find them a little difficult to read. As I
mentioned, my Policy Log Reporter software will load the trace and display
it in a more meaningful way. If you give it a go, I would appreciate
feedback on how useful you found it and any improvements you can suggest.
Alternatively/as well, I would appreciate it if you would send me the trace
so I can also see how well my software handles it.
Alan Cuthbertson
Policy Management Software (Now with ADMX and Preference support):-
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml>
&f=pol_summary.shtml
ADM Template Editor(Now with ADMX support):-
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml>
&f=adm_summary.shtml
Policy Log Reporter - including Preference logging(Free)
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml>
&f=policyreporter.shtml
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Sunday, 8 March 2009 2:52 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] GPP and Printers based on Security Group
Derek-
This is an interesting problem because my assumption would be that by using
the user context, the driver installation would fail. But I would not guess
that you would have to use user context in order for the group-based
item-level targeting to work because that should be independent of the
driver installation. However this does point out an interesting question.
What I would suggest is that you start by looking in the Operational Logs
for Group Policy in the Event Viewer. They are under Applications and
Services Logs\Microsoft\Windows\Group Policy. See if you see any errors
related to GP processing in there as a place to start. The other thing you
might want to do is to download the ADMX files that are specific to GPP
logging and enable the Printers Policy Logging, as shown below, on one or
more target systems. When you load up the ADMX and ADML file for GPP
(downloadable from
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=927f
c7e3-853c-410a-acb5-9062c76142fa . Choose the preferences.msi file) it will
appear under Computer Config\Admin Templates\System\Group Policy\Logging and
Tracing
That will probably point the way or at least give you a hint as to what is
going on.
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
On Behalf Of Derek Rose
Sent: Saturday, March 07, 2009 6:09 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] GPP and Printers based on Security Group
Sorry to reply to my reply, but wanted to point out that I'm running the
printer mapping under the user context since access to printers are
controlled by Security Groups and local system wouldn't have access to it.
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
On Behalf Of Derek Rose
Sent: Saturday, March 07, 2009 8:58 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] GPP and Printers based on Security Group
Thanks - I was having a little bit of trouble figuring out what the
create/update/replace actually did. Can you point me in the right direction
of viewing the logs for GPP?
I know by default, the standard user I tried to login with to test would not
be able to install the printer drivers since they would be presented with a
UAC prompt and require an account with elevated privileges. I'm assuming
that is the problem - and wondering if I can stage the drivers or push them
out some how? I was looking at the Vista Point and Print, but need to read
that over a little more to see if that will fix my issue with this. My
guess atm is that it has to do with the driver not getting installed for
lack of privileges.
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
On Behalf Of Alan and Margaret Cuthbertson
Sent: Friday, March 06, 2009 3:40 PM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] GPP and Printers based on Security Group
Hi Derek,
"Create" means "Create if it does not exist, otherwise do nothing"
"Update" means "Create if it does not exist, otherwise reapply the settings"
"Replace" means "Delete it and recreate it"
As to performance, I have found the performance to be pretty snappy, i.e
seconds at most. If you are getting a 30 minute delay it is probably related
to problems installing the printer driver. Darren would advise that you look
at the event logging for Group Policy Processing to see where the delay is,
I would recommend that you activate verbose logging and use my Policy Log
Reporter software to see what is going on!
Alan Cuthbertson
Policy Management Software (Now with ADMX and Preference support):-
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml>
&f=pol_summary.shtml
ADM Template Editor(Now with ADMX support):-
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml>
&f=adm_summary.shtml
Policy Log Reporter - including Preference logging(Free)
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml>
&f=policyreporter.shtml
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
On Behalf Of Derek Rose
Sent: Saturday, 7 March 2009 6:55 AM
To: xxxxxxxxxxxxxxxx
Subject: [gptalk] GPP and Printers based on Security Group
I am working on deploying Group Policy Preferences, and did a test to
install a printer based on the user security group membership. The first
question I had, was if I should do a create or update since the same queue
exists but needs to be updated. If it is set to update, I'm assuming it
won't "create" (install if it doesn't exist), but if I set to "create", what
happens if the queue already exists? Would it still cleanup as necessary,
and then set as default?
I thought about setting an action before that to delete the printer with
that queue name, but it would do that every time essentially putting it in a
loop (delete, create).
Also - from what I understand this uses WMI to operate, and it made my
initial logon for testing last almost 30 minutes whereas it normally takes
less than 30 seconds. The test user was logging into Windows Vista SP1 as a
"User".
Derek
| | | |
| Darren
Posts:103
| | 03/08/2009 1:04 PM |
| Where did you install the ADMX and ADML files? Just running the MSI doesn't
get you all the way. You actually need to copy the ADMX files from
C:\program files\Microsoft Group Policy\Preferences\PolicyDefinitions into
c:\windows\policydefinitions (or into SYSVOL if you are using the Central
Store) and the ADML files into c:\windows\policydefinitions\en-us (assuming
you are using US English Windows).
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
On Behalf Of Derek Rose
Sent: Saturday, March 07, 2009 5:32 PM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] GPP and Printers based on Security Group
Thanks Alan and Darren, I'm interested to get this resolved. I installed
preferences.msi from the link provided, but don't seem to have the Logging
and Tracing Entry -
I don't know if I'm looking in the wrong place, but that is the default
domain policy for our domain. I did also download the 2008 ADMX files and
installed those, no change.
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
On Behalf Of Alan and Margaret Cuthbertson
Sent: Saturday, March 07, 2009 4:19 PM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] GPP and Printers based on Security Group
Hi Derek,
Darren's information is spot on. Once you have enabled the policy and got
the trace logs, you may find them a little difficult to read. As I
mentioned, my Policy Log Reporter software will load the trace and display
it in a more meaningful way. If you give it a go, I would appreciate
feedback on how useful you found it and any improvements you can suggest.
Alternatively/as well, I would appreciate it if you would send me the trace
so I can also see how well my software handles it.
Alan Cuthbertson
Policy Management Software (Now with ADMX and Preference support):-
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml>
&f=pol_summary.shtml
ADM Template Editor(Now with ADMX support):-
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml>
&f=adm_summary.shtml
Policy Log Reporter - including Preference logging(Free)
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml>
&f=policyreporter.shtml
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Sunday, 8 March 2009 2:52 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] GPP and Printers based on Security Group
Derek-
This is an interesting problem because my assumption would be that by using
the user context, the driver installation would fail. But I would not guess
that you would have to use user context in order for the group-based
item-level targeting to work because that should be independent of the
driver installation. However this does point out an interesting question.
What I would suggest is that you start by looking in the Operational Logs
for Group Policy in the Event Viewer. They are under Applications and
Services Logs\Microsoft\Windows\Group Policy. See if you see any errors
related to GP processing in there as a place to start. The other thing you
might want to do is to download the ADMX files that are specific to GPP
logging and enable the Printers Policy Logging, as shown below, on one or
more target systems. When you load up the ADMX and ADML file for GPP
(downloadable from
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=927f
c7e3-853c-410a-acb5-9062c76142fa . Choose the preferences.msi file) it will
appear under Computer Config\Admin Templates\System\Group Policy\Logging and
Tracing
That will probably point the way or at least give you a hint as to what is
going on.
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
On Behalf Of Derek Rose
Sent: Saturday, March 07, 2009 6:09 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] GPP and Printers based on Security Group
Sorry to reply to my reply, but wanted to point out that I'm running the
printer mapping under the user context since access to printers are
controlled by Security Groups and local system wouldn't have access to it.
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
On Behalf Of Derek Rose
Sent: Saturday, March 07, 2009 8:58 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] GPP and Printers based on Security Group
Thanks - I was having a little bit of trouble figuring out what the
create/update/replace actually did. Can you point me in the right direction
of viewing the logs for GPP?
I know by default, the standard user I tried to login with to test would not
be able to install the printer drivers since they would be presented with a
UAC prompt and require an account with elevated privileges. I'm assuming
that is the problem - and wondering if I can stage the drivers or push them
out some how? I was looking at the Vista Point and Print, but need to read
that over a little more to see if that will fix my issue with this. My
guess atm is that it has to do with the driver not getting installed for
lack of privileges.
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
On Behalf Of Alan and Margaret Cuthbertson
Sent: Friday, March 06, 2009 3:40 PM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] GPP and Printers based on Security Group
Hi Derek,
"Create" means "Create if it does not exist, otherwise do nothing"
"Update" means "Create if it does not exist, otherwise reapply the settings"
"Replace" means "Delete it and recreate it"
As to performance, I have found the performance to be pretty snappy, i.e
seconds at most. If you are getting a 30 minute delay it is probably related
to problems installing the printer driver. Darren would advise that you look
at the event logging for Group Policy Processing to see where the delay is,
I would recommend that you activate verbose logging and use my Policy Log
Reporter software to see what is going on!
Alan Cuthbertson
Policy Management Software (Now with ADMX and Preference support):-
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml>
&f=pol_summary.shtml
ADM Template Editor(Now with ADMX support):-
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml>
&f=adm_summary.shtml
Policy Log Reporter - including Preference logging(Free)
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml>
&f=policyreporter.shtml
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
On Behalf Of Derek Rose
Sent: Saturday, 7 March 2009 6:55 AM
To: xxxxxxxxxxxxxxxx
Subject: [gptalk] GPP and Printers based on Security Group
I am working on deploying Group Policy Preferences, and did a test to
install a printer based on the user security group membership. The first
question I had, was if I should do a create or update since the same queue
exists but needs to be updated. If it is set to update, I'm assuming it
won't "create" (install if it doesn't exist), but if I set to "create", what
happens if the queue already exists? Would it still cleanup as necessary,
and then set as default?
I thought about setting an action before that to delete the printer with
that queue name, but it would do that every time essentially putting it in a
loop (delete, create).
Also - from what I understand this uses WMI to operate, and it made my
initial logon for testing last almost 30 minutes whereas it normally takes
less than 30 seconds. The test user was logging into Windows Vista SP1 as a
"User".
Derek
| | | |
| kcnychief
Posts:0
| | 03/09/2009 7:18 AM |
| I will have to double-check my file locations. That being said, I cleared
the box for user context for the printer install and made a little progress.
The logon was within 10 seconds (much better), but the printer failed to
install due to an access denied message under the Application log on the
target machine -
As far as the GPP goes, it appears that component is functional. As the
logged in user I can manually connect to the printer, so it's not a printer
access problem it is more than likely a problem installing the driver. I
could use Point and Print Restrictions to deploy the printer through GPO,
but based on my understanding that would require a separate GPO per printer
which would not be a good approach. Elevating users is not an option, so it
appears I need to research how I can allow standard users to be able to
install printer drivers on their machines.
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Sunday, March 08, 2009 12:55 PM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] GPP and Printers based on Security Group
Where did you install the ADMX and ADML files? Just running the MSI doesn't
get you all the way. You actually need to copy the ADMX files from
C:\program files\Microsoft Group Policy\Preferences\PolicyDefinitions into
c:\windows\policydefinitions (or into SYSVOL if you are using the Central
Store) and the ADML files into c:\windows\policydefinitions\en-us (assuming
you are using US English Windows).
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
On Behalf Of Derek Rose
Sent: Saturday, March 07, 2009 5:32 PM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] GPP and Printers based on Security Group
Thanks Alan and Darren, I'm interested to get this resolved. I installed
preferences.msi from the link provided, but don't seem to have the Logging
and Tracing Entry -
I don't know if I'm looking in the wrong place, but that is the default
domain policy for our domain. I did also download the 2008 ADMX files and
installed those, no change.
| | | |
| Darren
Posts:103
| | 03/09/2009 11:57 PM |
| Derek-
Have you tried disabling the policy at User Configuration\Admin
Templates\Control Panel\Printers\Point and Print Restrictions?
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
On Behalf Of Derek Rose
Sent: Monday, March 09, 2009 4:11 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] GPP and Printers based on Security Group
I will have to double-check my file locations. That being said, I cleared
the box for user context for the printer install and made a little progress.
The logon was within 10 seconds (much better), but the printer failed to
install due to an access denied message under the Application log on the
target machine -
As far as the GPP goes, it appears that component is functional. As the
logged in user I can manually connect to the printer, so it's not a printer
access problem it is more than likely a problem installing the driver. I
could use Point and Print Restrictions to deploy the printer through GPO,
but based on my understanding that would require a separate GPO per printer
which would not be a good approach. Elevating users is not an option, so it
appears I need to research how I can allow standard users to be able to
install printer drivers on their machines.
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Sunday, March 08, 2009 12:55 PM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] GPP and Printers based on Security Group
Where did you install the ADMX and ADML files? Just running the MSI doesn't
get you all the way. You actually need to copy the ADMX files from
C:\program files\Microsoft Group Policy\Preferences\PolicyDefinitions into
c:\windows\policydefinitions (or into SYSVOL if you are using the Central
Store) and the ADML files into c:\windows\policydefinitions\en-us (assuming
you are using US English Windows).
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
On Behalf Of Derek Rose
Sent: Saturday, March 07, 2009 5:32 PM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] GPP and Printers based on Security Group
Thanks Alan and Darren, I'm interested to get this resolved. I installed
preferences.msi from the link provided, but don't seem to have the Logging
and Tracing Entry -
I don't know if I'm looking in the wrong place, but that is the default
domain policy for our domain. I did also download the 2008 ADMX files and
installed those, no change.
| | | |
| kcnychief
Posts:0
| | 03/10/2009 8:02 AM |
| I did actually - I also found out that it only seems to happen when I remove
the "everyone" group from having access to the printer. Adding it back and
making the change you mentioned is now giving me errors related to an
unknown print spooler.
I have to put this on hold for a little while as a few things are taking
priority. I'll update this thread when I revisit it in a week or so,
thanks!
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Monday, March 09, 2009 11:52 PM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] GPP and Printers based on Security Group
Derek-
Have you tried disabling the policy at User Configuration\Admin
Templates\Control Panel\Printers\Point and Print Restrictions?
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
On Behalf Of Derek Rose
Sent: Monday, March 09, 2009 4:11 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] GPP and Printers based on Security Group
I will have to double-check my file locations. That being said, I cleared
the box for user context for the printer install and made a little progress.
The logon was within 10 seconds (much better), but the printer failed to
install due to an access denied message under the Application log on the
target machine -
As far as the GPP goes, it appears that component is functional. As the
logged in user I can manually connect to the printer, so it's not a printer
access problem it is more than likely a problem installing the driver. I
could use Point and Print Restrictions to deploy the printer through GPO,
but based on my understanding that would require a separate GPO per printer
which would not be a good approach. Elevating users is not an option, so it
appears I need to research how I can allow standard users to be able to
install printer drivers on their machines.
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Sunday, March 08, 2009 12:55 PM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] GPP and Printers based on Security Group
Where did you install the ADMX and ADML files? Just running the MSI doesn't
get you all the way. You actually need to copy the ADMX files from
C:\program files\Microsoft Group Policy\Preferences\PolicyDefinitions into
c:\windows\policydefinitions (or into SYSVOL if you are using the Central
Store) and the ADML files into c:\windows\policydefinitions\en-us (assuming
you are using US English Windows).
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx]
On Behalf Of Derek Rose
Sent: Saturday, March 07, 2009 5:32 PM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] GPP and Printers based on Security Group
Thanks Alan and Darren, I'm interested to get this resolved. I installed
preferences.msi from the link provided, but don't seem to have the Logging
and Tracing Entry -
I don't know if I'm looking in the wrong place, but that is the default
domain policy for our domain. I did also download the 2008 ADMX files and
installed those, no change.
| | | |
|
|