Microsoft KB Archive/234270

= Using Group Policies to Control Printers in Active Directory =

Article ID: 234270

Article Last Modified on 10/30/2006

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server

-



This article was previously published under Q234270



SUMMARY
Active Directory printer-related settings can be enabled or disabled by using Group Policies. All Group Policy settings are contained in Group Policy objects that are associated with Active Directory containers (Sites, Organizational Units, and Domains), thereby maximizing and extending Active Directory. This article describes the policies specific to managing printers and how to enable or disable them using Group Policy Editor.



MORE INFORMATION
There are two types of configurations that can be set for printers within a policy: Computer Configuration and User Configuration.

Configuring Printer-Specific Settings for Computers in Active Directory

 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
 * 2) Click the Active Directory container of the domain you want to manage (an Organizational Unit or a domain). Right-click that container, and then click Properties.
 * 3) Click the Group Policy tab, and then clickNew to create a "New" Group Policy.
 * 4) In Group Policy Editor, expand the following folders: Computer Configuration, Administrative Templates, and Printers.

The following settings can be enabled under Computer Configuration:
 * Allow Printers to be published to the Directory:

Enables or disables publishing of printers in the directory.
 * Automatically publish new printers in the Active Directory:

On by default, this setting can be turned off so that only shared printers specifically selected are placed in the directory.
 * Printer Browsing:

If you enable this setting the print subsystem announces shared printers for printer browsing. You should disable this setting if you do not want the print subsystem to add shared printers to the browse list. If this setting is not configured, shared printers are not added to the browse list if a Directory service is available, but are added if a Directory service is unavailable.
 * Prune printers that are not automatically republished:

This setting determines whether or not printers can be pruned from the directory. It is usually best to leave this unconfigured, but if you find that printers are being pruned even though the computer they are published from is functioning and on the network, enabling this policy prevents the pruning service from deleting the published printers during network outages or situations in which dial-up links that are only up intermittently are used. To prevent printers from being removed from Active Directory, enable this policy, and retain the default selection of Never in the Prune non-republishing printers list.
 * Downlevel printer pruning properties:

Determines how orphaned PrintQueue objects representing downlevel printers are to be pruned. A printer is downlevel if the server hosting the printer is not running Windows 2000.

For example, if a print server is unavailable for an extended period of time, the pruning service may delete the orphaned PrintQueue object. If the print server is running Windows 2000 or later, it publishes the printer again when it comes back online. Downlevel print servers, however, cannot publish printers by default, so pruned PrintQueue objects are not automatically republished by a downlevel print server.

Pruning "Only if Print Server is found" causes the pruning service to delete a PrintQueue object only if it can verify that the printer does not exist on the print server.

Pruning "Whenever printer is not found" allows the pruning service to delete orphaned PrintQueue objects even when the print server is unavailable.
 * Directory pruning interval:

The Pruning Interval determines the period of time the pruner sleeps between checks for abandoned PrintQueue objects. The pruner reads the Pruning Interval value every hour.
 * Directory pruning retry:

Sets the number of times the PrintQueue pruner attempts to contact the print server before deleting an abandoned PrintQueue object.
 * Directory pruning priority:

Sets the thread priority of the pruning thread. The pruning thread runs only on domain controllers and is responsible for deleting stale printers from the directory. Valid values are -2, -1, 0, 1, and 2, corresponding to THREAD_PRIORITY_LOWEST through THREAD_PRIORITY_HIGHEST. The default is 0.
 * Check published state:

This policy is used to verify that published printers are published in Active Directory. By default, the published state is not verified.
 * Web-based printing:

This policy bit is designed for administrators to disable Internet printing entirely. When this policy bit is selected, none of the shared printers on the server are published to the web, and none of the shared printers are able to accept incoming jobs from other clients using HTTP. The default is not selected.
 * Custom Support URL in Printers folder's left pane:

This policy bit is designed for administrators to add customized support URLs for the server. If this bit is not selected, the left pane of the Printers folder displays URLs for selected printer plus a vendor support URL if it is available. If this bit is selected and the customized support URL is provided, the previously mentioned two support URLs are replaced by the customized URL. The default is not selected (that is, no customized support URL).
 * Computer Location:

Specifies the default location criteria used when searching for printers.

This policy is a component of the location tracking feature of Windows 2000 printers. To use this policy, enable location tracking by enabling the "Pre-populate printer search location text" policy.

When location tracking is enabled, Windows 2000 uses the specified location as a criteria when users search for printers. The value you enter here overrides the actual location of the computer conducting the search.

Enter the location of the user's computer. When a user searches for a printer, Windows 2000 uses the specified location (and other search criteria) to find a printer nearby. You can also use this policy to direct users to a particular printer or group of printers that you want them to use.

If you disable this policy, or do not configure it, and the user does not enter a location as a search criteria, Windows 2000 searches for a nearby printer based on the IP address and subnet mask of the user's computer.
 * Pre-populate printer search location text:

Enables the physical location tracking support feature of Windows 2000 printers.

Location tracking lets you design a location scheme for your enterprise and assign computers and printers to locations in your scheme. Location tracking overrides the standard method of locating and associating users and printers, which uses the IP address and subnet mask of a computer to estimate its physical location and proximity to other computers.

If you enable location tracking, a Browse button appears beside the Location box in the Find Printers dialog box and on the General tab in the properties for a printer. This lets users browse for printers by location without knowing the precise location (or location naming scheme). Also, if you enable the "Computer location" policy, the default location you enter appears in the Location box.

If you disable this policy or do not configure it, location tracking is disabled. Printer proximity is estimated based on IP address and subnet mask.

Configuring Printer-Specific Settings for Users in Active Directory

 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
 * 2) Click the Active Directory container of the domain you want to manage (an Organizational Unit or a domain). Right-click that container, and then click Properties.
 * 3) Click New to create a "New" Group Policy.
 * 4) In Group Policy editor, expand the following folders: User Configuration, Administrative Templates, Control Panel, and Printers.

The following settings can be configured under User Configuration:
 * Disable the deletion of printers:

Prevents users from deleting local and network printers.

If a user tries to delete a printer, such as by using the Delete command in the Printers tool in Control Panel, Windows displays a message explaining that the action is prevented by a policy. This policy does not prevent users from running programs to delete a printer.
 * Disable the addition of printers:

Prevents users from using familiar methods to add local and network printers.

This policy removes the Add Printer wizard from the Start menu and from the Printers folder in Control Panel.

Also, users cannot add printers by dragging a printer icon to the Printers folder. If they try to use this method, a message appears explaining that the action is disabled by a policy.

This policy does not prevent users from using the Add/Remove Hardware wizard to add a printer. Nor does it prevent users from running programs to add printers.

This policy does not delete printers that users have already added. However, if users have not added a printer when this policy is applied, they cannot print.

Note that you can use printer permissions to restrict the use of printers without setting a policy. In the Printers folder, right-click a printer, click Properties, and then click the Security tab.
 * Display the down level page in the Add Printer wizard:

Permits users to browse the network for shared printers in the Add Printer wizard.

If you enable this policy, when users click "Add a network printer," but do not enter the name of a particular printer, the Add Printer wizard displays a list of all shared printers on the network and prompts users to choose a printer.

If you disable this policy, users cannot browse the network; they must enter a printer name.

This policy affects the Add Printer wizard only. It does not prevent users from using other tools to browse for shared printers or to connect to network printers.
 * Default Active Directory path when searching for printers:

Specifies the Active Directory location in which searches for printers begin.

The Add Printer wizard gives users the option of searching Active Directory for a shared printer. If you enable this policy, these searches begin at the location you specify in the "Default Active Directory path" box. Otherwise, searches begin at the root of Active Directory.

This policy only provides a starting point for Active Directory searches for printers. It does not restrict user searches through Active Directory.
 * Enable browsing for Internet printers:

Adds the path to an Internet or intranet Web page to the Add Printer wizard.

You can use this policy to direct users to a Web page from which they can install printers.

If you enable this policy and enter an Internet or intranet address in the text box, Windows adds a Browse button to the Locate Your Printer page in the Add Printer wizard. The Browse button appears beside the "Connect to a printer on the Internet or your Company's Intranet" option. When users click Browse, Windows opens an Internet browser and navigates to the specified address to display the available printers.

This policy makes it easy for users to find the printers you want them to add.

