
Distributing Printer Connections in R2 along with Group Filtering

Before the summer vacation, when R2 was publicly released as Beta 2, I started working and testing with it. One of the things I played with was the distribution of printer connections along with group filtering.

To get distribution of printer connections working the following must be done:

* Configure the vb-script 'PPCLogonScript.vbs' as a LOGON SCRIPT, so that when a user logs on the script checks which GPOs are in place for the computer and for the user

* Create a GPO (let's call it 'GPO_PRINTER-CONNECTION_COMPUTERS') and link it to an OU with computers (let's call that OU 'COMPUTERS-OU')

* Create a GPO (let's call it 'GPO_PRINTER-CONNECTION_USERS') and link it to an OU with users (let's call that OU 'USERS-OU')

* Join a computer to the domain and move its computer account into the 'COMPUTERS-OU'

* Create a simple user account in the 'USERS-OU'

* On some server (let's call that SERVER001) install 2 printers (let's call them PRINTER001 and PRINTER002)

* Distribute the printer connection of PRINTER001 using GPO 'GPO_PRINTER-CONNECTION_COMPUTERS'

* Distribute the printer connection of PRINTER002 using GPO 'GPO_PRINTER-CONNECTION_USERS'

By default a computer account (let's call that COMPUTER001) and a user account (let's call that USER001), when authenticated by a DC, belong to the 'Authenticated Users' well-known security ID. Each GPO, when created and linked, has 'Authenticated Users' assigned for READ and APPLY.

(TEST 1) So when booting 'COMPUTER001' and logging on with 'USER001' you will see two printer connections within 'Printers and Faxes', to \\SERVER001\PRINTER001 and \\SERVER001\PRINTER002. So far nothing happened...

Now I want the same printer connections to be distributed only to computers and users that are members of respectively the groups 'gsg_PrinterConnectionsComputers' and 'gsg_PrinterConnectionsUsers'.

Using the GPMC I remove 'Authenticated Users' from security filtering for BOTH GPOs 'GPO_PRINTER-CONNECTION_COMPUTERS' and 'GPO_PRINTER-CONNECTION_USERS'. Again using the GPMC I add 'gsg_PrinterConnectionsComputers' for security filtering to the GPO 'GPO_PRINTER-CONNECTION_COMPUTERS' and I add 'gsg_PrinterConnectionsUsers' for security filtering to the GPO 'GPO_PRINTER-CONNECTION_USERS'.

(TEST 2) So when booting 'COMPUTER001' again and logging on with 'USER001' you should not see the two printer connections within 'Printers and Faxes', because the computer account and the user account are not members of the filtered groups. Wrong! You will still see them. I started to investigate this and found out the vb-script queried AD for objects of the class 'msPrintConnectionPolicy', and although the GPOs were configured with security filtering, the printer connection objects themselves explicitly had 'Authenticated Users' with 'Read All Properties' configured, which is why the script was still able to see them and add them. The solution to this was easy. For security filtering to work on GPOs WITH printer connections the 'Default Security' of the class 'msPrintConnectionPolicy' had to be changed slightly. Using the Schema MMC you had to ONLY remove 'Read All Properties' for 'Authenticated Users'.

With this change ALL NEW printer connection objects created after the permissions change are configured with the correct permissions, so security filtering can be used for GPOs WITH printer connections. However, for printer connection objects created BEFORE the permissions change the permissions are still the same and need to be changed to reflect the new definition of the 'Default Security' for the class 'msPrintConnectionPolicy'. If you have already created a lot of printer connection objects in AD there is a quick solution to change this, and that is by using ADFIND (from joeware.net) and DSACLS (from the Support Tools).

Run the following command to get the distinguished name of existing printer connection objects:

* AdFind.exe -b "CN=Policies,CN=System,DC=<DOMAIN>,DC=<TLD>" -f "(objectCategory=msPrint-ConnectionPolicy)" -dn -dsq > ReACL_ALL_msPrint-ConnectionPolicies.cmd

Open ReACL_ALL_msPrint-ConnectionPolicies.cmd with notepad and:

* Add DSACLS at the beginning of each line

* Add /S /T at the end of each line

The result for each line should be something like:

DSACLS "CN={A4028A0A-C352-4D56-AD6A-D6C3E1B005DE},CN=PushedPrinterConnections,CN=Machine,CN={E1665B10-7917-4A67-992F-2D021A6495FC},CN=Policies,CN=System,DC=<DOMAIN>,DC=<TLD>" /S /T

Run ReACL_ALL_msPrint-ConnectionPolicies.cmd so that the explicit permissions of all existing objects match the new definition of the 'Default Security' for the class 'msPrintConnectionPolicy'.
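As an added example (not part of the original post), the Notepad edit and the DSACLS run can be combined in one batch file that only touches objects under a GPO's PushedPrinterConnections container and logs each result. It assumes the DN list was saved by the AdFind command above (AdFind -dsq writes each DN already quoted), that DSACLS.exe is on the PATH and that you have rights to change the GPO objects; the file name, log name and /WHATIF switch are my own.

```batch
@echo off
REM Added example, not part of the original post: run DSACLS over every DN in the
REM AdFind output instead of editing the file by hand. Assumes DSACLS.exe is on the
REM PATH, you have rights to change the GPO objects, and the DN list was saved with
REM the AdFind command from the post (AdFind -dsq writes each DN already quoted).
REM Usage: ReACL_PrinterConnections.cmd PrinterConnectionDNs.txt [/WHATIF]
setlocal
set "DNFILE=%~1"
set "LOG=ReACL_ALL_msPrint-ConnectionPolicies.log"
if "%DNFILE%"=="" (
    echo Usage: %~nx0 DNFile.txt [/WHATIF]
    exit /b 1
)
if not exist "%DNFILE%" (
    echo DN file "%DNFILE%" not found
    exit /b 1
)

for /f "usebackq delims=" %%D in ("%DNFILE%") do (
    REM %%~D strips the quotes AdFind -dsq put around the DN. Only touch objects under
    REM a GPO's PushedPrinterConnections container; skip anything else in the list.
    echo %%~D | find /i ",CN=PushedPrinterConnections," >nul
    if errorlevel 1 (
        echo SKIPPED - not a pushed printer connection: %%~D >> "%LOG%"
    ) else (
        if /i "%~2"=="/WHATIF" (
            echo WOULD RUN: DSACLS "%%~D" /S /T
        ) else (
            REM /S resets the object's ACL to the class default security, /T applies it to the subtree.
            DSACLS "%%~D" /S /T >nul
            if errorlevel 1 (
                echo FAILED: %%~D >> "%LOG%"
            ) else (
                echo OK: %%~D >> "%LOG%"
            )
        )
    )
)
echo Done, results are in "%LOG%".
endlocal
```

Run it once with /WHATIF to review which DNs would be re-ACLed before running it for real.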

(TEST 3) So when booting 'COMPUTER001' again and logging on with 'USER001' you should not see the two printer connections within 'Printers and Faxes', because the computer account and the user account are not members of the filtered groups. As both are not members of the groups the printer connections were removed by the group! (as it should be)

In ADUC I make 'COMPUTER001' a member of 'gsg_PrinterConnectionsComputers' and 'USER001' a member of 'gsg_PrinterConnectionsUsers'.

(TEST 4) So when booting 'COMPUTER001' again and logging on with 'USER001' you will see the two printer connections reappear within 'Printers and Faxes', because the computer account and the user account are now members of the filtered groups.

 

In RC0 and RC1 the vb-script 'PPCLogonScript.vbs' was replaced by a utility called 'pushprinterconnections.exe'.

The difference in usage is:

* The utility 'PushPrinterConnections.exe' (available in %WINDIR%\PMCSnap) must be used in a startup script (for per-machine printer connections) and/or in a logon script (for per-user printer connections) to read the printer connections from AD and add them to the client/user.

 

Using the utility 'PushPrinterConnections.exe', which is now available instead of the vb-script, the following happens when doing the same tests:

TEST 1: same behavior as with the vb-script; nothing changed.

ADDITIONAL TEST: distribution of the printer connection for \\SERVER001\PRINTER002 was removed from the GPO 'GPO_PRINTER-CONNECTION_USERS'. So when rebooting and logging on again the printer connection for PRINTER002 should be gone, and that happened! So nothing wrong (yet).

ADDITIONAL TEST: distribution of the printer connection for \\SERVER001\PRINTER001 was removed from the GPO 'GPO_PRINTER-CONNECTION_COMPUTERS', and distribution of the printer connection for \\SERVER001\PRINTER002 was added again to the GPO 'GPO_PRINTER-CONNECTION_USERS'. So when rebooting and logging on again the printer connection for PRINTER001 should be gone and the printer connection for PRINTER002 should reappear, and that happened! So nothing wrong (yet).

TEST 2: same behavior as with the vb-script; nothing changed.

ADDITIONAL TEST: deleted all printer connections on the client and rebooted. The GPOs are still filtered for the groups and the accounts are still not members. The printer connection for \\SERVER001\PRINTER001 appeared and the printer connection for \\SERVER001\PRINTER002 did not appear. The GPOs are filtered, so both printer connections should not appear.

TEST 3: the printer connection for \\SERVER001\PRINTER001 appeared and the printer connection for \\SERVER001\PRINTER002 did not appear. The GPOs are filtered, so both printer connections should not appear.

TEST 4: both connections are available; same behavior as with the vb-script, nothing changed. However, if I remove the accounts from the groups and reboot/log on again, the printer connections should disappear. That does not happen!

 

IMHO the following solutions exist:

* Please tell me what is going wrong and how to achieve what I want (how does the utility 'PushPrinterConnections.exe' work?)

* Please repair the utility 'PushPrinterConnections.exe'

* Please give back the VB-script that worked before

 

If someone knows an answer to this, feel free to post!

 

Cheers,

Jorge

Published Friday, December 02, 2005 2:30 PM by Jorge

Comments

# re: Distributing Printer Connections in R2 along with Group Filtering

Wednesday, March 08, 2006 10:55 AM by Peter
I have also found the pushprinterconnections application to be unreliable. On some machines in my network it won't uninstall printers when the target falls out of scope; if I try to apply the GPO to the computer rather than the user I get a stop error on all the machines I've tried so far! (I'm using the full 'release version' of R2)

The only way I've found to effectively use it is to have one user GPO at the root of the directory structure, that is applied to all users underneath it. Then create security groups for access to the printers. Then in Printer Management allocate access permissions to the printers based on these groups.

Hope this is useful - if anyone has a better solution please post it...