Deploy Printers With Group Policy

In this tutorial, you will learn how to deploy printers using Group Policy.

In this example, I will use group policy preferences and item level targeting to install printers based on user security group membership.

For example, users in the “HR_Printers” group will get the HR-OfficeJet9025 printer installed and users in the “Marketing_Printers” group will get the Marketing-HP4200 installed.

Why deploy printers using Group Policy?

This simple answer is it helps to automate the user setup process. It’s a step that almost every computer setup needs so automating this step speeds up the computer configuration process. This is a big win for your helpdesk or another IT staff that helps configure computers. This is also a big win for your customers as it is often a call to the helpdesk to get a printer setup. This will eliminate that phone call because as soon as they login the printer is automatically installed in the background.

Step 1: Create AD Security Groups

The first step is to create security groups for the printers. In this example, I’m going to install printers by the department so I’ll create a security group for each department. I’ve named my groups the “department_printers”. You can name the groups whatever you like.

Next, add members to the new groups and move to step 2. You can also use existing groups, but I recommend creating groups for each resource.

Tip: To quickly add or remove members to groups you can use PowerShell or the Bulk Group Updater tool.

Step 2: Create a New GPO

Now I’ll create a new GPO and link it to my Users OU.

Create new GPO

Give the GPO a name. I’ve named mine “Users – Printer Install”

Edit the GPO and browse to User Configuration > Preferences > Control Panel Settings > Printers

gpo printer settings

Right click printers, select new, and click “shared printer”

In this example, I’m installing printers from a printer server, you can use TCP/IP or a local printer.

My printer server is “srvwef” and the printer share name is “HR-OfficeJet9025” so the share path will be \\srvwef\HR-OfficeJet9025.

gpo printer shared path

This is the HR department’s printer so I want this to only apply to the HR department security group. This is done using item level targeting.

Click on Common

Check the box “Run in logged-on user’s security context (user policy option).

Select Item-level targeting and click the Targeting button.

GPO item level targeting

Click the new item arrow and select security group. Enter the security group you want the printer to install for, I selected my HR_Printers group.

Click ok to get back to the Group Policy Management screen.

This completes the GPO configuration.

Step 3: Reboot or run the gpupdate command

To test the install you will need to log in as a user that is in the security group.

You will need to run gpupdate /force command to refresh the group policies.

First, let me show you that the printer is not installed.

Next, I’ll run gpupdate /force and the printer will install. You could also reboot or wait 90 minutes for GPO to refresh on its own.

You can see above that the printer is now installed.

Step 4: Repeat for additional printers

Now just repeat this process for any other printers you want to install with group policy. The great thing about this configuration is you don’t need to create additional GPOs. You can add additional printers to this one GPO to install all printers.

add multiple printers to gpo

Above you can see I added the Marketing printer to the same GPO. The Marketing printer will only install for users that are part of the Marketing_printers security group.

Summary

Installing printers is often an extra step the helpdesk does when installing computers. By using group policy you can automate the printer install for users. This is a big win for users and staff that configure computers.

Recommended Tool: Permissions Analyzer for Active Directory

This FREE tool lets you get instant visibility into user and group permissions and allows you to quickly check user or group permissions for files, network, and folder shares.

You can analyze user permissions based on an individual user or group membership.

This is a Free tool, download your copy here.

18 thoughts on “Deploy Printers With Group Policy”

  1. Hi Roboert:
    I know that when installing a printer from the printer server, the driver gets it from the print server. But I have a question… Where does GPO get drivers when installing tcp/ip printers?

    Reply
    • It still installs the driver from the print server. In the GPO you specify the UNC path to the printer which is on the print server.

      Reply
      • Hi Robert. I have done all of this – but the driver installation gives an error as the users are not administrators of their laptops. I have also tried removing “Run in user context” but that did not make any difference.

        Kind regards
        Landi

        Reply
        • Try setting the GPO policy “Devices: Prevent users from installing printer drivers” to disabled.

          Policy is found in the section -> Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.

          Reply
  2. Hi Robert, do you know how can delete old printer mapped ?

    Reply
    • Did you try using group policy and the “Delete” action?

      Reply
      • Hi Robert,

        Is it possible to share 1 printer for 2 GPOs(Colored and Black&White)?
        This is to restrict users under Black&White Security Groups to strictly print Black&White only. FYI, we’re using a Ricoh Printer. Thank you in advance!

        Reply
        • Yes, just create a separate print share and lock it down with a security group.

          Reply
  3. Hi Robert
    How if I want to rename the printer (both the object and shared name) later on and keep the security group linked to the printer the same name as the new printer names. Will renaming the security group cause any issues?

    Reply
  4. Hello. At the step “Right click printers and click “shared printer”, I do not have shared printer as an option. This is on my 2019 DC. Any idea why I don’t have that? My options are New / TCP/IP Printer or New / Local Printer.

    Reply
    • Right click printers select “New” and then “Shared Printer”.

      Reply
  5. This looks promising, so thanks. We have 6 physical locations connected via VPN in one network. Currently, each location has its own DC and printers can be shared/deployed for that location from their local server. All remote site DCs are going away and all users will now go to main office DC. I plan to share all printers from print server here and deploy to all locations for their location’s printers. Will choosing TCP/IP printer and users installing printers over the VPN cause all print jobs to be processed over the VPN as well? Or, will it install the driver from the shared printer the first time, then send print jobs via IP address to the device in their local subnet? We are concerned about lag times if all print jobs have to be processed here and sent back to the device over the VPN. Thanks.

    Reply
    • Hi Janet,

      Choosing TCP/IP printer in the GPO will install the printer as a local TCP/IP (no printer server). When the computer sends a print job it will send it directly to the IP of the printer.

      Reply
      • I’m sorry if I misunderstood. But I reviewed your reply to Pepper above and it says that the installing printer will go to the print server to get the driver to install, so I was confused. Will I need to manually install the drivers separately, or will they auto-install on the first login that triggers the GPO to install the printer? Thanks.

        Reply
        • When you choose TCP/IP in the GPO it will install locally as a TCP/IP printer but pulls the drivers from the print server. You will need to configure the printer on the printer server but again it is so the client can download the print drivers.

          Reply
          • Thank you for clarifying!

  6. I deploy printers almost exactly this way except I do not check “run in logged in users security context” what difference is leaving that out making?

    Reply
    • Every preference item applied is processed under the local SYSTEM account. When you select “Run in Logged on User’s Security Context”, the security context is changed from SYSTEM to the current logged-in User.

      Reply

Leave a Comment