Deploy Printers With Group Policy

In this tutorial, you will learn how to deploy printers using Group Policy.

In this example, I will use group policy preferences and item level targeting to install printers based on user security group membership.

For example, users in the “HR_Printers” group will get the HR-OfficeJet9025 printer installed and users in the “Marketing_Printers” group will get the Marketing-HP4200 installed.

Why deploy printers using Group Policy?

The simple answer is that it helps automate the user setup process. Almost every computer setup needs a printer, so automating this step speeds up computer configuration. This is a big win for your helpdesk or other IT staff who help configure computers. It is also a big win for your customers, as getting a printer set up often means a call to the helpdesk. Deploying printers with Group Policy eliminates that phone call because as soon as users log in, the printer is automatically installed in the background.

Step 1: Create AD Security Groups

The first step is to create security groups for the printers. In this example, I’m going to install printers by department, so I’ll create a security group for each department. I’ve named my groups using the pattern “department_printers”. You can name the groups whatever you like.

Next, add members to the new groups and move to step 2. You can also use existing groups, but I recommend creating groups for each resource.

Tip: To quickly add members to or remove members from groups, you can use PowerShell or the AD Group Management Tool.

Step 2: Create a New GPO

Now I’ll create a new GPO and link it to my Users OU.

Give the GPO a name. I’ve named mine “Users – Printer Install”.

Edit the GPO and browse to User Configuration > Preferences > Control Panel Settings > Printers.

Right-click Printers, select New, and click “Shared Printer”.

In this example, I’m installing printers from a printer server, but you can also use a TCP/IP or local printer.

My printer server is “srvwef” and the printer share name is “HR-OfficeJet9025” so the share path will be \\srvwef\HR-OfficeJet9025.

This is the HR department’s printer so I want this to only apply to the HR department security group. This is done using item level targeting.

Click on Common

Check the box “Run in logged-on user’s security context (user policy option)”.

Select Item-level targeting and click the Targeting button.

Click the New Item arrow and select Security Group. Enter the security group you want the printer to install for; I selected my HR_Printers group.

Click OK to get back to the Group Policy Management screen.

This completes the GPO configuration.

Step 3: Reboot or run the gpupdate command

To test the install you will need to log in as a user that is in the security group.

You will need to run the gpupdate /force command to refresh the group policies.

First, let me show you that the printer is not installed.

Next, I’ll run gpupdate /force and the printer will install. You could also reboot or wait 90 minutes for the GPO to refresh on its own.

You can see above that the printer is now installed.

Step 4: Repeat for additional printers

Now just repeat this process for any other printers you want to install with group policy. The great thing about this configuration is you don’t need to create additional GPOs. You can add additional printers to this one GPO to install all printers.

Above you can see I added the Marketing printer to the same GPO. The Marketing printer will only install for users that are part of the Marketing_Printers security group.
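To check that every printer item in a GPO like the one built above is scoped by item-level targeting, the preference file the GPO writes to SYSVOL can be audited. The following PowerShell is an added example, not part of the original tutorial: the XML is a constructed, trimmed sample of a Printers.xml file, and Get-SharedPrinterAudit and its approved-server list are hypothetical names.

```powershell
# Constructed sample in the layout of a GPO's User\Preferences\Printers\Printers.xml,
# trimmed to the attributes used below. CONTOSO is a placeholder domain; the second
# item has no targeting on purpose so the audit has something to report.
[xml]$printers = @'
<Printers>
  <SharedPrinter name="HR-OfficeJet9025" userContext="1">
    <Properties action="U" path="\\srvwef\HR-OfficeJet9025"/>
    <Filters>
      <FilterGroup bool="AND" not="0" name="CONTOSO\HR_Printers" userContext="1"/>
    </Filters>
  </SharedPrinter>
  <SharedPrinter name="Marketing-HP4200" userContext="1">
    <Properties action="U" path="\\srvwef\Marketing-HP4200"/>
  </SharedPrinter>
</Printers>
'@

# Hypothetical helper: one row per shared printer item in the preference file.
function Get-SharedPrinterAudit {
    param([xml]$Xml, [string[]]$ApprovedServers)
    foreach ($item in $Xml.SelectNodes('/Printers/SharedPrinter')) {
        $props  = $item.SelectSingleNode('Properties')
        $path   = $props.GetAttribute('path')
        $server = $path.TrimStart('\').Split('\')[0]      # \\server\share -> server
        # Security-group filters may sit inside nested filter collections.
        $groups = @($item.SelectNodes('Filters//FilterGroup') |
            ForEach-Object { $_.GetAttribute('name') })
        [pscustomobject]@{
            Printer       = $item.GetAttribute('name')
            Path          = $path
            Action        = $props.GetAttribute('action')
            UserContext   = $item.GetAttribute('userContext') -eq '1'
            TargetGroups  = $groups -join ', '
            Untargeted    = $groups.Count -eq 0            # applies to every user in scope
            UnknownServer = $ApprovedServers -notcontains $server
        }
    }
}

# 'srvwef' is the print server named in the tutorial.
Get-SharedPrinterAudit -Xml $printers -ApprovedServers 'srvwef' | Format-List
```

To audit a live GPO, load `\\<domain>\SYSVOL\<domain>\Policies\{<GPO GUID>}\User\Preferences\Printers\Printers.xml` in place of the embedded sample.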

Summary

Installing printers is often an extra step the helpdesk does when installing computers. By using group policy you can automate the printer install for users. This is a big win for users and staff that configure computers.

35 thoughts on “Deploy Printers With Group Policy”

  1. Hi Robert:
    I know that when installing a printer from the printer server, the driver gets it from the print server. But I have a question… Where does GPO get drivers when installing tcp/ip printers?

    • It still installs the driver from the print server. In the GPO you specify the UNC path to the printer which is on the print server.

      • Hi Robert. I have done all of this – but the driver installation gives an error as the users are not administrators of their laptops. I have also tried removing “Run in user context” but that did not make any difference.

        Kind regards
        Landi

        • Try setting the GPO policy “Devices: Prevent users from installing printer drivers” to disabled.

          Policy is found in the section -> Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.

          • Hi Robert, if I change this setting, will the users be able to install any printer they want in the domain? Because the printers are not being deployed to the users in the security group I created.
            Thanks

          • Hi Ricky,

            Which setting are you referring to?

  2. Hi Robert, do you know how I can delete an old mapped printer?

    • Did you try using group policy and the “Delete” action?

      • Hi Robert,

        Is it possible to share 1 printer for 2 GPOs(Colored and Black&White)?
        This is to restrict users under Black&White Security Groups to strictly print Black&White only. FYI, we’re using a Ricoh Printer. Thank you in advance!

        • Yes, just create a separate print share and lock it down with a security group.

  3. Hi Robert
    What if I want to rename the printer (both the object and shared name) later on and keep the security group linked to the printer the same name as the new printer names? Will renaming the security group cause any issues?

  4. Hello. At the step “Right click printers and click “shared printer”, I do not have shared printer as an option. This is on my 2019 DC. Any idea why I don’t have that? My options are New / TCP/IP Printer or New / Local Printer.

    • Right click printers select “New” and then “Shared Printer”.

      • I do not see a response to Gary’s question, and I am also using a 2019 DC to add and configure the GPO. Should we select TCP/IP Printer or Local Printer?

        • Right click printers select “New” and then “Shared Printer”.

          • I’m running into the same issue on a 2009 DC. Under the User Configuration I see all three options when I right-click printers. But when I go to Computer Configuration I only see Local Printer and TCP/IP Printers. Any ideas?

          • The “Shared Printer” option is not available under the computer configuration, this is by design. I’m not sure why I cannot find any documentation of why Microsoft excluded this option from the computer config.

  5. This looks promising, so thanks. We have 6 physical locations connected via VPN in one network. Currently, each location has its own DC and printers can be shared/deployed for that location from their local server. All remote site DCs are going away and all users will now go to main office DC. I plan to share all printers from print server here and deploy to all locations for their location’s printers. Will choosing TCP/IP printer and users installing printers over the VPN cause all print jobs to be processed over the VPN as well? Or, will it install the driver from the shared printer the first time, then send print jobs via IP address to the device in their local subnet? We are concerned about lag times if all print jobs have to be processed here and sent back to the device over the VPN. Thanks.

    • Hi Janet,

      Choosing TCP/IP printer in the GPO will install the printer as a local TCP/IP (no printer server). When the computer sends a print job it will send it directly to the IP of the printer.

      • I’m sorry if I misunderstood. But I reviewed your reply to Pepper above and it says that the installing printer will go to the print server to get the driver to install, so I was confused. Will I need to manually install the drivers separately, or will they auto-install on the first login that triggers the GPO to install the printer? Thanks.

        • When you choose TCP/IP in the GPO it will install locally as a TCP/IP printer but pulls the drivers from the print server. You will need to configure the printer on the printer server but again it is so the client can download the print drivers.

          • Thank you for clarifying!

  6. I deploy printers almost exactly this way except I do not check “run in logged in users security context”. What difference is leaving that out making?

    • Every preference item applied is processed under the local SYSTEM account. When you select “Run in Logged on User’s Security Context”, the security context is changed from SYSTEM to the current logged-in User.

  7. With the AD security groups, would it be possible to add computer objects instead of users? I’m trying to have certain printers deployed based on the computers/location, instead of the specific user who’s logged in. Would it be possible to have that kind of setup? Thanks.

    • Yes. Configure the printer settings under computer configuration instead of user configuration. Then apply the GPO to your computer objects.

  8. Hi Robert,

    I have another question… If I use the configuration in your example, but the GPO will be placed in the OU where the computer objects are instead of the users OU (in our infrastructure, admins are only granted permission in the OU for our own department, where users are placed in a different OU where only Domain Admins have access).
    Would this still work if I have Loopback policy enabled?

    Thanks.

    • I just tested and it works!! This is a life saver! Thank you very much for the post Robert!

  9. I added the printer in Computer Configuration>Policies>Windows Settings>Deployed Printers but unfortunately it does not connect after reboot. I need to assign printers to a computer not a user. What am I doing wrong?

    • To deploy to a computer, configure the policy under the computer configuration settings instead of users.

  10. Hello, Robert,
    I deployed printers via GPO but they don’t get installed on computers if I don’t add domain user or domain group as local administrator in Windows 10.

      • Hi Robert, excellent page and instructions. Sadly you are absolutely correct, Microsoft borked it when fixing another problem. I am having to do this registry hack too. Considering this registry hack is a complete reversal of the recommended security settings to prevent the PrintNightmare elevation of privilege attack and we are two years on from this now, is there a way to do this that doesn’t require the hack? Microsoft, if you are reading this, it’s time to fix this once and for all.

  11. Hi Robert Allen,

    I believe this PrintNightmare has been my concern for our Group Policy not successfully deploying printer drivers, because the user logging in is not an admin and we have been forced to log in to each staff system and install the print drivers for each new printer or if we migrate print servers. I will try to test some of your settings above; however, the last poster “Nicholas Kulkarni” is correct: is this not just circumventing the recommended Microsoft PrintNightmare configuration? Please, any information would be helpful.

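Several comments above concern driver installation failing for non-administrators and a registry change that reverses the PrintNightmare mitigation. The following read-only PowerShell check is an added example, not from the article or its commenters; it reports whether a client's Point and Print policy values are in that relaxed state. The value names come from Microsoft's published Point and Print guidance rather than from this page, the function names are hypothetical, and the sample hashtable is constructed.

```powershell
# Read-only check of Point and Print policy values; nothing is changed.
# Value names are from Microsoft's Point and Print guidance, not from this page.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

# Hypothetical helper: values present under the policy key (empty if the key is absent).
function Get-PointAndPrintValues {
    $values = @{}
    $key = Get-Item -Path $PolicyKey -ErrorAction SilentlyContinue
    if ($key) { foreach ($n in $key.GetValueNames()) { $values[$n] = $key.GetValue($n) } }
    $values
}

# Hypothetical helper: returns one finding string per relaxed setting.
function Test-PointAndPrintValues {
    param([hashtable]$Values)
    $findings = @()
    $restrict = 'RestrictDriverInstallationToAdministrators'
    # Absent or 1 means only administrators may install printer drivers.
    if ($Values.ContainsKey($restrict) -and $Values[$restrict] -eq 0) {
        $findings += "$restrict=0: non-administrators can install printer drivers"
        # With the restriction off, an approved-server list is the remaining control.
        if ($Values['TrustedServers'] -ne 1 -or
            [string]::IsNullOrWhiteSpace($Values['ServerList'])) {
            $findings += 'No approved print server list: drivers accepted from any server'
        }
    }
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        if ($Values.ContainsKey($name) -and $Values[$name] -ne 0) {
            $findings += "$name=$($Values[$name]): warning or elevation prompt suppressed"
        }
    }
    $findings
}

# Constructed sample: the relaxed configuration discussed in the comments.
$sample = @{ RestrictDriverInstallationToAdministrators = 0; NoWarningNoElevationOnInstall = 1 }
Test-PointAndPrintValues -Values $sample

# On a client, evaluate the live policy instead:
# Test-PointAndPrintValues -Values (Get-PointAndPrintValues)
```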