Deploy Printers to Users or Computers via Group Policy

Add a Shared Network Printer in Active Directory

The first thing you need to do is create a shared network printer in Active Directory. These can be shared
printers on a dedicated host running Windows Server (with the Print and Document Services role), or
printers directly attached to user workstations running desktop versions of Windows.

Open the Print Management console on the computer where the printer is attached (this guide can be used to
share either a network printer available via TCP/IP or a local physical printer connected to the host via
USB):

printmanagement.msc

Now you need to add printers to your print server. Let’s start by installing the print drivers.

1. Go to the Drivers section and run the Add Driver wizard. Select the type of driver architecture (x64
or x86) and click Next;

2. On the Printer Driver Selection screen, select the driver for your printer. If the driver you need is
not listed, click Have Disk and Browse. Specify the path to the printer inf file and click OK.

PREPARED BY: ALFRED D. SALAZAR 1

 Deploy Printers to Users or Computers via Group Policy
3. Install the drivers for each printer you want to share on your print server host.

4. The Print Management Console will now display the list of installed print drivers.

Now you can install new printers on your print server. Go to the Printers section and select Add Printers
from the context menu. You can add a printer to your computer in one of the following ways:

 Search the network for printers;

 Add an IPP, TCP/IP, or Web Services Printer by IP address or hostname;
 Add a new printer using an existing port;
 Create a new port and add a new printer.

PREPARED BY: ALFRED D. SALAZAR 2

 Deploy Printers to Users or Computers via Group Policy

In this example, we’ll connect to the network printer by its IP address.

Specify the type of device (TCP/IP device), and the IP address (or the DNS name) of your network printer
device (you can leave the port name by default). Check the box Auto detect the printer driver to use.

Then, select the printer driver you want to install (in this example, it is HP Universal Printing PCL6).

PREPARED BY: ALFRED D. SALAZAR 3

 Deploy Printers to Users or Computers via Group Policy

Then enter the printer’s name, network name, and description. In the same way, install any additional
printers.

The next step is to share your printer (this makes it available to all domain users.)

Expand Print Servers > ServerName (local) > Printers, select the printer you want to share (HP LaserJet
M2727 in our case), right-click on it, and select from the menu Manage Sharing.

Specify the share name of the printer. We recommend you set a short, meaningful shared printer name (do
not use spaces or special characters in the shared printer name). In our example, we’ve chosen to name it
HPM2727_1.

Check the options Share this printer and List in the directory, and then click Apply.

PREPARED BY: ALFRED D. SALAZAR 4

 Deploy Printers to Users or Computers via Group Policy

You can now use GPO to deploy this shared printer on users’ computers.

Deploy Shared Printers to Active Directory Users with GPO

The Group Policy Preferences (GPPs) extension is used to accurately deploy shared printers.

1. Connect to your AD domain controller and open the Group Policy Management Console
(gpmc.msc), and locate the Organizational Unit (OU) to which you want to deploy shared printer.
This OU can contain computer or user objects, depending on which objects you want to make the
printer available to;

PREPARED BY: ALFRED D. SALAZAR 5

 Deploy Printers to Users or Computers via Group Policy
2. Right-click on the OU and select Create a GPO in this domain and Link it here.

3. Specify the GPO name. For example, DeployPrinterCAUsers;

4. Right-click GPO and select Edit.

Printer deployment settings are located under the following sections:

 Computer Configuration > Preferences > Control Panel Settings > Printers;
 User Configuration > Preferences > Control Panel Settings > Printers.

If you deploy a printer from the Computer Configuration section, it will be installed for all users who log on
to a computer. The user’s GPO only allows printers to be added to the logged-in user’s profile.

PREPARED BY: ALFRED D. SALAZAR 6

 Deploy Printers to Users or Computers via Group Policy

Select New > Shared Printer. Specify the shared printer name in UNC format (like, \\WKS-
IT012\HPM2727_1), or select from a list of printers published in Active Directory.

PREPARED BY: ALFRED D. SALAZAR 7

 Deploy Printers to Users or Computers via Group Policy

There are several actions available in the GPO when installing a printer:

 Create — creates a printer if it is not already installed (the printer is created only once, then this
GPP parameter is ignored);
 Replace — deletes the printer and re-creates it each time the GPO settings on the computer are
updated;
 Update — (default) The printer is created if it has not been previously created. This mode will
update any printer settings that have changed since the last GPO update;
 Delete — removes the printer if it was previously installed.

You can immediately assign this printer as the user’s primary print device by enabling the Set this printer
as the default printer option.

Update the GPO settings on the client computer and check if the printer is installed automatically when the
user logs on (Settings > Bluetooth and Devices > Printers and Scanners).

PREPARED BY: ALFRED D. SALAZAR 8

 Deploy Printers to Users or Computers via Group Policy

The GPO should automatically install the printer driver if the user’s computer does not have the required
device driver. This only works with Package-aware v3 print drivers. To check that you are using this type
of driver, open the Print Manager console > Drivers > check that your driver attributes show
Packaged=True.

Other types of drivers will not be installed automatically and the GPP Event Viewer logs will contain an
error:

0x80070bcb. The specified printer driver was not found on the system and needs to be download.

You can pre-install the required print drivers on the user’s computers using the command:

pnputil /add-driver "\\Path to print drivers\*.inf" /subdirs

Or you can use a workaround described in the post Allow non-administrators to install printer drivers via
GPO.

Note. This article describes how to bypass the Print Spooler security restriction that prevents non-
administrative users from installing unsigned print drivers on Windows (check for the PrintNightmare
vulnerability described in CVE-2021-1675 and CVE-2021-3452).

How to Deploy Printers to Specific Users in Active Directory

PREPARED BY: ALFRED D. SALAZAR 9

 Deploy Printers to Users or Computers via Group Policy
You can use AD security groups to more accurately assign printers to users. Create a new group in AD and
add any users you want to assign this printer to that group.

1. Edit your printer deployment GPO and go User Configuration > Preferences > Control Panel
Settings > Printers;
2. Find your printer and open its properties;
3. Enable the option “Run in logged-on user’s security context (user policy option)”;
4. Check the option “Item-level Targeting” and click on the button;

PREPARED BY: ALFRED D. SALAZAR 10

 Deploy Printers to Users or Computers via Group Policy
5. Select New Item > Security Group, and specify your target security group name;

6. Save the changes. Now this GPO will automatically connect the hp2727 printer only to users in the
specified AD group.
7. To automatically remove a printer when a user leaves the security group, you can select the ‘Remove
this item when it no longer applies’ option.

You can add tens and hundreds of additional printers with a single GPO. Use the Item Level Targeting in
GPP to deploy printers to specific user security groups.

PREPARED BY: ALFRED D. SALAZAR 11