Working With Group Policy and Printers

I’ve lately done a fair bit of work with Group Policy at my organization, which involved cleanup, simplification, and optimization. Group Policy hadn’t really been audited for what seems to be a few years and it was quite a mess, but by the end of it there were about a quarter of the policies, and they were a lot more logical. During this exercise I learned a few things and ran into some quirks that I thought were worth sharing, which I’ll describe in this post. I won’t, however, go over the typical practices of designing and implementing GPOs; there are enough posts and articles about that elsewhere.

Old Settings

The first thing I came across was some old policy settings that would show up when looking at the summary in the management console, but if you were to edit the policy those options wouldn’t be there. Some of the specific settings had to do with Remote Installation Services, and printers that had been added through Print Management using a Server 2003 server. After some googling I found that these options could be changed by editing an attribute in Active Directory. To do so, follow these steps:

  1. Open up Active Directory Users and Computers
  2. Expand System>Policies
  3. Right click on the GUID of the Policy with the old settings that need to be removed (which can be found in Group Policy Management by selecting the GPO and selecting the Management tab) and select Properties
  4. Select the Attributes tab
  5. Edit the gPCMachineExtensionNames attribute. I recommend copying this into a text editor so you have more space to work with it. This attribute should contain some GUIDs, which are specific to the policies that the GPO contains. By editing this attribute, specifically by removing the GUIDs relating to the old policies, you can remove them from the GPO.

I managed to find a list of the GUIDs that can appear in this attribute at https://blogs.technet.microsoft.com/mempson/2010/12/01/group-policy-client-side-extension-list/. However, I’ll put a copy of it here just in case:

List of Group Policy Client Side Extensions
GUID: Component
{00000000-0000-0000-0000-000000000000} Core GPO Engine
{0E28E245-9368-4853-AD84-6DA3BA35BB75} Preference CSE GUID Environment Variables
{0F6B957D-509E-11D1-A7CC-0000F87571E3} Tool Extension GUID (Computer Policy Settings)
{0F6B957E-509E-11D1-A7CC-0000F87571E3} Tool Extension GUID (User Policy Settings) – Restrict Run
{1612b55c-243c-48dd-a449-ffc097b19776} Preference Tool CSE GUID Data Sources
{17D89FEC-5C44-4972-B12D-241CAEF74509} Preference CSE GUID Local users and groups
{1A6364EB-776B-4120-ADE1-B63A406A76B5} Preference CSE GUID Devices
{1b767e9a-7be4-4d35-85c1-2e174a7ba951} Preference Tool CSE GUID Devices
{25537BA6-77A8-11D2-9B6C-0000F8080861} Folder Redirection
{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006} Preference Tool CSE GUID Drives
{3060E8CE-7020-11D2-842D-00C04FA372D4} Remote Installation Services.
{35141B6B-498A-4CC7-AD59-CEF93D89B2CE} Preference Tool CSE GUID Environment Variables
{35378EAC-683F-11D2-A89A-00C04FBBCFA2} Registry Settings
{3610EDA5-77EF-11D2-8DC5-00C04FA31A66} Microsoft Disk Quota
{3A0DBA37-F8B2-4356-83DE-3E90BD5C261F} Preference CSE GUID Network Options
{3BAE7E51-E3F4-41D0-853D-9BB9FD47605F} Preference Tool CSE GUID Files
{3BFAE46A-7F3A-467B-8CEA-6AA34DC71F53} Preference Tool CSE GUID Folder Options
{3EC4E9D3-714D-471F-88DC-4DD4471AAB47} Preference Tool CSE GUID Folders
{40B66650-4972-11D1-A7CA-0000F87571E3} Scripts (Logon/Logoff) Run Restriction
{42B5FAAE-6536-11d2-AE5A-0000F87571E3} ProcessScriptsGroupPolicy
{47BA4403-1AA0-47F6-BDC5-298F96D1C2E3} Print Policy in PolicyMaker
{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3} Internet Explorer Zonemapping
{516FC620-5D34-4B08-8165-6A06B623EDEB} Preference Tool CSE GUID Ini Files
{53D6AB1D-2488-11D1-A28C-00C04FB94F17} Certificates Run Restriction
{5794DAFD-BE60-433f-88A2-1A31939AC01F} Preference CSE GUID Drives
{5C935941-A954-4F7C-B507-885941ECE5C4} Preference Tool CSE GUID Internet Settings
{6232C319-91AC-4931-9385-E70C2B099F0E} Group Policy Folders
{6232C319-91AC-4931-9385-E70C2B099F0E} Preference CSE GUID Folders
{6A4C88C6-C502-4f74-8F60-2CB23EDC24E2} Preference CSE GUID Network Shares
{7150F9BF-48AD-4da4-A49C-29EF4A8369BA} Preference CSE GUID Files
{728EE579-943C-4519-9EF7-AB56765798ED} Preference CSE GUID Data Sources
{74EE6C03-5363-4554-B161-627540339CAB} Preference CSE GUID Ini Files
{79F92669-4224-476c-9C5C-6EFB4D87DF4A} Preference Tool CSE GUID Local users and groups
{7B849a69-220F-451E-B3FE-2CB811AF94AE} Internet Explorer User Accelerators/PolicyMaker
{803E14A0-B4FB-11D0-A0D0-00A0C90F574B} Computer Restricted Groups
{827D319E-6EAC-11D2-A4EA-00C04F79F83A} Security
{88E729D6-BDC1-11D1-BD2A-00C04FB9603F} Folder Redirection
{8A28E2C5-8D06-49A4-A08C-632DAA493E17} Deployed Printer Connections
{91FBB303-0CD5-4055-BF42-E512A681B325} Preference CSE GUID Services
{942A8E4F-A261-11D1-A760-00C04FB9603F} Software Installation (Computers).
{949FB894-E883-42C6-88C1-29169720E8CA} Preference Tool CSE GUID Network Options
{9AD2BAFE-63B4-4883-A08C-C3C6196BCAFD} Preference Tool CSE GUID Power Options
{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B} Internet Explorer Maintenance policy processing
{A3F3E39B-5D83-4940-B954-28315B82F0A8} Preference CSE GUID Folder Options
{A8C42CEA-CDB8-4388-97F4-5831F933DA84} Preference Tool CSE GUID Printers
{AADCED64-746C-4633-A97C-D61349046527} Preference CSE GUID Scheduled Tasks
{B087BE9D-ED37-454f-AF9C-04291E351182} Preference CSE GUID Registry
{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A} EFS Recovery
{B587E2B1-4D59-4e7e-AED9-22B9DF11D053} 802.3 Group Policy
{B9CCA4DE-E2B9-4CBD-BF7D-11B6EBFBDDF7} Preference Tool CSE GUID Regional Options
{BACF5C8A-A3C7-11D1-A760-00C04FB9603F} Software Installation (Users) Run Restriction
{BC75B1ED-5833-4858-9BB8-CBF0B166DF9D} Preference CSE GUID Printers
{BEE07A6A-EC9F-4659-B8C9-0B1937907C83} Preference Tool CSE GUID Registry
{BFCBBEB0-9DF4-4c0c-A728-434EA66A0373} Preference Tool CSE GUID Network Shares
{C418DD9D-0D14-4efb-8FBF-CFE535C8FAC7} Preference CSE GUID Shortcuts
{C631DF4C-088F-4156-B058-4375F0853CD8} Microsoft Offline Files
{C6DC5466-785A-11D2-84D0-00C04FB169F7} Application Management
{CAB54552-DEEA-4691-817E-ED4A4D1AFC72} Preference Tool CSE GUID Scheduled Tasks
{CC5746A9-9B74-4be5-AE2E-64379C86E0E4} Preference Tool CSE GUID Services
{cdeafc3d-948d-49dd-ab12-e578ba4af7aa} TCPIP
{CEFFA6E2-E3BD-421B-852C-6F6A79A59BC1} Preference Tool CSE GUID Shortcuts
{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D} Internet Explorer Machine Accelerators
{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D} Policy Maker
{CF848D48-888D-4F45-B530-6A201E62A605} Preference Tool CSE GUID Start Menu
{D02B1F72-3407-48AE-BA88-E8213C6761F1} Tool Extension GUID (Computer Policy Settings)
{D02B1F73-3407-48AE-BA88-E8213C6761F1} Tool Extension GUID (User Policy Settings)
{e437bc1c-aa7d-11d2-a382-00c04f991e27} IP Security
{E47248BA-94CC-49C4-BBB5-9EB7F05183D0} Preference CSE GUID Internet Settings
{E4F48E54-F38D-4884-BFB9-D4D2E5729C18} Preference CSE GUID Start Menu
{E5094040-C46C-4115-B030-04FB2E545B00} Preference CSE GUID Regional Options
{E62688F0-25FD-4c90-BFF5-F508B9D2E31F} Preference CSE GUID Power Options
{F0DB2806-FD46-45B7-81BD-AA3744B32765} Policy Maker
{F17E8B5B-78F2-49A6-8933-7B767EDA5B41} Policy Maker
{F27A6DA8-D22B-4179-A042-3D715F9E75B5} Policy Maker
{f3ccc681-b74c-4060-9f26-cd84525dca2a} Audit Policy Configuration
{F581DAE7-8064-444A-AEB3-1875662A61CE} Policy Maker
{F648C781-42C9-4ED4-BB24-AEB8853701D0} Policy Maker
{F6E72D5A-6ED3-43D9-9710-4440455F6934} Policy Maker
{F9C77450-3A41-477E-9310-9ACD617BD9E3} Group Policy Applications
{FB2CA36D-0B40-4307-821B-A13B252DE56C} Enterprise QoS
{FC715823-C5FB-11D1-9EEF-00A0C90347FF} Internet Explorer Maintenance Extension protocol
{FD2D917B-6519-4BF7-8403-456C0C64312F} Policy Maker
{D76B9641-3288-4f75-942D-087DE603E3EA} AdmPwd (LAPS)
{40B6664F-4972-11D1-A7CA-0000F87571E3} Scripts (Startup/Shutdown)
{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B} Internet Explorer Branding
{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63} Wireless Group Policy
{16be69fa-4209-4250-88cb-716cf41954e0} Central Access Policy Configuration
{346193F5-F2FD-4DBD-860C-B88843475FD3} ConfigMgr User State Management Extension
{426031c0-0b47-4852-b0ca-ac3d37bfcb39} QoS Packet Scheduler
{4bcd6cde-777b-48b6-9804-43568e23545d} Remote Desktop USB Redirection
{4d968b55-cac2-4ff5-983f-0a54603781a3} Work Folders
{728EE579-943C-4519-9EF7-AB56765798ED} Group Policy Data Sources
{7933F41E-56F8-41d6-A31C-4148A711EE93} Windows Search Group Policy Extension
{BA649533-0AAC-4E04-B9BC-4DBAE0325B12} Windows To Go Startup Options
{C34B2751-1CF4-44F5-9262-C3FC39666591} Windows To Go Hibernate Options
{c6dc5466-785a-11d2-84d0-00c04fb169f7} Software Installation (appmgmts.dll)
{e437bc1c-aa7d-11d2-a382-00c04f991e27} IP Security
{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f} CP (gptext.dll)
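
The attribute edit described in the steps above can be rehearsed offline before touching Active Directory. The following is an added example, not code from the original post: it relies on the attribute's layout of bracketed groups, each holding a client-side extension GUID followed by its tool extension GUIDs, and the function names and sample value are made up for illustration.

```powershell
# Added example: parse and edit a gPCMachineExtensionNames value offline.
# Layout: [{CSE GUID}{tool GUID}...][{CSE GUID}{tool GUID}...]
function ConvertFrom-GpcExtensionNames {
    param([Parameter(Mandatory)][string]$Value)
    foreach ($group in [regex]::Matches($Value, '\[[^\]]*\]')) {
        $guids = @([regex]::Matches($group.Value, '\{[0-9A-Fa-f-]{36}\}') |
            ForEach-Object { $_.Value })
        if ($guids.Count -eq 0) { continue }
        # First GUID in a group is the CSE; the rest are its tool extensions.
        [pscustomobject]@{
            Cse   = $guids[0]
            Tools = @($guids | Select-Object -Skip 1)
            Raw   = $group.Value
        }
    }
}

function Remove-GpcExtension {
    param([Parameter(Mandatory)][string]$Value,
          [Parameter(Mandatory)][string]$CseGuid)
    $target = '{' + ($CseGuid -replace '[{}]', '') + '}'
    # Drop the whole [...] group so no orphaned tool GUID stays behind;
    # the remaining groups keep their original text and order.
    -join (ConvertFrom-GpcExtensionNames -Value $Value |
        Where-Object { $_.Cse -ne $target } |
        ForEach-Object { $_.Raw })
}

# Names copied from the CSE list on this page (subset).
$cseNames = @{
    '{3060E8CE-7020-11D2-842D-00C04FA372D4}' = 'Remote Installation Services'
    '{35378EAC-683F-11D2-A89A-00C04FBBCFA2}' = 'Registry Settings'
    '{827D319E-6EAC-11D2-A4EA-00C04F79F83A}' = 'Security'
}

# Constructed sample value, not read from a real GPO.
$sample = '[{3060E8CE-7020-11D2-842D-00C04FA372D4}{0F6B957D-509E-11D1-A7CC-0000F87571E3}]' +
          '[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}]' +
          '[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]'

# Audit: list each extension the GPO claims to carry.
ConvertFrom-GpcExtensionNames -Value $sample | ForEach-Object {
    $name = if ($cseNames.ContainsKey($_.Cse)) { $cseNames[$_.Cse] } else { 'unknown' }
    '{0}  {1}  ({2} tool GUIDs)' -f $_.Cse, $name, $_.Tools.Count
}

# Cleanup: value with the Remote Installation Services group removed.
Remove-GpcExtension -Value $sample -CseGuid '3060E8CE-7020-11D2-842D-00C04FA372D4'
```

Against a live GPO the string would come from `Get-ADObject -Properties gPCMachineExtensionNames` and be written back with `Set-ADObject -Replace`; save the original value first so the change can be rolled back.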

 

To talk specifically about the Print Management settings I was working with, these were stored in Active Directory, and you could actually look at them to find out what was present. My guess is this was a legacy way to do things that was replaced, so it was good to get that cleaned up. However, if you ever for some reason need to get this information, you can look at the object in Active Directory. In my case this was located in System>Policies>{GUID}>Machine>PushedPrinterConnections, and contained a GUID of its own of the type msPrint-ConnectionPolicy. By viewing the Attributes of this object you could get information about it, such as the uNCName to get the printer path. By removing the GUID of the Print Management from the GPO ({47BA4403-1AA0-47F6-BDC5-298F96D1C2E3} from the above list) this object was deleted, and gone from Group Policy Management.

Group Policy Preferences for Printers

Before my exercise there were quite a few policies for printers, each linked to a single OU to assign specific printers; however, this very quickly became cluttered. Replacing this with more general GPOs using Group Policy Preferences and including logic to only apply printers based on rules such as the GPO of the computer, the subnet, a security group, or the individual computer, allowed this to be much neater and much more controlled; there was, however, a trade-off, as it became a bit more complex. Some of the things I noticed were:

  • The order of your GPPs is quite important! If you’re adding printers from scratch, or removing all printers before adding new ones, the first applied printer will become the default.
  • Security Groups might not take effect without a reboot. This one caused me a bit of panic! If you add computer objects in AD to security groups, the computer won’t recognize itself as a member of that group until a reboot. So if you’re applying Group Policy Preferences based on a newly created group you’ve added computers to, be mindful.
  • Printer permissions need to run in the user’s context. If you changed the permissions of the printer on the print service so that only specific people can print to it, the printer might not map using Group Policy Preferences. This is because the permissions need to run in the user’s security context, so open up the printer from your GPO and on the Common tab select “Run in logged-on user’s security context (user policy option)”.
