A question came up this morning from a customer who wants to create a GPO that applies to a group of machines and maps specific printers to those machines and does not allow logged on users to map additional printers to those machines or remove the already mapped printers.
Unless running Windows Server 2003 R2, there isn’t a specific GPO to map printers. In R2 with the Print Management console you can configure it to have a GPO map printers. It uses a combination of GPO and an executable to push printers by user or machine as described here. Absent that I’ve always done it via login script deployed via a GPO.
In this case, the customer wanted it scoped to certain machines so we’d probably need to use a WMI filter on the GPO so it only runs the login script when the user is logging in to those machines. The sticking point is that a simple WMI filter query isn’t going to be able to query AD to see what OU the computer is in.
A way around this would be to apply a machine startup script via GPO for those machines that creates an environment variable. Then have the user login script GPO with a WMI filter looking for that environment variable. If it’s there, run the GPO login script to map printers, if not, don’t run. A little complicated but it’s really only 3 steps and a few lines of code. If WMI filtering isn’t available you could just have the login script check for the variable but it would run on all machines the user logs in to.
1. Machine startup script from GPO applied to desired computers creates an environment variable
2. User login script from GPO with a WMI Filter looking for the environment variable only runs if it’s there
3. Login script maps the appropriate printers
4. GPO (described below) disables user’s ability to add/delete printers
In the second half of the article below it outlines the GPO settings for disabling a user’s ability to both add and delete printers.
Following this methodology you should be able to mandate a set of printers that gets mapped on a machine and prohibit the user from changing the set. Of course this is much easier with Windows Server 2003 R2…