Jorge's Quest For Knowledge!


(2005-12-02) Distributing Printer Connections In R2 Along With Group Filtering

Posted by Jorge on 2005-12-02


Before the summer vacation, when R2 was publicly released as Beta 2, I started working and testing with it. One of the things I played with was the distribution of printer connections along with group filtering.

To get distribution of printer connections working the following must be done:

* Configure the VBScript ‘PPCLogonScript.vbs’ as a logon script, so that when a user logs on the script checks which GPOs are in place for the computer and for the user

* Create a GPO (let’s call it ‘GPO_PRINTER-CONNECTION_COMPUTERS’) and link it to an OU with computers (let’s call that OU ‘COMPUTERS-OU’)

* Create a GPO (let’s call it ‘GPO_PRINTER-CONNECTION_USERS’) and link it to an OU with users (let’s call that OU ‘USERS-OU’)

* Join a computer to the domain and move its computer account into the ‘COMPUTERS-OU’

* Create a simple user account in the ‘USERS-OU’

* On some server (let’s call that SERVER001) install 2 printers (let’s call them PRINTER001 and PRINTER002)

* Distribute the printer connection of PRINTER001 using GPO ‘GPO_PRINTER-CONNECTION_COMPUTERS’

* Distribute the printer connection of PRINTER002 using GPO ‘GPO_PRINTER-CONNECTION_USERS’

By default, a computer account (let’s call it COMPUTER001) and a user account (let’s call it USER001), once authenticated by a DC, belong to the ‘Authenticated Users’ well-known security ID. Each GPO, when created and linked, has ‘Authenticated Users’ assigned READ and APPLY.

(TEST 1) So when booting ‘COMPUTER001’ and logging on with ‘USER001’, you will see two printer connections within ‘Printers and Faxes’, to \\SERVER001\PRINTER001 and \\SERVER001\PRINTER002. So far nothing unexpected happened…

Now I want the same printer connections to be distributed only to computers and users that are members of respectively the groups ‘gsg_PrinterConnectionsComputers’ and ‘gsg_PrinterConnectionsUsers’.

Using the GPMC, I remove ‘Authenticated Users’ from security filtering for BOTH GPOs ‘GPO_PRINTER-CONNECTION_COMPUTERS’ and ‘GPO_PRINTER-CONNECTION_USERS’. Again using the GPMC, I add ‘gsg_PrinterConnectionsComputers’ for security filtering to the GPO ‘GPO_PRINTER-CONNECTION_COMPUTERS’ and I add ‘gsg_PrinterConnectionsUsers’ for security filtering to the GPO ‘GPO_PRINTER-CONNECTION_USERS’.

(TEST 2) So when booting ‘COMPUTER001’ again and logging on with ‘USER001’, you should not see the two printer connections within ‘Printers and Faxes’, because neither the computer account nor the user account is a member of the filtered groups. Wrong! You will still see them. I started to investigate this and found out that the VBScript queries AD for objects of the class ‘msPrintConnectionPolicy’, and although the GPOs were configured with security filtering, the printer connection objects themselves explicitly granted ‘Authenticated Users’ the ‘Read All Properties’ permission, which is why the script was able to see them and add them. The solution was easy. For security filtering to work on GPOs WITH printer connections, the ‘Default Security’ of the class ‘msPrintConnectionPolicy’ had to be changed slightly: using the Schema MMC, ONLY remove ‘Read All Properties’ for ‘Authenticated Users’.

With this change, ALL NEW printer connection objects created after the permissions change get the correct permissions, so security filtering can be used for GPOs WITH printer connections. However, printer connection objects created BEFORE the permissions change still carry the old permissions and need to be changed to reflect the new definition of the ‘Default Security’ for the class ‘msPrintConnectionPolicy’. If you have already created a lot of printer connection objects in AD, there is a quick way to change this: use ADFIND (from joeware.net) and DSACLS (from the Support Tools).

Run the following command to get the distinguished name of existing printer connection objects:

* AdFind.exe -b "CN=Policies,CN=System,DC=<DOMAIN>,DC=<TLD>" -f "(objectCategory=msPrint-ConnectionPolicy)" -dn -dsq > ReACL_ALL_msPrint-ConnectionPolicies.cmd

Open ReACL_ALL_msPrint-ConnectionPolicies.cmd with notepad and:

* Add DSACLS at the beginning of each line

* Add /S /T at the end of each line

The result for each line should be something like:

DSACLS "CN={A4028A0A-C352-4D56-AD6A-D6C3E1B005DE},CN=PushedPrinterConnections,CN=Machine,CN={E1665B10-7917-4A67-992F-2D021A6495FC},CN=Policies,CN=System,DC=<DOMAIN>,DC=<TLD>" /S /T

Run ReACL_ALL_msPrint-ConnectionPolicies.cmd so that the explicit permissions of all existing objects match the new definition of the ‘Default Security’ for the class ‘msPrintConnectionPolicy’.
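The AdFind-then-Notepad steps above can be automated. The script below is an added example written for this post; it is not the author's code and not part of AdFind or DSACLS. It takes the AdFind output (a constructed sample is embedded, reusing the two GUIDs shown above plus a made-up per-user entry under DC=example,DC=com), strips the double quotes that I assume `-dsq` puts around each DN (the quotes in the DSACLS line above had to come from somewhere), and emits one `DSACLS "<dn>" /S /T` line per object. It also refuses any DN outside CN=Policies,CN=System: `/S` throws away every explicit ACE on the object, so an over-broad search base must not be allowed to reset ACLs on unrelated directory objects.

```python
"""Build ReACL_ALL_msPrint-ConnectionPolicies.cmd from AdFind output.

Added example (not from the original post): replaces the manual Notepad step
of prefixing each line with DSACLS and suffixing /S /T.
"""
import re
import sys
from typing import List

# Assumption: AdFind -dn -dsq prints one DN per line, each wrapped in double quotes.
POLICIES_CONTAINER_RE = re.compile(r",CN=Policies,CN=System,DC=", re.IGNORECASE)

# Constructed sample of AdFind output. The first line reuses the GUIDs shown in
# the post; the second line (a per-user connection) is made up for this example.
SAMPLE_ADFIND_OUTPUT = (
    '"CN={A4028A0A-C352-4D56-AD6A-D6C3E1B005DE},CN=PushedPrinterConnections,'
    'CN=Machine,CN={E1665B10-7917-4A67-992F-2D021A6495FC},CN=Policies,CN=System,'
    'DC=example,DC=com"\n'
    '"CN={11111111-2222-3333-4444-555555555555},CN=PushedPrinterConnections,'
    'CN=User,CN={E1665B10-7917-4A67-992F-2D021A6495FC},CN=Policies,CN=System,'
    'DC=example,DC=com"\n'
    '\n'
)


def parse_adfind_dns(adfind_output: str) -> List[str]:
    """Return the DNs from AdFind output, dropping blank lines and surrounding quotes."""
    dns = []
    for raw in adfind_output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if len(line) >= 2 and line[0] == '"' and line[-1] == '"':
            line = line[1:-1]
        dns.append(line)
    return dns


def is_in_policies_container(dn: str) -> bool:
    """True when the DN sits under CN=Policies,CN=System, i.e. inside a GPO."""
    return POLICIES_CONTAINER_RE.search(dn) is not None


def build_dsacls_lines(dns: List[str]) -> List[str]:
    """Turn each DN into the 'DSACLS "<dn>" /S /T' line the post asks for.

    /S resets the object's ACL to the schema default of its class (the changed
    'Default Security' of the printer connection class) and /T applies that to
    the subtree. Because /S discards every explicit ACE on the object, DNs
    outside the GPO policies container are rejected rather than re-ACLed.
    """
    lines = []
    for dn in dns:
        if not is_in_policies_container(dn):
            raise ValueError(f"refusing to re-ACL object outside CN=Policies: {dn}")
        if '"' in dn:
            raise ValueError(f"DN contains a double quote, cannot be quoted safely: {dn}")
        lines.append(f'DSACLS "{dn}" /S /T')
    return lines


def write_reacl_script(adfind_output: str, path: str) -> int:
    """Write the .cmd file with CRLF line endings; return the number of DSACLS lines."""
    lines = build_dsacls_lines(parse_adfind_dns(adfind_output))
    with open(path, "w", newline="") as fh:
        fh.write("@echo off\r\n")
        for line in lines:
            fh.write(line + "\r\n")
    return len(lines)


if __name__ == "__main__":
    # Usage: AdFind.exe -b "..." -f "(objectCategory=msPrint-ConnectionPolicy)" -dn -dsq | python reacl.py
    # Without piped input the constructed sample is used.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ADFIND_OUTPUT
    for cmd_line in build_dsacls_lines(parse_adfind_dns(data)):
        print(cmd_line)
```

Redirect the printed lines into ReACL_ALL_msPrint-ConnectionPolicies.cmd, or call `write_reacl_script()` to get a CRLF file directly; review the generated file before running it, since every listed object will have its explicit ACL replaced.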

(TEST 3) So when booting ‘COMPUTER001’ again and logging on with ‘USER001’, you should not see the two printer connections within ‘Printers and Faxes’, because neither the computer account nor the user account is a member of the filtered groups. And indeed, as neither is a member of the groups, the printer connections were removed (as it should be)!

In ADUC I make ‘COMPUTER001’ a member of ‘gsg_PrinterConnectionsComputers’ and ‘USER001’ a member of ‘gsg_PrinterConnectionsUsers’.

(TEST 4) So when booting ‘COMPUTER001’ again and logging on with ‘USER001’, the two printer connections reappear within ‘Printers and Faxes’, because the computer account and the user account are now members of the filtered groups.

In RC0 and RC1 the VBScript ‘PPCLogonScript.vbs’ was replaced by a utility called ‘PushPrinterConnections.exe’.

The difference in usage is:

* The utility ‘PushPrinterConnections.exe’ (available in %WINDIR%\PMCSnap) must be used in a startup script (for per-machine printer connections) and/or in a logon script (for per-user printer connections) to read the printer connections from AD and add them to the client/user.

Using the utility ‘PushPrinterConnections.exe’, which is now available instead of the VBScript, the following happens when doing the same tests:

TEST 1: same behavior as with the VBScript; nothing changed.

ADDITIONAL TEST: distribution of the printer connection for \\SERVER001\PRINTER002 was removed from the GPO ‘GPO_PRINTER-CONNECTION_USERS’. So when rebooting and logging on again, the printer connection for PRINTER002 should be gone, and that happened! So nothing wrong (yet).

ADDITIONAL TEST: distribution of the printer connection for \\SERVER001\PRINTER001 was removed from the GPO ‘GPO_PRINTER-CONNECTION_COMPUTERS’, and distribution of the printer connection for \\SERVER001\PRINTER002 was added again to the GPO ‘GPO_PRINTER-CONNECTION_USERS’. So when rebooting and logging on again, the printer connection for PRINTER001 should be gone and the printer connection for PRINTER002 should reappear, and that happened! So nothing wrong (yet).

TEST 2: same behavior as with the VBScript; nothing changed.

ADDITIONAL TEST: deleted all printer connections on the client and rebooted. The GPOs are still filtered for the groups and the accounts are still not members. The printer connection for \\SERVER001\PRINTER001 appeared and the printer connection for \\SERVER001\PRINTER002 did not appear. The GPOs are filtered, so neither printer connection should appear.

TEST 3: the printer connection for \\SERVER001\PRINTER001 appeared and the printer connection for \\SERVER001\PRINTER002 did not appear. The GPOs are filtered, so neither printer connection should appear.

TEST 4: both connections are available; same behavior as with the VBScript, nothing changed. However, if I remove the accounts from the groups and reboot/log on again, the printer connections should disappear. That does not happen!

IMHO the following solutions exist:

* Please tell me what is going wrong and how to achieve what I want (how does the utility ‘PushPrinterConnections.exe’ work?)

* Please repair the utility ‘PushPrinterConnections.exe’

* Please give back the VB-script that worked before

If someone knows an answer to this, feel free to post!

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
