In managed environments where AD DS is deployed,
administrators can use Group Policy to manage different aspects of the
end user's experience of installing, configuring, and using printer
connections.
You can find Group Policy
settings for managing the client-side printer experience in the
following two locations in Group Policy Object Editor:
The following sections
describe printer policy settings that are new to Windows 7 and Windows
Vista. For general information concerning printer policy settings
introduced in earlier versions of Windows that still apply to Windows 7,
see the "Group Policy Settings Reference for Windows Server 2008 R2 and
Windows 7," which can be obtained from the Microsoft Download Center (http://www.microsoft.com/downloads/).
You can also use Group
Policy Preferences in Windows 7 and Windows Server 2008 R2 to configure
local printers and to map network and TCP/IP printers. Group Policy
Preferences provide an alternative to Group Policy Policies. The main
difference between them is enforcement: policy settings are always
enforced, whereas preferences can be overridden by end users.
1. Configuring the Add Printer Wizard
You can find the following two policies that control how the Add Printer Wizard works on client computers under Computer Configuration\Policies\Administrative Templates\Printers:
Add Printer Wizard – Network Scan Page (Managed Network) This policy
sets the maximum number of printers (of each type) that the Add Printer
Wizard will display on a computer on a managed network (when the
computer is able to reach a domain controller, such as a domain-joined
laptop on a corporate network).
If
this setting is disabled, the network scan page is not displayed. If
this setting is not configured, the Add Printer Wizard displays the
default number of printers of each type:
Directory printers: 20
TCP/IP printers: 0
Web Services printers: 0
Bluetooth printers: 10
Shared printers: 0
If
you don't want to display printers of a certain type, enable this
policy and set the number of printers to display to 0. You can control
the number of printers of each type that are displayed by configuring
the settings contained in this policy, as shown in Figure 1.
Add Printer Wizard – Network Scan Page (Unmanaged Network) This policy sets the maximum number of printers
(of each type) that the Add Printer Wizard will display on a computer
on an unmanaged network (when the computer is not able to reach a domain
controller, such as a domain-joined laptop on a home network).
If
this setting is disabled, the network scan page is not displayed. If
this setting is not configured, the Add Printer Wizard displays the
default number of printers of each type:
Again,
if you don't want to display printers of a certain type, enable this
policy and set the number of printers to display to 0.
2. Disable Client-Side Printer Rendering
Administrators can also use Group
Policy to prevent printer rendering from occurring on client computers.
By default, when an application running on a Windows 7 or Windows Vista
computer sends a job to a printer hosted on a print server, the job is
rendered on the client computer before it is sent to the print server.
The following policy setting controls print job rendering behavior on
Windows 7 and Windows Vista computers:
Computer Configuration\Policies\Administrative Templates\Printers\Always Render Print Jobs On The Server
When printing through to
printers hosted on a print server, this policy determines whether the
print spooler on the client will process print jobs itself or will pass
them on to the server to do the work. This policy setting only affects
printing to a Windows print server.
If you enable this policy setting
on a client computer, the client spooler will not process print jobs
before sending them to the print server. This decreases the workload on
the client at the expense of increasing the load on the server.
If you disable this policy
setting on a client computer, the client itself will process print jobs
into printer device commands. These commands will then be sent to the
print server, and the server will simply pass the commands to the
printer. This increases the workload of the client while decreasing the
load on the server. If you do not enable this policy setting, the
behavior is the same as disabling it.
Keep the following considerations in mind when using this policy:
This policy does
not determine whether offline printing will be available to the client.
The client print spooler can always queue print jobs when not connected
to the print server. On reconnecting to the server, the client will
submit any pending print jobs.
Some
printer drivers require a custom print processor. In some cases, the
custom print processor might not be installed on the client computer,
such as when the print server does not support transferring print
processors during Point and Print. In the case of a print
processor mismatch, the client spooler will always send jobs to the
print server for rendering. Disabling the preceding policy setting does
not override this behavior.
In
cases in which the client print driver does not match the server print
driver (mismatched connection), the client will always process the print
job regardless of the setting of this policy.
3. Configuring Package Point and Print Restrictions
Windows XP SP1 and Windows Server 2003 introduced the following Group Policy setting:
User Configuration\Policies\Administrative Templates\Control Panel\Printers\Point And Print Restrictions
This policy setting
controls the servers to which a client computer can connect for Point
and Print. A new feature of this policy setting for Windows 7 and
Windows Vista is the ability to control the behavior of UAC prompts when
installing printer drivers on Windows Vista computers using Point and
Print (see Figure 2). This policy setting applies only to non–Print Administrators clients and only to computers that are members of a domain.
When you enable the policy
setting, the client is restricted to only Point and Print to a list of
explicitly named servers. You can configure Windows 7 and Windows Vista
clients to not show security warnings or elevation prompts when users
Point and Print or when drivers for printer connections need to be
updated.
If you do not configure the policy setting:
Windows XP and Windows Server 2003 client computers can point and print to any server in their forest.
Windows Vista and later client computers can point and print to any server.
Windows Vista and later computers will show a warning and an elevation prompt when users point and print to any server.
Windows
Vista and later computers will show a warning and an elevation prompt
when a driver for an existing printer connection needs to be updated.
If you disable the policy setting:
Windows XP and Windows Server 2003 client computers can point and print to any server.
Windows Vista and later client computers can point and print to any server.
Windows Vista and later computers will not show a warning or an elevation prompt when users point and print to any server.
Windows
Vista and later computers will not show a warning or an elevation
prompt when a driver for an existing printer connection needs to be
updated.
Note that the Users Can Only
Point And Print To Machines In Their Forest setting applies only to
Windows XP SP1 (and later service packs) and Windows Server 2003.
In addition to this updated Point And Print Restrictions policy setting, Windows 7 and Windows Vista include two new policy settings related to Point and Print:
Only Use Package Point And Print
This policy restricts clients' computers to use Package Point and Print
only. If you enable this setting, users will only be able to point and
print to printers that use package-aware drivers. When using Package
Point and Print, client computers will check the driver signature of all
drivers that are downloaded from print servers. If you disable or don't
configure this setting, users will not be restricted to Package Point
and Print only.
Package Point And Print – Approved Servers
Restricts Package Point and Print to approved servers. If you enable
this setting, users will only be able to use Package Point and Print on
print servers approved by the network administrator. When using Package
Point and Print, client computers will check the driver signature of all
drivers that are downloaded from print servers. If you disable or don't
configure this setting, Package Point and Print will not be restricted
to specific print servers.
In Package Point and
Print, the complete driver package is put in the driver store on the
Windows 7 or Windows Vista client computer. All files in the printer
driver are installed on the client, and the installation process ensures
that the package is digitally signed properly before adding it to the
store. This result is a more secure form of Point and Print than found
on previous versions of Windows.
Note:
Printing from Windows Vista and later versions to print servers running earlier versions of Windows uses legacy Point and Print.
4. Extending Point and Print Using Windows Update
By default, Windows Update
is checked for a compatible driver whenever a user uses the Add Printer
Wizard to install a new printer. When a compatible in-box driver cannot
be found when Group Policy is used to deploy a printer to a client
computer, Windows Update is again checked for a compatible driver. This
failover behavior can be turned off in enterprise environments using the
following Group Policy setting, which is new in Windows 7 and Windows
Server 2008 R2:
Computer
Configuration\Policies\Administrative Templates\Printers\Extend Point
And Print Connection To Use Windows Update And Use An Alternate
Connection If Needed
If you enable or do not
configure this policy setting, the client computer will continue to
search for compatible Point and Print drivers from Windows Update after
it fails to find the compatible driver from the local driver store and
the server driver cache. If the client computer is unable to find a
compatible Point and Print driver, it will attempt to create a CSR
mismatch connection using any available driver that supports the
hardware. If you disable this policy setting, the client computer will
search only the local driver store and server driver cache for
compatible Point and Print drivers. If it is unable to find a compatible
driver, then the Point and Print connection will fail.
If this policy is enabled,
the new cross-platform Point and Print feature of Windows 7 is also
enabled. Cross-platform Point and Print is designed to allow users who
have computers running different processor architectures (x86 or x64,
for example) to share their printers easily. Cross-platform Point and
Print is designed to enable the following types of scenarios:
Karen brings home a new
Windows 7 laptop for her son to use in school. She decides to upgrade
her old Windows XP desktop to Windows 7 at the same time. She enrolls
both PCs to her new HomeGroup during the setup process. She takes her
existing inkjet printer and plugs it into her desktop system through the
USB port. A short while later, she notices that her son's laptop
already has a print queue for her office printer so he can print reports
and other documents. She is unaware of the fact that the desktop is
running an x86 version of Windows and the laptop is running an x64
version of Windows. This setup works because, in Windows 7, a user can
add a printer locally to one system in a HomeGroup, and every other PC
in the HomeGroup will search their local driver store, the print server,
and Windows Update to find a suitable driver to make a print
connection.
Tony
brings home a new Windows 7 laptop for working on personal projects. He
already has a home network set up, including an older Windows XP file
and print server in his office. After the new laptop is set up, Tony
uses the Add Printer Wizard to create a new connection to his office
printer. The new laptop is running an x64 edition of the Windows 7
Business operating system. The printer is older, and there are no in-box
drivers. Without
any prompts or elevations, the system searches Windows Update to find a
suitable driver, installs it, and creates the connection to the
printer. Tony then brings his laptop to work because he wants to use it
for a presentation. After the meeting, he is asked to print out a copy
of the slides for his manager. He navigates to the print server at work
through Windows Explorer and opens the printer. After a few minutes, it
is available to print, and he makes a copy of the slides even though
Windows Update is blocked by his company's IT department.
In business
environments, you might want to disable the automatic querying Windows
Update for compatible printer drivers, especially when Group Policy is
used to deploy printers as described in the next section. An example of a
scenario in which you disable this Group Policy setting might be the
following:
Tony is
setting up a small business computer environment for a startup. He is
using Windows 7 for all of the systems. He writes some scripts to set up
the servers, including a connection to a shared printer for printing
out logs and other reports periodically. He also uses the Print
Management console to set up the print server and push printer
connections out to all of the clients. On the first client box he tests,
he notices that it is going to Windows Update to find a print driver
for the push printer connection. This is not the behavior he wants, so
he investigates and finds out that a new feature in Windows 7 allows
clients to search Windows Update for drivers when they aren't available
on the server. He also discovers that Group Policy can be configured to
disable this failover case. He disables this policy setting and adds the
driver found on Windows Update to the print server so that the
remaining clients can use standard Point and Print.