How to deploy printers using GPOs

Manually managing printers across a domain requires admins to login to every device and configure printers every time a new user joins or a printer changes. In organizations with dozens or hundreds of endpoints, this becomes a glaring issue.

GPOs allow admins to deploy printers centrally through policies, connecting shared network printers to users or machines without requiring anyone to browse a print server or run an installer. The print server hosts the printer and its driver, and the GPO tells the domain users or computers to connect to it.

There are two primary methods for configuring this in the Group Policy Management Console (GPMC):

• Using deployed printers: This is the older approach and is more prone to errors, particularly after the PrintNightmare security patches that were introduced in 2021.
• Using Group Policy preferences: This is the recommended approach for all environments as it supports item-level targeting, per user security context, and automatic removal when users leave a group and it is far less susceptible to the errors associated with the legacy method.

Prerequisites for printer deployment using GPOs

Before deploying printers using the GPMC, confirm the following are in place:

• Print server: A Windows Server with the Print and Document Service s role installed is required. The printer must be shared with a path accessible to all target users or computers. For example, in a path like \\PrintServer\OfficePrinter.
• Printer drivers: The correct driver for each printer must be installed on the print server. Ensure the driver architecture matches your client environment as unsigned or incompatible drivers are a leading cause of deployment failures, especially on Windows 11.
• Domain controller (DC) and GPMC: You need access to the GPMC on a domain controller or on a workstation with Remote Server Administration Tools (RSAT) installed.
• Permissions: The target users need at least Print permission on the shared printer and the administrators configuring the GPO need domain admin rights or delegated GPO management permissions.
• PrintNightmare patch awareness: After August 2021, Windows security patches enforce strict driver installation restrictions via the RestrictDriverInstallationToAdministrators registry policy. If standard users cannot install drivers, GPO printer deployment via the legacy Deployed Printers node will fail with Event ID 1085.

How to deploy printers using Deployed Printers

Windows provides an older, more direct method through the Print Management console for pushing printers to domain computers via the Deployed Printers node in the Group Policy Management Editor.

This method requires the printer to be shared on a print server and visible in the Print Management console. The steps below assume the print server is already set up and the printer is installed and shared.

1. On the print server or any machine with Print Management installed, press Win + R, type printmanagement.msc, and press Enter.
2. In the left pane, expand Print Servers and your server name.
3. Click Printers. You will see a list of all printers hosted on that print server. Locate the printer you want to deploy.
4. Right-click the printer and select Deploy with Group Policy.
5. This opens the Deploy with Group Policy dialog box. You will see a Group Policy Object field at the top.
6. Click the Browse button next to the Group Policy Object field. The Browse for a Group Policy Object dialog opens, showing the GPOs available in your domain. You have two options here:
• Select an existing GPO: If you already have a printer deployment GPO created, select it from the list and click OK.
• Create a new GPO: Click the New GPO icon, type a name for the new GPO, click OK, then select it from the list.
7. Once the GPO is selected, it will appear in the Group Policy Object field.
8. Below the GPO field, you will see two checkboxes. Check the one that matches your deployment intent:
• The users that this GPO applies to: The printer will be installed for specific users and it follows them to any computer they log into within the domain.
• The computers that this GPO applies to: The printer will be installed on a specific computer for all users who log into it, regardless of who they are.
9. Click Add to confirm the selection. The printer and the chosen deployment mode will appear in the list at the bottom of the dialog.
10. Click OK.
11. Open the Group Policy Management Console.
12. Locate the GPO you linked in Step 6, right-click it and select Edit to open the Group Policy Management Editor. Navigate to the path that matches your deployment mode:
• Per-user: User Configuration > Policies > Windows Settings > Deployed Printers
• Per-machine: Computer Configuration > Policies > Windows Settings > Deployed Printers
13. In the right pane, you should see the printer listed with a status of Deployed. This confirms the printer has been successfully associated with the GPO.
14. If you created a new GPO in Step 6, it may not yet be linked to an OU. Navigate back to the Group Policy Management Console, right-click the target OU and select Link an Existing GPO. Choose the GPO you just created and click OK.
15. On a client machine within the target OU, open Command Prompt as Administrator and execute the gpudpate /force command.
16. Once the update completes, navigate to Settings > Bluetooth & Devices > Printers & Scanners to find the deployed printers.

If the printer doesn't appear, run gpresult /r to confirm the GPO is being applied to the user or machine.

How to deploy printers via GPO using GPMC

Perform the following steps to create a GPO that automatically installs a shared printer for members of a specific security group when they log on to any DC.

Set up and share the printer on the print server

1. On the Windows Server acting as your print server, open the Print Management console by pressing Win + R and typing printmanagement.msc.
2. In the left pane, expand Print Servers, right-click Drivers, and select Add Driver. Depending on your Windows architecture, install the appropriate driver for your printer model. If the driver isn't listed, click Have Disk and point to the manufacturer's driver package.
3. Once the driver is installed, add the printer, right-click it, and select Printer Properties > Sharing. Give it a clear, consistent name such as, HR-ColorLaser. Make note of the full UNC path: \\YourPrintServer\HR-ColorLaser. This is the path you'll enter in the GPO.
4. Optionally, in the Sharing tab, check List in the directory to publish the printer in AD, making it discoverable by users.

Create a security group in AD

5. Open ADUC and navigate to the OU where you manage groups. Create a new Security Group and add all users in the HR department as members.
6. You can repeat this for each printer cluster. Using groups rather than individual accounts makes future maintenance straightforward and adding a user to a group is all it takes to give them a printer.

Create a new GPO

7. Open the GPMC.
8. In the left pane, expand your forest and domain, then locate the OU containing the user accounts you want to target.
9. Right-click the OU and select Create a GPO in this domain, and Link it here.
10. Enter the details and click OK.

You can manage multiple printers from a single GPO using item-level targeting. There's no need to create a separate GPO for every printer.

Editing Group Policy preferences

11. Right-click your new GPO and select Edit. In the Group Policy Management Editor, navigate to: User Configuration > Preferences > Control Panel Settings > Printers.
12. Right-click in the right pane, hover over New, and select Shared Printer.

Configure the shared printer preference item

13. In the New Shared Printer Properties dialog, navigate to the General tab and configure the following:
• Action: Set to Update. This creates the connection if it doesn't exist, or updates it if it does.
• Share path: Enter the UNC path to your shared printer. For example, \\PrintServer\HR-ColorLaser
• Optionally check Set this printer as the default printer if appropriate.
14. Navigate to the Common tab and configure the following:
• Check the Run in logged-on user's security context (user policy option) option. Without it, the printer installs in the system context, which can cause driver installation failures for standard users.
• Check Item-level targeting and click the Targeting button
15. In the Targeting Editor, click New Item and select Security Group.
16. In the Group field, type the name of your security group.
17. Click OK to close the targeting editor, then OK again to save the printer preference item.
18. Back in the Printers view, you'll see your new entry listed. Repeat the steps for each additional printer, pointing each one to its respective security group.
19. To automatically remove a printer when a user is removed from the group, go back to the Common tab of each printer preference item and check Remove this item when it no longer applies.

Force a GPO update

1. On a client machine where a test user who is a member of the group is logged in, open Command Prompt as Administrator and run the following command:
   Click to copy script

   gpupdate /force
2. Wait for the refresh to complete and navigate to Settings > Bluetooth & Devices > Printers & Scanners and confirm if the printer appears.
3. To audit which GPOs were applied, run:
   Click to copy script

   gpresult /r
4. Or for a full HTML report:
   Click to copy script

   gpresult /H C:\GPReport.html
5. Open the report and look for your printer GPO under Applied GPOs in the User section.

How to deploy printers via GPO using ADManager Plus

ADManager Plus, a GPO management and reporting tool, allows admins to create, configure, and manage GPOs without the multi-console navigation that the native workflow demands. To deploy printers via GPO using ADManager Plus:

1. Log in to ADManager Plus and navigate to the Management tab
2. In the left pane, navigate to GPO Management and click Manage GPOs.
3. From the Select Domain dropdown, choose the domain in which you want to create or manage the printer deployment GPO.
4. In the Manage GPOs page, click + Create New GPO.
5. In the dialog that appears, enter a descriptive name for the GPO.
6. Click Link Now to immediately link the GPO to one or more OUs, domains, or sites or Link Later to create the GPO without linking it, then configure settings before linking.
7. Choose the target OU(s) containing the users or computers who should receive the printer deployment, and click Create.
8. In the Manage GPOs list, locate the GPO you just created. In the Actions column, click Edit GPO Settings.
9. Alternatively, click the Scope and Delegation link of the GPO and then click Edit GPO.
10. In the left pane of the Edit GPO Settings window, expand either:
• User Configuration > Policies > Administrative Templates > Control Panel > Printers to deploy printers per user, or
• Computer Configuration > Policies > Administrative Templates > Printers to deploy printers per machine.
11. Any existing printer preference items for this GPO will be listed here.
12. Click the Common tab of the printer preference item and configure the following:
• Check Run in logged-on user's security context (user policy option)—this ensures the printer installs in the context of the logged-in user rather than the system, which is required for standard (non-admin) users to receive the printer correctly.
• Check Item-level targeting and click the Targeting Editor button.
13. In the Targeting Editor, click New Item and select Security Group. Enter the name of the security group that should receive this printer—for example, HR_Printers.
14. To automatically remove the printer when a user is removed from the group, also check Remove this item when it no longer applies.
15. Click OK to save the targeting configuration, then OK or Apply to save the printer preference item.
16. Once the printer GPO is configured and linked, you don't need to wait for the default 90-minute Group Policy refresh cycle. In ADManager Plus, navigate back to Manage GPOs, select your printer deployment GPO, and click Force GPO Update from the Manage dropdown.

Troubleshooting printer deployment issues

Even a correctly configured GPO can fail to deploy printers due to environment-specific issues. The following are some of the most common errors and their proven fixes:

• Error: Windows failed to apply the deployed printer connections settings

  Cause: This error typically logged as Event ID 1085 in the Windows System event log is the most widely reported issue in printer deployment, particularly in environments that applied PrintNightmare security patches (CVE-2021-34527). The PrintNightmare patches changed Windows defaults so that only administrators can install printer drivers. If you're deploying printers using the legacy User Configuration > Policies > Windows Settings > Deployed Printers node, standard users will fail to install the driver, and the deployment fails with this error.

  Solution: Switch to Group Policy Preferences method as it runs in the user's security context and is far less affected by the driver restriction policy. Move your printer deployment to User Configuration > Preferences > Control Panel Settings > Printers.

• GPO printer deployment not working on Windows 11

  Windows 11 enforces the strictest Point and Print security defaults of any Windows version to date. If your printer GPO works fine on Windows 10 clients but fails on Windows 11, the following checklist addresses the most common causes:

  • Use the GPP method, not the legacy Deployed Printers node

    The legacy method is unreliable on Windows 11. The steps in this guide use GPP, which works correctly.

  • Confirm driver architecture is x64

    Windows 11 is 64-bit only. If your print server has only 32-bit drivers listed, they won't install on Windows 11 clients.

  • Verify Run in logged-on user's security context is checked in the Common tab of each GPP printer item.
  • Check GPO link order

    If multiple GPOs contain printer settings and one has a conflicting configuration, the wrong GPO may be winning. Run gpresult /h and review the Applied vs. Denied GPOs list.

  • Review event viewer

    On the Windows 11 client, open Event Viewer > Windows Logs > System and filter for Event ID 1085. The detailed error text will identify whether the failure is driver-related, permission-related, or network-related.

Group Policy printer deployment best practices

These are some of the best practices that you can follow while deploying printers using Group Policies:

• Always use Group Policy Preferences to deploy printers and not the legacy Deployed Printers node.
• Deploy multiple printers from a single GPO using item-level targeting. A single GPO with item-level targeting can serve every printer in your organization.
• Use security groups for item-level targeting, never individual user accounts.
• Enable the Remove this item when it no longer applies option to automatically remove the corresponding printer from their profile at the next logon.
• Create a test OU, move a test user and test computer into it, link the GPO there, and validate the full deployment cycle before linking to production OUs.
• Outdated, unsigned, or architecture-mismatched drivers are the leading cause of deployment failures on modern Windows clients. Review and update print server drivers when major Windows updates ship, particularly feature updates that may change driver signing requirements.
• Link GPOs to the most specific OU that contains your target users or computers as linking a printer GPO at the domain root applies it to every object in the domain.
• Force update GPOs immediately after critical changes and don't wait for the 90-minute refresh.

FAQs

1. What is the difference between deploying printers via User Configuration vs. Computer Configuration in a GPO?

Deploying via User Configuration installs the printer for a specific user and follows them to any domain computer they log into. Deploying via Computer Configuration installs the printer on a specific machine for all users who log into it, regardless of who they are. You can use User Configuration for roaming employees and Computer Configuration for fixed-function workstations like reception desks or shared terminals.

2. How do I force a printer to apply immediately?

On the client machine, open Command Prompt as Administrator and run gpupdate /force to trigger an immediate Group Policy refresh. Verify the result with gpresult /r, which shows all applied GPOs for the current user and computer.

3. Can I deploy multiple printers with a single GPO?

Yes, using Group Policy Preferences with item-level targeting, you can add multiple printer entries to a single GPO, each targeting a different security group. A single GPO can serve every printer in the organization, with item-level targeting routing the right printer to the right users.

4. Does GPO printer deployment work on Windows 11?

Yes, but Windows 11 enforces stricter Point and Print security defaults following the PrintNightmare patches. Deployments using the Deployed Printers node are significantly more likely to fail on Windows 11. Using Group Policy Preferences is the reliable method for Windows 11 environments, provided the driver architecture is x64 and the Run in logged-on user's security context option is enabled.