claudetools/clients/cascades-tucson/docs/printer-gpo-map.md
Howard Enos ab640dfe77 sync: auto-sync from HOWARD-HOME at 2026-06-30 17:28:00
2026-06-30 17:28:36 -07:00


Cascades — Printer / VLAN 20 Migration Map (GPO planning)

Living reference for the printer migration onto Staff VLAN 20 (10.0.20.0/24) and the eventual printer GPO build. Update as machines/printers migrate. Started 2026-06-30 (Howard).

How the GPO needs to be built (two layers)

  1. Point-and-Print policy (computer GPO, fleet-wide) — REQUIRED prerequisite or any GPO-pushed printer fails for standard users (PrintService event 513 / error 0xBCB = 3019, ERROR_PRINTER_DRIVER_DOWNLOAD_NEEDED). Set under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint (per KB5005652 every value below, including RestrictDriverInstallationToAdministrators, is read from this PointAndPrint key, not from the parent Printers key): RestrictDriverInstallationToAdministrators=0; Restricted=1; TrustedServers=1; ServerList=CS-SERVER; InForest=0; NoWarningNoElevationOnInstall=1; UpdatePromptSettings=2. Net effect: silent driver install for standard users is allowed only from CS-SERVER. Security note: RestrictDriverInstallationToAdministrators=0 reopens the standard-user driver-install path that KB5005652 closed after CVE-2021-34527 (PrintNightmare), so Restricted=1 + TrustedServers=1 + ServerList=CS-SERVER is the only remaining bound on it; never widen ServerList, and set it back to 1 once drivers are pre-staged and the install path is no longer needed. Caregiver machines already have this — that's why their printer GPO works. Set manually 2026-06-30 on DESKTOP-ROK7VNM + DESKTOP-DLTAGOI; needs to be a GPO.
  2. Printer deployment — GPP Printers / Deployed Printers mapping \\CS-SERVER\<share> to the right users/OU/room. Existing GPO CSC - Life Enrichment Printers likely still points at OLD share names — repoint. CSC - Printer Deployment is disabled/empty (do not use).

Driver trap: the Canon MF741/MF743 are UFR II only — a PCL6 driver produces Error #822 on the device (job spools, never prints). Any GPO/share for those Canons MUST use Canon Generic Plus UFR II V250 (INF cnlb0ma64.inf). Check the share's DriverName on CS-SERVER before deploying, not just the client.

Printer / machine map

| Printer (share / name) | Model | IP (VLAN20) | Driver | Machine | User(s) | Domain? | Status / GPO action |
|---|---|---|---|---|---|---|---|
| \\CS-SERVER\FrontDesk | Epson ET-5800 | 10.0.20.221 | EPSON ET-5800 Series | RECEPTIONIST-PC (frontdesk box, S/N MJ0KQHNP) | frontdesk | Domain (cascades.local) | DONE — share repointed, mapped, default. Add to GPO. |
| \\CS-SERVER\LifeEnrichment | Canon MF741CDW | 10.0.20.94 | Canon Generic Plus UFR II V250 | DESKTOP-DLTAGOI; DESKTOP-ROK7VNM | sharon.edwards; susan.hicks | Domain | DONE — UFR II driver fixed, mapped (not default). Repoint CSC - Life Enrichment Printers GPO from old 1F-132-RecRoom-Canon to LifeEnrichment. |
| Dining Room Manager - Canon MF743CDW | Canon MF743CDW (MF741C/743C) | 10.0.20.228 | Canon Generic Plus UFR II V250 | DESKTOP-MD6UQI3 | dining manager (Alyssa) | WORKGROUP — not domain-joined yet | DONE as direct-IP (local) printer, default. TODO: when DESKTOP-MD6UQI3 is domain-joined, add this printer to the GPO and map it to Alyssa's domain account. |
| Chef Office - Brother MFC-9330CDW | Brother MFC-9330CDW | 10.0.20.236 | Brother MFC-9330CDW Printer | CHEF-PC | chef (all users) | WORKGROUP — not domain-joined | DONE as direct-IP (machine-wide / all users), default. TODO: add to GPO + map to chef's domain account once CHEF-PC is domain-joined. This is the Chef's printer in the Chef's office (distinct from the kitchen printer with the chefs). |
| Memory Care Front Desk - Epson ET-5800 (\\CS-SERVER\MCReception) | Epson ET-5800 | 10.0.20.78 | EPSON ET-5800 Series | MEMRECEPT-PC | memfrtdesk (+ other MemCare front-desk staff) | WORKGROUP — not domain-joined | Already shared on CS-SERVER as MCReception. Machine currently has the Epson via OLD vendor/WSD ports (EP833571:ET-5800 SERIES + WSD), NOT the static .78 — needs direct-IP to 10.0.20.78. Mark for GPO: MemCare front-desk users (mostly the memfrtdesk machine). TODO: add to GPO + map to domain accounts once domain-joined. |
| Memory Care MedTech - Brother MFC-L8900CDW (\\CS-SERVER\MCMedTech) | Brother MFC-L8900CDW | 10.0.20.74 | Brother MFC-L8900CDW series | RECEPTIONIST-PC (memcare box → rename to MEMCARE-*); DESKTOP-LPOPV30 | memory care; karen rossini | WORKGROUP | DONE direct-IP machine-wide on both; old 192.168.2.53 + WSD connections removed; LPOPV30 default = new printer (was the old one); memcare box default unchanged (iR-ADV). MedTech room in Memory Care. TODO: GPO + domain accounts once joined. |
| \\CS-SERVER\Kitchen | Canon MF743CDW | 192.168.3.232 (pre-migration) | (verify) | (kitchen) | chefs | | Kitchen printer (with the chefs). Not yet migrated to VLAN20 this round. |

Current GPO state (live-inspected 2026-06-30)

  • NO GPO sets the Point-and-Print policy (RestrictDriverInstallationToAdministrators / Point-and-Print Restrictions / Package Point and Print). This is the missing Layer 1 — without it, GPP-deployed printers fail to install the driver for standard users (event 513 / 0xBCB). Must be added.
  • Printer deployment is via User-side GPP Printers (not Deployed Printers / not GPP Computer), linked per-department OU:
    • CSC - Caregiver Workstation -> OU Departments/Caregivers (ComputerSettingsDisabled; User GPP Printers + Registry + Shortcuts). Deploys 6 shares (action=Update): \\CS-SERVER\NursesPrinter, HealthServices, MCMedTech, MCReception, MCDirector, CopyRoom; sets default = NursesPrinter and MCMedTech (the two default=1 entries; intended per-location but no item-level targeting currently parsed).
    • CSC - Life Enrichment Printers -> OU Departments/Life Enrichment. Deploys ONE printer \\CS-SERVER\RecRoom-Canon (action=Update, no targeting) — STALE share name; the printer is now shared as LifeEnrichment.
    • CSC - Reception Workstation Policy -> OU Workstations/Staff PCs. Computer Registry only, no printers.
    • CSC - Printer Deployment -> not linked, empty. Dead — ignore.
  • AD OU structure in play: Departments/{Caregivers, Life Enrichment}, Workstations/Staff PCs.

Target-state design + action list

Layer 1 — Point-and-Print policy (NEW computer GPO, fleet-wide). Create e.g. CSC - Point and Print (CS-SERVER), Computer config, and set every value under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint (this is the key KB5005652 documents for RestrictDriverInstallationToAdministrators as well; a copy under the parent Printers key is not read): RestrictDriverInstallationToAdministrators=0, Restricted=1, TrustedServers=1, ServerList=CS-SERVER, InForest=0, NoWarningNoElevationOnInstall=1, UpdatePromptSettings=2. These are the same values the ADMX policies "Point and Print Restrictions" and "Limits print driver installation to Administrators" write, so the GPMC UI or Set-GPRegistryValue both work. Link at the OU that contains all staff/department workstations (e.g. Workstations and/or Departments). This makes every GPP/printer install from CS-SERVER silent for standard users, and only from CS-SERVER: ServerList is the security boundary once RestrictDriverInstallationToAdministrators is 0. (Same values we set manually on the LE machines this session.)
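Building that GPO from PowerShell, as an added example (this is not a script from the page or from the client's tooling). It uses the RSAT GroupPolicy module, writes all seven values under the PointAndPrint key, reads them back so a wrong key or type is caught before linking, and links at the workstation OU. The GPO name is the one used in the pilot; the OU distinguished name is an assumption and must be checked against the real AD layout first.

```powershell
# Added example: create/verify/link the Layer-1 Point and Print GPO.
# Run as a domain admin on a machine with RSAT (GroupPolicy module).
Import-Module GroupPolicy

$GpoName  = 'CSC - Point and Print (CS-SERVER)'
$TargetOu = 'OU=Workstations,DC=cascades,DC=local'   # ASSUMPTION: replace with the real OU DN

# Per KB5005652 every value, including RestrictDriverInstallationToAdministrators,
# is read from the PointAndPrint key, not from its parent ...\Printers key.
$Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

$Values = [ordered]@{
    RestrictDriverInstallationToAdministrators = @{ Type = 'DWord';  Value = 0 }   # reopens install path: ServerList is the boundary
    Restricted                                 = @{ Type = 'DWord';  Value = 1 }
    TrustedServers                             = @{ Type = 'DWord';  Value = 1 }
    ServerList                                 = @{ Type = 'String'; Value = 'CS-SERVER' }
    InForest                                   = @{ Type = 'DWord';  Value = 0 }
    NoWarningNoElevationOnInstall              = @{ Type = 'DWord';  Value = 1 }
    UpdatePromptSettings                       = @{ Type = 'DWord';  Value = 2 }
}

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Layer 1: silent printer driver install from CS-SERVER only'
}

foreach ($v in $Values.GetEnumerator()) {
    Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $v.Key `
        -Type $v.Value.Type -Value $v.Value.Value | Out-Null
}

# Read back exactly what the GPO will push (catches a typo in $Key or a String/DWord mix-up).
Get-GPRegistryValue -Name $GpoName -Key $Key |
    Select-Object ValueName, Type, Value | Format-Table -AutoSize

# Link at the workstation OU if not already linked. If the pilot security filtering
# (single machine) is still on the GPO, remove it first or the link applies to nobody else.
$links = (Get-GPInheritance -Target $TargetOu).GpoLinks
if (-not ($links | Where-Object DisplayName -eq $GpoName)) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
    "linked $GpoName at $TargetOu"
} else {
    "$GpoName already linked at $TargetOu"
}
```

After `gpupdate /force` on a target machine the values should appear under `HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint`; if RestrictDriverInstallationToAdministrators shows up one level higher instead, the policy is not doing what the plan assumes.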

Layer 2 — per-department printer GPOs (existing pattern, User GPP Printers). To add a printer going forward: edit the department's GPO -> User Config -> Preferences -> Control Panel Settings -> Printers -> add a Shared Printer item, action=Update/Create, path \\CS-SERVER\<share>, optional Set this printer as the default + item-level targeting (by security group / location) if needed. Link the GPO to the department OU.

Immediate fixes identified:

  1. CREATE the Layer-1 Point-and-Print GPO (above) and link it. (Prerequisite — do first.)
  2. REPOINT CSC - Life Enrichment Printers from \\CS-SERVER\RecRoom-Canon -> \\CS-SERVER\LifeEnrichment.
  3. UPDATE the CS-SERVER share ports to the new VLAN20 static IPs so the GPO-deployed shares actually print: MCMedTech -> 10.0.20.74 (currently 192.168.2.53), MCReception -> 10.0.20.78, and audit NursesPrinter/HealthServices/MCDirector/CopyRoom ports as those printers migrate. (Front Desk + Life Enrichment shares already repointed this session.)
  4. Confirm caregiver default-printer item-level targeting (Nurses vs MCMedTech by location group) is intact, or re-add it.
  5. Workgroup machines (DESKTOP-MD6UQI3, CHEF-PC, MEMCARE-STATION, MEMRECEPT-PC, DESKTOP-LPOPV30) get direct-IP printers until domain-joined; then move them into the right OU and let the GPO take over.
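Item 3 as a script, added here as an example (not a script from the page); it runs on CS-SERVER, elevated. It creates a standard TCP/IP port for each new static IP, moves the shared printer onto it, and then lists every shared printer with the host its port really targets, which is the audit the remaining shares (NursesPrinter, HealthServices, MCDirector, CopyRoom) need as those printers migrate. The share-to-IP map is taken from the plan above; the old ports are left in place on purpose until printing is confirmed.

```powershell
# Added example: repoint CS-SERVER shares to VLAN 20 static IPs, then audit all shared printers.
# Run elevated on CS-SERVER. Requires the PrintManagement module (built in on Server 2012+).
$Repoint = @{
    'MCMedTech'   = '10.0.20.74'    # currently 192.168.2.53 per the migration map
    'MCReception' = '10.0.20.78'
}

foreach ($share in $Repoint.Keys) {
    $ip      = $Repoint[$share]
    $printer = Get-Printer | Where-Object ShareName -eq $share
    if (-not $printer) { Write-Warning "no printer is shared as '$share'"; continue }

    # Do not move a share onto a host that is not answering RAW/9100 on VLAN 20:
    # that just turns a working (old-IP) share into a dead one.
    if (-not (Test-NetConnection -ComputerName $ip -Port 9100 -InformationLevel Quiet)) {
        Write-Warning "$ip not answering on TCP 9100; leaving $share alone"; continue
    }

    $portName = "IP_$ip"
    if (-not (Get-PrinterPort -Name $portName -ErrorAction SilentlyContinue)) {
        Add-PrinterPort -Name $portName -PrinterHostAddress $ip    # standard TCP/IP port, RAW 9100
    }
    $old = $printer.PortName
    Set-Printer -Name $printer.Name -PortName $portName
    "$share : $old -> $portName"
    # Old port is kept until a test page prints; then: Remove-PrinterPort -Name $old
}

# Audit: every shared printer, the port it uses and the host that port points at.
# A blank Host means a WSD/vendor port, which is exactly the pre-migration state to hunt down.
Get-Printer | Where-Object Shared | ForEach-Object {
    $port = Get-PrinterPort -Name $_.PortName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Share  = $_.ShareName
        Printer = $_.Name
        Port   = $_.PortName
        Host   = $port.PrinterHostAddress
        Driver = $_.DriverName
    }
} | Sort-Object Share | Format-Table -AutoSize
```

The Driver column doubles as the check for the Canon trap above: any share for an MF741/MF743 whose DriverName is not Canon Generic Plus UFR II V250 will spool and never print on the clients too.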

PILOT RESULT (2026-06-30) — important

Created CSC - Point and Print (CS-SERVER) GPO, scoped it (security filter) to ONE machine DESKTOP-H6QHRR7 (Lauren Hasselman, Staff PCs OU), linked, gpupdate. The policy registry landed correctly via GPO (RestrictDriverInstallationToAdministrators=0 + full PointAndPrint set verified on the machine).

BUT the in-session test still PROMPTED: mapping a printer whose driver was NOT already on the machine (front-desk Epson ET-5800) triggered the elevation prompt for the standard user, even after a spooler restart — the driver did not install. The earlier LE-machine "silent" maps only worked because that driver was already present (we never actually exercised the install path).

Conclusion: the Point-and-Print policy via GPO is necessary but NOT sufficient on its own to make a brand-new driver install silent in a running session. Likely causes: RestrictDriverInstallationToAdministrators=0 needs a reboot to fully take effect (it's a CVE-2021-34527 mitigation), and/or v3 (non-package) drivers (Epson/Canon Generic Plus) still elevate.
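Before choosing between the two paths below it is worth seeing what the pilot machine actually has in effect. The following audit is an added example (not a script from the page); run it elevated on DESKTOP-H6QHRR7 after gpupdate. It reports each PointAndPrint value against the plan, flags a RestrictDriverInstallationToAdministrators that landed under the parent Printers key (KB5005652 reads it from PointAndPrint, so a copy one level up is ignored), shows when the spooler process started relative to the policy change, lists installed v3 drivers with their package-aware bit, and pulls the last day of GPP printer (event 4098, source Group Policy Printers) and PrintService/Admin errors. Which of those explains the prompt is for the next test to decide; the script only collects the evidence.

```powershell
# Added example: client-side audit of the effective Point and Print state. Run elevated.
$pp  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$ppp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Get-RegValue($Path, $Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# 1. Policy values vs. the Layer-1 plan.
$want = [ordered]@{
    RestrictDriverInstallationToAdministrators = 0
    Restricted = 1; TrustedServers = 1; InForest = 0
    NoWarningNoElevationOnInstall = 1; UpdatePromptSettings = 2
}
foreach ($n in $want.Keys) {
    $have  = Get-RegValue $pp $n
    $state = if ($null -eq $have) { 'MISSING' } elseif ($have -eq $want[$n]) { 'ok' } else { "WRONG ($have)" }
    '{0,-45} {1}' -f $n, $state
}
'ServerList = {0}' -f (Get-RegValue $pp 'ServerList')
if ($null -ne (Get-RegValue $ppp 'RestrictDriverInstallationToAdministrators')) {
    'NOTE: RestrictDriverInstallationToAdministrators is also under ..\Printers (wrong key; not read per KB5005652)'
}

# 2. Spooler process start time: compare with when the policy arrived.
$svc = Get-CimInstance Win32_Service -Filter "Name='Spooler'"
$started = (Get-Process -Id $svc.ProcessId -ErrorAction SilentlyContinue).StartTime
'Spooler {0}, PID {1}, started {2}' -f $svc.State, $svc.ProcessId, $started

# 3. Installed x64 v3 drivers and their package-aware flag
#    (PrinterDriverAttributes bit 0x1 = PRINTER_DRIVER_PACKAGE_AWARE).
$drvRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3'
Get-ChildItem $drvRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $attr = (Get-ItemProperty $_.PSPath).PrinterDriverAttributes
    [pscustomobject]@{ Driver = $_.PSChildName; PackageAware = [bool]($attr -band 1) }
} | Format-Table -AutoSize

# 4. Recent failures. GPP printer items log to Application under source 'Group Policy Printers'
#    (4098 carries the 0x800700BCB-style code); PrintService/Admin has the spooler side.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Group Policy Printers'; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Msg'; e = { $_.Message -replace '\s+', ' ' } } | Format-Table -Wrap
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PrintService/Admin'; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '0xBCB|3019|driver' } |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

If step 1 prints the NOTE line and no value under PointAndPrint for RestrictDriverInstallationToAdministrators, the install path was never actually opened and no reboot will change that; if everything reads ok and the driver rows show PackageAware=False for the Epson, the v3-driver hypothesis is the one to test.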

Two reliable paths (to validate/decide):

  1. Reboot-dependent: policy likely only fully effective after the machine reboots (spooler starts with it). Test: reboot a machine, then confirm a new-driver map is silent. Normal for GPO rollout, but unproven for v3 drivers here.
  2. Pre-stage drivers (most reliable, recommended): deploy each printer's driver machine-wide (computer GPO startup script installing from CS-SERVER as SYSTEM, or the direct-IP/SYSTEM method we used on workgroup boxes). Then the User GPP printer connection attaches to an already-present driver -> always silent, no reboot/point-and-print-install dependency.
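Path 2 as a computer-side startup script, added as an example (not a script from the page or from the client's GPOs). It runs as SYSTEM, copies the driver package locally (pnputil needs the CAT and binaries next to the INF, and the share should be read-only for Domain Computers), adds it to the driver store (which is where the package signature is checked), then registers the spooler driver from the store. The INF share path is an assumption: the page gives only the INF file name, cnlb0ma64.inf, not where it lives on CS-SERVER.

```powershell
# Added example: pre-stage printer drivers machine-wide from a computer GPO startup script (runs as SYSTEM).
# ASSUMPTION: driver packages are staged under \\CS-SERVER\Drivers\<vendor>\ ; adjust to the real share.
$Drivers = @(
    @{ Name = 'Canon Generic Plus UFR II V250'; Inf = '\\CS-SERVER\Drivers\Canon\cnlb0ma64.inf' }
    # add the Epson ET-5800 and Brother packages here once they are staged on the share
)
$Log = 'C:\Windows\Temp\prestage-printer-drivers.log'
function Write-Log($m) { ('{0} {1}' -f (Get-Date -Format s), $m) | Add-Content -Path $Log }

foreach ($d in $Drivers) {
    if (Get-PrinterDriver -Name $d.Name -ErrorAction SilentlyContinue) {
        Write-Log "present: $($d.Name)"; continue          # idempotent: safe on every boot
    }
    if (-not (Test-Path $d.Inf)) { Write-Log "missing INF: $($d.Inf)"; continue }

    # Copy the whole package directory locally; SYSTEM only needs Read on the share.
    $stage = Join-Path $env:TEMP ('drv-' + [guid]::NewGuid())
    Copy-Item -Path (Split-Path $d.Inf) -Destination $stage -Recurse
    $inf = Join-Path $stage (Split-Path $d.Inf -Leaf)

    # 1. Driver store. pnputil validates the catalog/signature; an unsigned or tampered
    #    package fails here instead of being silently trusted because it came from CS-SERVER.
    & pnputil.exe /add-driver $inf /install | Out-Null
    if ($LASTEXITCODE -notin 0, 259, 3010) {               # 259 = nothing new, 3010 = reboot pending
        Write-Log "pnputil failed ($LASTEXITCODE): $($d.Name)"
        Remove-Item $stage -Recurse -Force -ErrorAction SilentlyContinue
        continue
    }

    # 2. Spooler driver entry from the store copy. No Point and Print install happens later:
    #    the User GPP printer item only attaches to this already-present driver.
    try   { Add-PrinterDriver -Name $d.Name; Write-Log "installed: $($d.Name)" }
    catch { Write-Log "Add-PrinterDriver failed: $($d.Name) $($_.Exception.Message)" }

    Remove-Item $stage -Recurse -Force -ErrorAction SilentlyContinue
}
```

Once every share's driver is pre-staged this way, RestrictDriverInstallationToAdministrators can go back to 1 in the Layer-1 GPO and the client never exercises the Point and Print install path at all, which is the smaller attack surface of the two options.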

State: GPO is scoped to DESKTOP-H6QHRR7 only (harmless; not fleet-live). Lauren's machine cleaned (no test artifacts). NOT yet rolled out. Next: decide reboot-test vs pre-stage-drivers, then go live.

Machine rename TODO

  • RECEPTIONIST-PC (the Memory Care box, "memory care" user, S/N MJ0KQH4R, agent 57f19e17) shares its hostname with the front-desk RECEPTIONIST-PC box — too hard to tell apart in the agent list. Rename STAGED 2026-06-30 -> MEMCARE-STATION; applies on next reboot (not forced; user was active). The OTHER RECEPTIONIST-PC (frontdesk user, S/N MJ0KQHNP) is the actual front desk.

Notes

  • Workgroup machines (DESKTOP-MD6UQI3, CHEF-PC) get direct-IP local printers for now (no domain auth / no point-and-print needed). Once domain-joined, switch them to the GPO-deployed \\CS-SERVER\<share> model and map to the domain account.
  • Detailed how-to + pfSense routing fix: .claude/memory/project_cascades_vlan20_migration_routing.md and session log clients/cascades-tucson/session-logs/2026-06/2026-06-30-howard-vlan20-printer-migration.md.