# Cascades — Printer / VLAN 20 Migration Map (GPO planning)

Living reference for the printer migration onto Staff VLAN 20 (10.0.20.0/24) and the
eventual **printer GPO** build. Update as machines/printers migrate. Started 2026-06-30 (Howard).

## How the GPO needs to be built (two layers)

1. **Point-and-Print policy (computer GPO, fleet-wide)** — REQUIRED prerequisite or any
   GPO-pushed printer fails (PrintService event 513 / error 0xBCB) for standard users.
   Set on `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers`:
   `RestrictDriverInstallationToAdministrators=0`; subkey `PointAndPrint`:
   `Restricted=1, TrustedServers=1, ServerList=CS-SERVER, InForest=0,`
   `NoWarningNoElevationOnInstall=1, UpdatePromptSettings=2` (scopes silent driver install
   to CS-SERVER only). Caregiver machines already have this — that's why their printer GPO
   works. Set manually 2026-06-30 on DESKTOP-ROK7VNM + DESKTOP-DLTAGOI; needs to be a GPO.

2. **Printer deployment** — GPP Printers / Deployed Printers mapping `\\CS-SERVER\<share>`
   to the right users/OU/room. Existing GPO `CSC - Life Enrichment Printers` likely still
   points at OLD share names — repoint. `CSC - Printer Deployment` is disabled/empty (do not use).

**Driver trap:** Canon MF741/743 are **UFR II only** — PCL6 produces Error #822 (spools, never
prints). Any GPO/share for those Canons MUST use `Canon Generic Plus UFR II V250` (INF cnlb0ma64.inf).

## Printer / machine map

| Printer (share / name) | Model | IP (VLAN20) | Driver | Machine | User(s) | Domain? | Status / GPO action |
|---|---|---|---|---|---|---|---|
| `\\CS-SERVER\FrontDesk` | Epson ET-5800 | 10.0.20.221 | EPSON ET-5800 Series | RECEPTIONIST-PC (frontdesk box, S/N MJ0KQHNP) | frontdesk | Domain (cascades.local) | DONE — share repointed, mapped, default. Add to GPO. |
| `\\CS-SERVER\LifeEnrichment` | Canon MF741CDW | 10.0.20.94 | Canon Generic Plus UFR II V250 | DESKTOP-DLTAGOI; DESKTOP-ROK7VNM | sharon.edwards; susan.hicks | Domain | DONE — UFR II driver fixed, mapped (not default). **Repoint `CSC - Life Enrichment Printers` GPO from old `1F-132-RecRoom-Canon` to `LifeEnrichment`.** |
| Dining Room Manager - Canon MF743CDW | Canon MF743CDW (MF741C/743C) | 10.0.20.228 | Canon Generic Plus UFR II V250 | DESKTOP-MD6UQI3 | dining manager (Alyssa) | **WORKGROUP — not domain-joined yet** | DONE as direct-IP (local) printer, default. **TODO: when DESKTOP-MD6UQI3 is domain-joined, add this printer to the GPO and map it to Alyssa's domain account.** |
| Chef Office - Brother MFC-9330CDW | Brother MFC-9330CDW | 10.0.20.236 | Brother MFC-9330CDW Printer | CHEF-PC | chef (all users) | **WORKGROUP — not domain-joined** | DONE as direct-IP (machine-wide / all users), default. **TODO: add to GPO + map to chef's domain account once CHEF-PC is domain-joined.** This is the Chef's printer in the Chef's office (distinct from the kitchen printer with the chefs). |
| Memory Care Front Desk - Epson ET-5800 (`\\CS-SERVER\MCReception`) | Epson ET-5800 | 10.0.20.78 | EPSON ET-5800 Series | MEMRECEPT-PC | memfrtdesk (+ other MemCare front-desk staff) | **WORKGROUP — not domain-joined** | Already shared on CS-SERVER as `MCReception`. Machine currently has the Epson via OLD vendor/WSD ports (`EP833571:ET-5800 SERIES` + WSD), NOT the static .78 — needs direct-IP to 10.0.20.78. **Mark for GPO: MemCare front-desk users (mostly the memfrtdesk machine). TODO: add to GPO + map to domain accounts once domain-joined.** |
| Memory Care MedTech - Brother MFC-L8900CDW (`\\CS-SERVER\MCMedTech`) | Brother MFC-L8900CDW | 10.0.20.74 | Brother MFC-L8900CDW series | RECEPTIONIST-PC (memcare box → **rename to MEMCARE-***); DESKTOP-LPOPV30 | memory care; karen rossini | **WORKGROUP** | DONE direct-IP machine-wide on both; old 192.168.2.53 + WSD connections removed; LPOPV30 default = new printer (was the old one); memcare box default unchanged (iR-ADV). MedTech room in Memory Care. **TODO: GPO + domain accounts once joined.** |
| `\\CS-SERVER\Kitchen` | Canon MF743CDW | 192.168.3.232 (pre-migration) | (verify) | (kitchen) | chefs | — | Kitchen printer (with the chefs). Not yet migrated to VLAN20 this round. |

## Current GPO state (live-inspected 2026-06-30)

- **NO GPO sets the Point-and-Print policy** (`RestrictDriverInstallationToAdministrators` / Point-and-Print Restrictions / Package Point and Print). This is the missing **Layer 1** — without it, GPP-deployed printers fail to install the driver for standard users (event 513 / 0xBCB). Must be added.
- Printer deployment is via **User-side GPP Printers** (not Deployed Printers / not GPP Computer), linked per-department OU:
  - **CSC - Caregiver Workstation** -> OU `Departments/Caregivers` (ComputerSettingsDisabled; User GPP Printers + Registry + Shortcuts). Deploys 6 shares (action=Update): `\\CS-SERVER\NursesPrinter`, `HealthServices`, `MCMedTech`, `MCReception`, `MCDirector`, `CopyRoom`; sets default = NursesPrinter and MCMedTech (the two default=1 entries; intended per-location but no item-level targeting currently parsed).
  - **CSC - Life Enrichment Printers** -> OU `Departments/Life Enrichment`. Deploys ONE printer `\\CS-SERVER\RecRoom-Canon` (action=Update, no targeting) — **STALE share name; the printer is now shared as `LifeEnrichment`**.
  - **CSC - Reception Workstation Policy** -> OU `Workstations/Staff PCs`. Computer Registry only, no printers.
  - **CSC - Printer Deployment** -> not linked, empty. Dead — ignore.
- AD OU structure in play: `Departments/{Caregivers, Life Enrichment}`, `Workstations/Staff PCs`.

## Target-state design + action list

**Layer 1 — Point-and-Print policy (NEW computer GPO, fleet-wide).** Create e.g. `CSC - Point and Print (CS-SERVER)`, Computer config, set:
`HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers` `RestrictDriverInstallationToAdministrators=0`; subkey `PointAndPrint`: `Restricted=1, TrustedServers=1, ServerList=CS-SERVER, InForest=0, NoWarningNoElevationOnInstall=1, UpdatePromptSettings=2`. Link at the OU that contains all staff/department workstations (e.g. `Workstations` and/or `Departments`). This makes every GPP/printer install from CS-SERVER silent for standard users. (Same values we set manually on the LE machines this session.)
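
A read-only check for Layer 1, added here as an example (not a script from this doc or from the Cascades environment): run it on a workstation after `gpupdate` to confirm the policy values above actually landed, and to list any recent PrintService event 513 driver-install failures. The registry paths and value names are the real Point-and-Print policy locations; the expected values are the ones listed above, and the event ID is the one this doc reports.

```powershell
# Added example, not from the migration doc: verify the Layer-1 Point-and-Print policy on a
# workstation. Read-only; works from a standard or elevated shell on the target machine.
$printersKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$papKey      = Join-Path $printersKey 'PointAndPrint'

# Expected values, exactly as the CSC - Point and Print (CS-SERVER) GPO is specified above.
# Key and value name are joined with '|' so one ordered table drives the whole check.
$expected = [ordered]@{
    "$printersKey|RestrictDriverInstallationToAdministrators" = 0
    "$papKey|Restricted"                    = 1
    "$papKey|TrustedServers"                = 1
    "$papKey|ServerList"                    = 'CS-SERVER'   # exact match; a multi-server list would show as a mismatch
    "$papKey|InForest"                      = 0
    "$papKey|NoWarningNoElevationOnInstall" = 1
    "$papKey|UpdatePromptSettings"          = 2
}

function Test-PointAndPrintPolicy {
    # One row per policy value: expected vs. what is actually in the registry.
    foreach ($entry in $expected.GetEnumerator()) {
        $key, $name = $entry.Key -split '\|', 2
        $actual = $null
        if (Test-Path $key) {
            $actual = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        }
        [pscustomobject]@{
            Key      = $key
            Name     = $name
            Expected = $entry.Value
            Actual   = $actual
            OK       = ($null -ne $actual) -and ("$actual" -eq "$($entry.Value)")
        }
    }
}

$report = Test-PointAndPrintPolicy
$report | Format-Table Name, Expected, Actual, OK -AutoSize

if ($report.OK -contains $false) {
    Write-Warning 'Point-and-Print policy incomplete: GPP printer installs will prompt or fail (event 513 / 0xBCB) for standard users.'
} else {
    Write-Host 'Point-and-Print policy matches the CSC - Point and Print (CS-SERVER) target.'
}

# Recent driver-install failures in the PrintService Admin log (event ID 513 as reported in this doc).
# Returns nothing, rather than an error, when there are no matching events.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PrintService/Admin'; Id = 513 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

A clean table with every row `OK = True` only proves the registry landed (the pilot below shows that is necessary, not sufficient); the event query is what tells you whether a user's GPP printer connection actually failed on driver install.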

**Layer 2 — per-department printer GPOs (existing pattern, User GPP Printers).** To add a printer going forward: edit the department's GPO -> User Config -> Preferences -> Control Panel Settings -> Printers -> add a **Shared Printer** item, action=Update/Create, path `\\CS-SERVER\<share>`, optional Set this printer as the default + item-level targeting (by security group / location) if needed. Link the GPO to the department OU.

**Immediate fixes identified:**

1. CREATE the Layer-1 Point-and-Print GPO (above) and link it. (Prerequisite — do first.)
2. REPOINT `CSC - Life Enrichment Printers` from `\\CS-SERVER\RecRoom-Canon` -> `\\CS-SERVER\LifeEnrichment`.
3. UPDATE the CS-SERVER share ports to the new VLAN20 static IPs so the GPO-deployed shares actually print: `MCMedTech` -> 10.0.20.74 (currently 192.168.2.53), `MCReception` -> 10.0.20.78, and audit `NursesPrinter`/`HealthServices`/`MCDirector`/`CopyRoom` ports as those printers migrate. (Front Desk + Life Enrichment shares already repointed this session.)
4. Confirm caregiver default-printer item-level targeting (Nurses vs MCMedTech by location group) is intact, or re-add it.
5. Workgroup machines (DESKTOP-MD6UQI3, CHEF-PC, MEMCARE-STATION, MEMRECEPT-PC, DESKTOP-LPOPV30) get direct-IP printers until domain-joined; then move them into the right OU and let the GPO take over.
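
Fix 3 as a script to run on CS-SERVER, added here as an example (not the doc's own procedure): it lists every shared queue with the host address its port currently points at, flags the ones that disagree with the map, and repoints a share only after the printer actually answers on its new static IP. The target IPs and share names come from the map above; the `IP_<address>` port naming and the TCP 9100 probe are assumptions of this example.

```powershell
# Added example, not from the migration doc. Run on CS-SERVER in an elevated PowerShell.
# Share name -> new VLAN20 static IP, taken from the printer map above.
$targets = [ordered]@{
    'MCMedTech'   = '10.0.20.74'   # queue currently points at 192.168.2.53
    'MCReception' = '10.0.20.78'
}
# Shares whose printers have not migrated yet: report their ports, do not touch them.
$auditOnly = 'NursesPrinter', 'HealthServices', 'MCDirector', 'CopyRoom'

function Get-SharedQueueAudit {
    # One row per shared queue: which port/host it prints to and what the map says it should be.
    Get-Printer | Where-Object { $_.Shared } | ForEach-Object {
        $port = Get-PrinterPort -Name $_.PortName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Share    = $_.ShareName
            Queue    = $_.Name
            Driver   = $_.DriverName
            Port     = $_.PortName
            HostIP   = $port.PrinterHostAddress      # $null for WSD / vendor (non-TCP) ports
            TargetIP = $targets[$_.ShareName]
            Stale    = ($targets.Contains($_.ShareName) -and $port.PrinterHostAddress -ne $targets[$_.ShareName])
        }
    }
}

function Set-SharePort {
    # Repoint one shared queue to a standard TCP/IP port at $NewIp ("IP_<addr>" is an assumed naming convention).
    param([Parameter(Mandatory)][string]$ShareName,
          [Parameter(Mandatory)][string]$NewIp)
    $queue = Get-Printer | Where-Object { $_.ShareName -eq $ShareName }
    if (-not $queue) { Write-Warning "No shared queue named '$ShareName' on this server"; return }

    # Never repoint at an address nothing answers on: probe RAW printing (TCP 9100) first.
    if (-not (Test-NetConnection -ComputerName $NewIp -Port 9100 -InformationLevel Quiet)) {
        Write-Warning "$ShareName : nothing answering on ${NewIp}:9100 (printer not on VLAN20 yet?). Skipping."
        return
    }
    $portName = "IP_$NewIp"
    if (-not (Get-PrinterPort -Name $portName -ErrorAction SilentlyContinue)) {
        Add-PrinterPort -Name $portName -PrinterHostAddress $NewIp
    }
    Set-Printer -Name $queue.Name -PortName $portName
    Write-Host "$ShareName ($($queue.Name)) -> $portName"
}

# 1. Audit first, so the before-state is on screen.
$audit = Get-SharedQueueAudit
$audit | Format-Table Share, Queue, Port, HostIP, TargetIP, Stale -AutoSize

# 2. Repoint only the shares that have a confirmed VLAN20 IP in the map.
foreach ($share in $targets.Keys) {
    Set-SharePort -ShareName $share -NewIp $targets[$share]
}

# 3. Call out the shares still on pre-migration addresses.
$audit | Where-Object { $auditOnly -contains $_.Share } |
    ForEach-Object { Write-Host "AUDIT ONLY: $($_.Share) still on $($_.HostIP) ($($_.Port)); repoint when it migrates." }
```

Re-run the audit after repointing and confirm `Stale` is `False` for both mapped shares; the old `IP_192.168.2.53`-style ports can be removed with `Remove-PrinterPort` once no queue references them.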

## PILOT RESULT (2026-06-30) — important

Created `CSC - Point and Print (CS-SERVER)` GPO, scoped it (security filter) to ONE machine **DESKTOP-H6QHRR7** (Lauren Hasselman, Staff PCs OU), linked, `gpupdate`. **The policy registry landed correctly via GPO** (RestrictDriverInstallationToAdministrators=0 + full PointAndPrint set verified on the machine).

**BUT the in-session test still PROMPTED:** mapping a printer whose driver was NOT already on the machine (front-desk Epson ET-5800) triggered the elevation prompt for the standard user, even after a spooler restart — the driver did not install. The earlier LE-machine "silent" maps only worked because that driver was already present (we never actually exercised the install path).

**Conclusion:** the Point-and-Print policy via GPO is necessary but NOT sufficient on its own to make a *brand-new driver install* silent in a running session. Likely causes: `RestrictDriverInstallationToAdministrators=0` needs a **reboot** to fully take effect (it's a CVE-2021-34527 mitigation), and/or v3 (non-package) drivers (Epson/Canon Generic Plus) still elevate.

**Two reliable paths (to validate/decide):**

1. **Reboot-dependent:** policy likely only fully effective after the machine reboots (spooler starts with it). Test: reboot a machine, then confirm a new-driver map is silent. Normal for GPO rollout, but unproven for v3 drivers here.
2. **Pre-stage drivers (most reliable, recommended):** deploy each printer's driver machine-wide (computer GPO startup script installing from CS-SERVER as SYSTEM, or the direct-IP/SYSTEM method we used on workgroup boxes). Then the User GPP printer connection attaches to an already-present driver -> always silent, no reboot/point-and-print-install dependency.
</gr_insert_placeholder_never_used>
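
Path 2 (pre-stage drivers) and the direct-IP setup used on the workgroup boxes, written out as an added example (not the doc's or the site's own startup script). Run as SYSTEM from a computer GPO startup script, or interactively as an admin on a workgroup machine. The driver names, the Canon INF file name `cnlb0ma64.inf`, and the 10.0.20.78 address come from this doc; the `\\CS-SERVER\Drivers` staging share, the Epson INF file name and the `IP_<address>` port naming are assumptions.

```powershell
# Added example, not from the migration doc. Runs as SYSTEM (startup script) or as admin.
# ASSUMPTION: driver packages are staged under \\CS-SERVER\Drivers\<vendor>\ (share is not in the doc).
$driverShare = '\\CS-SERVER\Drivers'

$drivers = @(
    @{ Name = 'Canon Generic Plus UFR II V250'; Inf = "$driverShare\Canon\cnlb0ma64.inf" }   # MF741/743: UFR II only, never PCL6
    @{ Name = 'EPSON ET-5800 Series';           Inf = "$driverShare\Epson\PLACEHOLDER.inf" } # replace with the real Epson INF name
)

function Install-StagedDriver {
    # Stage the package into the driver store and register it with the spooler, machine-wide.
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$InfPath)
    if (Get-PrinterDriver -Name $Name -ErrorAction SilentlyContinue) {
        Write-Host "Driver already present: $Name"
        return $true
    }
    if (-not (Test-Path $InfPath)) {
        Write-Warning "INF not found: $InfPath (share readable by this computer account? path correct?)"
        return $false
    }
    # pnputil puts the package in the driver store; Add-PrinterDriver then installs it for the
    # spooler. Both run in this SYSTEM/admin context, so no point-and-print elevation is involved.
    & pnputil.exe /add-driver $InfPath | Out-Null
    Add-PrinterDriver -Name $Name -InfPath $InfPath
    Write-Host "Installed driver: $Name"
    return $true
}

function Add-DirectIpPrinter {
    # Direct-IP (local standard TCP/IP port) printer for workgroup machines; machine-wide, all users.
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][string]$DriverName,
          [Parameter(Mandatory)][string]$HostAddress)
    $portName = "IP_$HostAddress"
    if (-not (Get-PrinterPort -Name $portName -ErrorAction SilentlyContinue)) {
        Add-PrinterPort -Name $portName -PrinterHostAddress $HostAddress
    }
    if (-not (Get-Printer -Name $Name -ErrorAction SilentlyContinue)) {
        Add-Printer -Name $Name -DriverName $DriverName -PortName $portName
    }
    # Leftover WSD connections keep resolving to the pre-migration address; list them so they
    # are removed deliberately (Remove-Printer) rather than left as a second "same" printer.
    Get-Printer | Where-Object { $_.Name -ne $Name -and $_.PortName -like 'WSD*' } |
        ForEach-Object { Write-Warning "Leftover WSD-port printer: $($_.Name) ($($_.PortName))" }
}

foreach ($d in $drivers) { [void](Install-StagedDriver -Name $d.Name -InfPath $d.Inf) }

# From the map: Memory Care front desk (MEMRECEPT-PC) must move off the old vendor/WSD ports to static 10.0.20.78.
Add-DirectIpPrinter -Name 'Memory Care Front Desk - Epson ET-5800' -DriverName 'EPSON ET-5800 Series' -HostAddress '10.0.20.78'
```

Two things to keep in mind with this approach: a startup script runs as the computer account, so the staging share's ACL has to grant Domain Computers read access; and the default printer is per-user state, so it is still set in user context (the GPP printer item's "set as default", or the user's own session), not from this script.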

**State:** GPO is scoped to DESKTOP-H6QHRR7 only (harmless; not fleet-live). Lauren's machine cleaned (no test artifacts). NOT yet rolled out. Next: decide reboot-test vs pre-stage-drivers, then go live.

## Machine rename TODO

- **RECEPTIONIST-PC** (the Memory Care box, "memory care" user, S/N MJ0KQH4R, agent 57f19e17) shares its hostname with the front-desk RECEPTIONIST-PC box — too hard to tell apart in the agent list. **Rename STAGED 2026-06-30 -> `MEMCARE-STATION`; applies on next reboot** (not forced; user was active). The OTHER RECEPTIONIST-PC (frontdesk user, S/N MJ0KQHNP) is the actual front desk.

## Notes

- Workgroup machines (DESKTOP-MD6UQI3, CHEF-PC) get **direct-IP local printers** for now
  (no domain auth / no point-and-print needed). Once domain-joined, switch them to the
  GPO-deployed `\\CS-SERVER\<share>` model and map to the domain account.
- Detailed how-to + pfSense routing fix: `.claude/memory/project_cascades_vlan20_migration_routing.md`
  and session log `clients/cascades-tucson/session-logs/2026-06/2026-06-30-howard-vlan20-printer-migration.md`.