I am having two issues and a few questions. The first has to do with the fact that the printers being pushed by GPP are not installing consistently on machines. I first saw the problem with Windows XP Pro 32-bit after having set up about 65 printers on the print server. It happens both when I manually refresh group policy on the machine and when the machine refreshes on its own. On Windows XP, I have been getting errors like, “Remote Procedure Call Failed”, “Catastrophic Failure”, and “Security ID not assigned”. The errors do not always happen on the same printers, and even the same user might get a different result of which printers install when logging into a new computer. When I first set the printer installs up, I was not seeing any issues. It is only now that I am trying to actually use the GPPs to deploy to more people that the issues are cropping up. I thought Windows 7 Pro 64-bit wasn’t having the issue, but then noticed it happening as well. I do not see any indication of why the printers aren’t installing on Windows 7 though. All XP users have local administrative permissions. I also have disabled the Group Policy setting for Point and Print Restrictions, and have it set at both the computer and user level. The TCP/IP printers are being configured at the user level in the GPPEs. If the printer install fails, sometimes the driver installs when manually clicking on the printer on the server. Sometimes I get a Connection Refused error which matches with the errors seen on XP for the user. Things are just not consistent.
So I decided to go ahead and enable the logging and tracing facility using Group Policy at the Computer level. I see the settings are set on the clients with GPResult, but I cannot find the log files anywhere on the machines. I have questioned the fact that %APPDATAFOLDER% doesn’t seem to evaluate at a command prompt as being a cause for the issue, but I do see the folders set up on the computer where the log files should be.
I am using Windows Server 2008 R2 with SP1 to host the printers and drivers. We are using Windows Server 2003 (not R2) for AD services. Would the version of AD schema we’re using be a source of the issues? Can anyone shed some light on either issue I am having?
Once the Group Policy central store has been updated, will all Group Policies contain the new settings and preferences? When I went to initially enable the logging and tracing options, I did not see them. I updated the files from the Windows Server 2008 R2 admin templates and was then able to turn those settings on.
Thanks in advance,
Chris
If I can get some help to figure out why the logging and tracing isn't working, then maybe I can solve the issue of why the printers aren't consistently installing.
Any ideas or insight or questions?
Chris
First off, setting the Point and Print restriction for both the Computer and the User is redundant. I would pick one and use it; I usually set it on the Computer side. Second, your schema level shouldn't have anything directly to do with this problem unless there's just something I'm not thinking of.
What system are you using for managing Group Policy? You need to be consistently using the same version of the Group Policy Management Console (GPMC) to edit your GPOs. Creating a policy on Vista and then editing on XP is just going to cause potential headaches. You need to be using a Win7 or Win2008R2 box with the latest Service Pack and latest version of the GPMC every single time you edit your GPOs.
Let's start with your print server. Did you make sure to install the x86 drivers for all of your printers? Windows Server 2008R2 is a 64-bit OS; if 32-bit clients are going to be connecting to it to print, you'll need the 32-bit drivers installed. Second, are users able to go to the server UNC path, \\printserver, and connect to the printers manually or are they receiving errors? If they can map the printers manually, then it is a problem with your GPO's; if they cannot map the printers manually, then it is some other problem.
I had the Point and Print restriction set for the computer and saw people saying that it's better to set it on both user and computer. It would seem to not affect anything as long as the two settings are the same. The behavior hasn't changed since I added it on the user side.
My biggest problem right now is understanding why the Group Policy Logging and Tracing for the Group Policy Preference Extensions to install TCP/IP printers isn't working. If I can get that working, I can probably figure out what's going on with the actual installs failing.
I have been using the same platform with GPMC (2.0) since I started creating and editing the Group Policies. I am using Windows 7 Enterprise with SP1. I read Jeremy's book and have made sure that I am not using platforms that are older for editing policies.
I have loaded x86 drivers for all the printers the server is sharing. When I first started testing the installation of the printers, things worked just fine on both Windows 7 x64 and XP x86. It's only now that I am trying to roll the printers out to a wider audience that issues with the installs are coming up. As I posted in my first post in the thread, I am getting lots of different errors and things are just not consistent. On one computer, the Canon printer will install for a user but not the Canon fax. On another machine of the same type and operating system, the Canon printer will not install for the same user, but the Canon fax will. One user will get Security ID not assigned for a printer, while another will get Remote Procedure Call failed for the same printer when it doesn't install.
I have read this could be related to permissions on the print server, but have found very little information regarding this issue and its fix. I have also read that enabling the logging facility can help troubleshoot these issues, but the logging isn't working.
Sometimes the printer will install manually from the print server for a user, but other times it doesn't. I have tested logging in as a user on a newly imaged machine with Windows 7 and some Canon printers install, but on another freshly imaged machine, other printers installed, but not the same set as on the first machine (only a subset of all the printers they should have). Connecting to the printer manually from one computer works as a user, while on another machine, I get a Connection Error message that isn't particularly helpful. Logging and tracing information would be helpful here to determine what's going on, but I can't find it on any of the computers even though it has been enabled and the client has the setting and has created the folder structure, but the log files are not in the location that has been defined.
Chris
My biggest problem right now is understanding why the Group Policy Logging and Tracing for the Group Policy Preference Extensions to install TCP/IP printers isn't working. If I can get that working, I can probably figure out what's going on with the actual installs failing.
Policy Setting Comment
Printers preference extension policy processing Enabled
Allow processing across a slow network connection Enabled
Do not apply during periodic background processing Disabled
Process even if the Group Policy objects have not changed Enabled
Background priority Idle
System/Group Policy/Logging and tracing
Policy Setting Comment
Configure Printers preference logging and tracing Enabled
Event logging Informational, Warnings and Errors
Tracing On
User trace %COMMONAPPDATA%\GroupPolicy\Preference\Trace\User.log
Computer trace %COMMONAPPDATA%\GroupPolicy\Preference\Trace\Computer.log
Planning trace %COMMONAPPDATA%\GroupPolicy\Preference\Trace\Planning.log
Maximum size of trace file (KB) 1024
Here's a specific case where I don't understand the errors:
Logged user into Windows XP x86 Pro computer. Some TCP/IP printers installed on the computer, so I reviewed the event logs for errors.
The two errors I got are:
The user 'W.X.Y.Z' preference item in the 'HQ - 2nd Floor Departments {C1D01FCC-86FE-4243-9149-8214FC358942}' Group Policy object did not apply because it failed with error code '0x8007051b This security ID may not be assigned as the owner of this object.' This error was suppressed.
The user 'W.X.Y.R' preference item in the 'Development Dept {1289085D-AA67-456D-93D4-B7F24A179964}' Group Policy object did not apply because it failed with error code '0x8000ffff Catastrophic failure' This error was suppressed.
Manually installed both printers from the server without any issues. So I am guessing you will say that the issue is GP related, but what do the errors mean and how do I resolve them?
OK. I have gotten the logging functionality working and it only helps somewhat to figure out the issue. I had to change where I was applying the settings for the logging functionality. I have also removed the settings for Point and Print Restrictions to the same GPO and applied only on the computer side. I had to Enable Point and Print Restrictions with it set to not prompt the user when installing a driver because I was seeing Windows 7 computers saying they couldn't find the driver and when manually installing, it asked if it should install the driver.
The question I now have is when a computer has not gotten the TCP/IP printer installed properly (I see the port has been created, but the driver was missing and the printer was not created), how do I get the computer to install the printer properly without going back and unchecking the Apply once checkbox for each printer object? I have the "Process even if the Group Policy objects have not changed" set to Enabled, but the objects are not actually installing unless I change the property on the Printer object in the Preferences to not install only once.
Also, I have not noticed a difference in whether or not the printers install depending on the setting "Run in logged-on user's security context (user policy option)". Can someone explain how this setting really works? Many users have said this setting should be enabled, but I have not noticed that in my testing.
Thanks,
Chris
Policy Setting Comment
Point and Print Restrictions Enabled
Users can only point and print to these servers: Enabled
Enter fully qualified server names separated by semicolons xxx.yyy.zzz
Users can only point and print to machines in their forest Enabled
Security Prompts:
When installing drivers for a new connection: Do not show warning or elevation prompt
When updating drivers for an existing connection: Do not show warning or elevation prompt
This setting only applies to:
Windows Vista and later
System/Group Policy
Policy Setting Comment
Printers preference extension policy processing Enabled
Allow processing across a slow network connection Enabled
Do not apply during periodic background processing Disabled
Process even if the Group Policy objects have not changed Enabled
Background priority Idle
System/Group Policy/Logging and tracing
Policy Setting Comment
Configure Printers preference logging and tracing Enabled
Event logging Informational, Warnings and Errors
Tracing On
User trace %COMMONAPPDATA%\GroupPolicy\Preference\Trace\User.log
Computer trace %COMMONAPPDATA%\GroupPolicy\Preference\Trace\Computer.log
Planning trace %COMMONAPPDATA%\GroupPolicy\Preference\Trace\Planning.log
Maximum size of trace file (KB) 1024
I am going to reply to myself because I feel I have not found much information about these issues and I have googled the error messages quite a bit in search for information about what I was doing wrong. I had been getting the error "The user 'W.X.Y.Z' preference item in the 'HQ - 2nd Floor Departments {C1D01FCC-86FE-4243-9149-8214FC358942}' Group Policy object did not apply because it failed with error code '0x8007051b This security ID may not be assigned as the owner of this object.' This error was suppressed." and was unsure of what was causing it.
I asked a question in my last post related to the option to "Run in logged-on user's security context (user policy option)" and found that the printers that were failing with this error message about the security ID may not be assigned were ones where this option was turned on. I found that unchecking that option to disable it fixed the issue where the printers were not installing and throwing the error.
At this point, I seem to be pretty close to having the printer installs working consistently. I had been trying different settings in different GPOs and have started unifying things with the settings that appear to work correctly. Maybe someone else will find this information useful as I will continue to post until this stuff is fully working.
OK. I have a Windows XP x86 machine where the printer installs were failing. I have seen the installs working properly on other computers now, so I tried to have the machine install the missing drivers specified in the GPO that applies to them. The printer port installed but now I am getting an error:
The user 'xxx.yyy.zzz.aaa' preference item in the 'HQ - 2nd Floor Departments {C1D01FCC-86FE-4243-9149-8214FC358942}' Group Policy object did not apply because it failed with error code '0x800706be The remote procedure call failed.' This error was suppressed.
I tried clearing the Group Policy\History folder and removed the ports, but the printer didn't install and the ports are no longer there. I found that I had to uncheck and disable the option "Apply once and do not reapply" to get this error to go away and for the printer to install properly. Hope this helps someone else out there...
OK. I saw this error yesterday with our Windows 7 machines. After all the other errors, I am now getting a different error, and it doesn't happen for the same printers each time. I have a GPO with all the printers in it for all of the printers in our company (64 or so). These printers are installed on the Helpdesk technician's computers and after working through all of the errors for other users, I am seeing "The user 'www.xxx.yyy.zzz' preference item in the 'Printer Testing {26265F44-DB11-4BF4-B29E-9554625FCCAF}' Group Policy object did not apply because it failed with error code '0x8007007e The specified module could not be found.' This error was suppressed."
Forcing a group policy update on the machines produces the error with a different printer each time it is run. Any ideas what is causing this error now?
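Added example, not part of any post in this thread: because the failing printer changes from one refresh to the next, it helps to tabulate the preference-item events by error code and GPO instead of reading them one at a time. The Python sketch below parses the message layout quoted in the posts above and splits each HRESULT into facility and Win32 code; the function names are hypothetical, and the sample input is built from the four messages in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: the four event messages quoted in this thread.
SAMPLE_EVENTS = [
    "The user 'W.X.Y.Z' preference item in the 'HQ - 2nd Floor Departments {C1D01FCC-86FE-4243-9149-8214FC358942}' Group Policy object did not apply because it failed with error code '0x8007051b This security ID may not be assigned as the owner of this object.' This error was suppressed.",
    "The user 'W.X.Y.R' preference item in the 'Development Dept {1289085D-AA67-456D-93D4-B7F24A179964}' Group Policy object did not apply because it failed with error code '0x8000ffff Catastrophic failure' This error was suppressed.",
    "The user 'xxx.yyy.zzz.aaa' preference item in the 'HQ - 2nd Floor Departments {C1D01FCC-86FE-4243-9149-8214FC358942}' Group Policy object did not apply because it failed with error code '0x800706be The remote procedure call failed.' This error was suppressed.",
    "The user 'www.xxx.yyy.zzz' preference item in the 'Printer Testing {26265F44-DB11-4BF4-B29E-9554625FCCAF}' Group Policy object did not apply because it failed with error code '0x8007007e The specified module could not be found.' This error was suppressed.",
]

# Message layout as it appears in the posts above.
EVENT_RE = re.compile(
    r"The (?P<scope>\w+) '(?P<item>[^']+)' preference item in the "
    r"'(?P<gpo>.+?) (?P<guid>\{[0-9A-Fa-f-]{36}\})' Group Policy object did not "
    r"apply because it failed with error code "
    r"'(?P<code>0x[0-9A-Fa-f]{8}) ?(?P<text>[^']*)'"
)

FACILITY_WIN32 = 7  # 0x8007xxxx HRESULTs carry a Win32 error in the low word
# Standard winerror.h names for the Win32 codes seen in this thread.
WIN32_NAMES = {126: "ERROR_MOD_NOT_FOUND", 1307: "ERROR_INVALID_OWNER",
               1726: "RPC_S_CALL_FAILED"}

def decode_hresult(value):
    """Return (failed, facility, code) for a 32-bit HRESULT."""
    return bool(value >> 31), (value >> 16) & 0x7FF, value & 0xFFFF

def parse_event(message):
    """Parse one event message; return a dict, or None if it does not match."""
    m = EVENT_RE.search(message)
    if m is None:
        return None
    rec = m.groupdict()
    _, facility, code = decode_hresult(int(rec["code"], 16))
    rec["win32"] = code if facility == FACILITY_WIN32 else None
    rec["win32_name"] = WIN32_NAMES.get(rec["win32"])
    return rec

def failures_by_code(messages):
    """Map each error code to the set of (GPO name, item) pairs that hit it."""
    table = defaultdict(set)
    for rec in filter(None, map(parse_event, messages)):
        table[rec["code"].lower()].add((rec["gpo"], rec["item"]))
    return dict(table)

if __name__ == "__main__":
    for code, items in sorted(failures_by_code(SAMPLE_EVENTS).items()):
        print(code, sorted(items))
```

Run against events collected from several refreshes, the same table shows whether a given error code follows a GPO, a printer item, or neither.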