Macintosh Printer Management using Centrify DirectControl Group Policies




WHITE PAPER
CENTRIFY CORP.
MARCH 2010

Macintosh Printer Management using Centrify DirectControl Group Policies

ABSTRACT

This white paper examines various approaches to managing printer configuration files on the Macintosh using Centrify Group Policy tools.

Centrify Corporation
985 N Mary Ave, Suite 200
Sunnyvale, CA 94085
TEL (408) 542-7500
FAX (408) 542-7575
URL www.centrify.com

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Centrify Corporation. Centrify may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Centrify, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. 2004-2010 Centrify Corporation. All rights reserved. Centrify and DirectControl are registered trademarks and DirectAudit and DirectAuthorize are trademarks of Centrify Corporation in the United States and/or other countries. Other brand names used in this document are the trademarks of their respective owners. [WP-024-2010-03-11] 2010 CENTRIFY CORPORATION. ALL RIGHTS RESERVED. PAGE II

Contents

1 Macintosh Printer Management using Centrify DirectControl Group Policies
    1.1 How does the Mac store printer definitions?
2 Method 1: Using a Template Mac to set up a list of printers
    2.1 On your Template Mac, select the printers that you want to have configured
    2.2 Copy these files to your desktop, and then move them to the Windows machine where you will be configuring group policies
    2.3 Use the CopyFile Group policy to copy these files to your target Macs
    2.4 Removing a printer
3 Managing Printer Configurations using the lpadmin command
4 Managing the lpoperator group (10.6 only)
5 Appendix

1 Macintosh Printer Management using Centrify DirectControl Group Policies

In order to set up printer definitions, it is important to understand how the Macintosh manages and stores them in the first place.

1.1 How does the Mac store printer definitions?

OS X uses a printing facility called CUPS. CUPS is the standards-based, open source printing system developed by Apple Inc. for Mac OS X and other UNIX-like operating systems. You can find out more about CUPS at http://www.cups.org/

On your Macintosh you can see the status of the CUPS system by going to http://localhost:631/ on your machine. This shows which printers are configured on your system (see the last tab, Printers), how to configure and add new printers, and everything you ever wanted to know about CUPS.

You can also do these same operations using the Print and Fax panel located under the System Preferences menu in OS X. Both systems set up and manage the same files.

1) The list of printer definitions is stored in the file /etc/cups/printers.conf
2) Each configured printer also has a PostScript Printer Description file stored in the directory /etc/cups/ppd/, for example:

    Lance-MacbookPro:ppd lance$ ls -l
    total 2624
    -rw-r--r-- 1 root _lp 267335 Oct 8 12:51 Color4650.ppd
    -rw-r--r-- 1 root _lp 208341 Nov 9 14:55 HP4200.ppd
    -rw-r--r-- 1 root _lp 284052 Nov 3 14:23 HP_LaserJet_9000_Series EFF7EF_.ppd
    -rw-r--r-- 1 root _lp 312304 Sep 23 20:54 HP_PSC_900_Series Lance_McAndrewb_9s_Computer.ppd
    -rw-r--r-- 1 root _lp 259501 Oct 8 12:51 hp_laserjet_4240 9B987E_.ppd

There are two ways to set up printer configurations for a Mac using the CUPS tools:

1) Copy File: Set up the printer configurations on one Mac and then copy the printers.conf file and ppd definitions to other machines using the CopyFile Group Policy tools.

    Pros:
    - You can use the GUI tools to create the printer definitions.
    - No programming required.

    Cons:
    - Extra work required to delete a printer configuration.

2) Run Command: Use the Run Command Group Policy to run the lpadmin command and create each printer definition on the local machine.

    Pros:
    - This is the real way you're supposed to create printer definitions.

    Cons:
    - Need to do a lot of manual work to get the command to run properly.
    - A second command is required to delete a printer configuration.

This document will show both methods and leave it to the reader to decide which to use. Both approaches allow you to set different printer definitions by applying group policies to different OUs in your Active Directory hierarchy.

2 Method 1: Using a Template Mac to set up a list of printers

When setting up your printers it is important to know whether or not they require authentication before printing.

If they do not require authentication, you can set them up using the standard method: press the + button and select the printer.

If they require authentication before printing, press the + button, then:

    On 10.6: Press the Advanced button in the title bar.
    On 10.5: Select Advanced from the list of network options.

Press and hold the Option key and click More Printers to add the Advanced option to the list of network choices displayed.

1) Click the Device list and select "Windows Printer via Centrify DirectControl" from the list.
2) Type a device name for the printer.
3) Type the rest of the URI for the printer and select the printer model, then click Add, e.g.

    cdcsmb://dc01.mydomain.com/hp4240

Note:
    dc01.mydomain.com - hostname where the shared printer resides
    HP4240 - printer share name

2.1 On your Template Mac, select the printers that you want to have configured.

In the Finder use the Go -> Go to Folder menu item to navigate to the directory /etc/cups

Select the file printers.conf and copy it to your desktop. You will need to enter an administrator password to copy this file.

After you have copied it to your desktop, you may have to change permissions on this file in order to copy it to your SYSVOL. Select the Get Info menu item for the printers.conf file.

Expand the Sharing & Permissions triangle and unlock the control panel by clicking the lock in the bottom right corner. Set the permissions for everyone to be Read Only.

In the Finder use the Go -> Go to Folder menu item to navigate to the directory /etc/cups/ppd

This folder contains the ppd files for each printer you have defined.

2.2 Copy these files to your desktop, and then move them to the Windows machine where you will be configuring group policies.

From that Windows machine, you can access your domain's SYSVOL volume. Create a new directory (I called mine MacPrinterFiles) and copy your printers.conf file and all .ppd files to that location. (The left frame of the screenshot shows the path to the SYSVOL. The right frame shows the MacPrinterFiles directory and the needed files.)

2.3 Use the CopyFile Group policy to copy these files to your target Macs.

Create a new group policy for the OU where your Macs reside in AD. At this point we assume you know how to create a group policy using the Centrify Group Policy tools for Macintosh. If not, please refer to the Mac Administrators Guide.

The Group Policy you want to use is:

    Computer Configuration -> Centrify Settings -> Common Unix Settings -> Copy files

Create a GP to copy the printers.conf file from your SYSVOL to the location /etc/cups/printers.conf. Note that the default source location for the group policy is the SYSVOL, but the group policy can specify any SMB server; it does not need to be SYSVOL. Make sure to set the permissions and ownership properly.

Permissions are 0600 (rw- --- ---), the owner is root (0) and the owner group is _lp (26).

Do the same with each of the ppd files in the /etc/cups/ppd/ folder. Make sure to set the permissions and ownership properly. Permissions are 0644 (rw- r-- r--), the owner is root (0) and the owner group is _lp (26).

The final result should be as follows: [screenshot]
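A check for the modes and ownership stated above, as an added example that is not part of the white paper: run on a target Mac after the policy has applied, it reports any copied file that differs from 0600/0644 and root (0):_lp (26). The function names and the EXPECT_UID/EXPECT_GID overrides are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the white paper.
# Expected values are the ones the paper gives for the Copy files policy:
#   /etc/cups/printers.conf  0600  owner root (0)  group _lp (26)
#   /etc/cups/ppd/*.ppd      0644  owner root (0)  group _lp (26)
# EXPECT_UID / EXPECT_GID are hypothetical overrides so the check can be
# exercised against a scratch directory.

# check_one FILE MODE_STRING: print a finding and return 1 if FILE is out of policy.
check_one() {
    file=$1
    want="$2 ${EXPECT_UID:-0} ${EXPECT_GID:-26}"
    if [ ! -f "$file" ]; then
        echo "MISSING  $file"
        return 1
    fi
    # ls -ln prints numeric ids on both macOS and Linux. Keep only the first
    # 10 characters of the mode so a trailing ACL/xattr marker is ignored.
    got=$(ls -lnd -- "$file" | awk '{ print substr($1, 1, 10), $3, $4 }')
    if [ "$got" != "$want" ]; then
        echo "MISMATCH $file: got [$got], want [$want]"
        return 1
    fi
}

# check_cups_perms [DIR]: check printers.conf and every ppd file under DIR.
# Returns 0 only when every file matches.
check_cups_perms() {
    cups_dir=${1:-/etc/cups}
    bad=0
    check_one "$cups_dir/printers.conf" "-rw-------" || bad=$((bad + 1))
    for ppd in "$cups_dir"/ppd/*.ppd; do
        [ -e "$ppd" ] || continue    # unmatched glob stays literal
        check_one "$ppd" "-rw-r--r--" || bad=$((bad + 1))
    done
    echo "$bad file(s) out of policy"
    [ "$bad" -eq 0 ]
}

# Run as: sh check_cups_perms.sh /etc/cups
if [ "$#" -ge 1 ]; then
    check_cups_perms "$1"
fi
```

A printers.conf that is readable by group or others shows up as a MISMATCH line with the mode, uid and gid that were actually found.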

All the steps for setting up the Printer Group Policy have been completed.

On your target Mac, you can update the printer configurations by forcing a Group Policy update. Open a terminal window and type

    adgpupdate

You should also log out and log in again so that the printer configuration dialogs can be updated.

2.4 Removing a printer

To remove a printer definition from client Macs, there are a number of steps required.

1) Write down the name of the ppd file to delete from the /etc/cups/ppd/ folder.
2) On your template Mac, use the Print and Fax System Preference dialog to delete the printer definition. This will remove the ppd file and create a new printers.conf file.
3) Copy the new printers.conf file to your SYSVOL to replace the existing one used by the Copy File Group Policy. When the file is updated, the GP will automatically refresh each target machine with the new version of the file.
4) Set up a new group policy: Common UNIX Settings -> Specify commands to run. Enable the GP and enter the command

    rm /etc/cups/ppd/<ppdfilename.ppd>

This command will delete the unwanted ppd file from each machine when its group policy executes. The deletion will occur sometime within the next 90 minutes, as each machine runs its group policy sequence. You can force it to happen immediately on a machine by logging in and running adgpupdate from a terminal.

You should remove this group policy after you feel a suitable amount of time has passed for each machine to receive the GP and run the command. If you have a number of portable machines that are taken off network, you may want to ensure enough time has passed that each of them has been reattached.

If you do not remove the group policy it will continue to be executed every 90 minutes in perpetuity. There are no negative effects to this happening; the rm command will just return a file not found error.

3 Managing Printer Configurations using the lpadmin command.

An alternate approach to managing printer configurations is to use the lpadmin command to create and delete printer definitions on each machine. For more information on lpadmin, open a Terminal window and type

    man lpadmin

To use these commands you need to use the Run Command group policy. When the group policy activates, the lpadmin command will be executed to set up or delete the printer.
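Because the Run Command policy fires again on every refresh, the lpadmin call can be wrapped so that it only acts when the queue is missing or its device URI no longer matches the policy. This is an added example, not Centrify's code: ensure_printer and current_uri are hypothetical names, the script is assumed to be already present on the Mac, and the values in the usage comment are the white paper's own example values from this section.

```shell
#!/bin/sh
# Added example, not part of the white paper. Intended as the command behind
# "Common UNIX Settings -> Specify commands to run".

# current_uri NAME: print the device URI CUPS holds for queue NAME,
# or nothing when the queue does not exist.
current_uri() {
    # lpstat -v prints "device for NAME: URI"; force the C locale so the
    # prefix is not translated.
    ( LC_ALL=C; export LC_ALL; lpstat -v "$1" 2>/dev/null ) |
        awk -v p="device for $1: " \
            'index($0, p) == 1 { print substr($0, length(p) + 1) }'
}

# ensure_printer NAME PPD LOCATION URI
# Prints "unchanged", "added" or "repointed"; lpadmin runs only for the last two.
ensure_printer() {
    name=$1 ppd=$2 location=$3 uri=$4
    have=$(current_uri "$name")
    if [ "$have" = "$uri" ]; then
        echo "unchanged"
        return 0
    fi
    if [ -n "$have" ]; then
        # The queue exists but sends jobs somewhere else: record the old
        # target before putting the policy value back.
        echo "drift: $name pointed at $have, resetting to $uri" >&2
        action=repointed
    else
        action=added
    fi
    lpadmin -p "$name" -P "$ppd" -L "$location" -v "$uri" -E && echo "$action"
}

# Usage with the white paper's example values:
#   sh ensure_printer.sh "WLMPR0626" \
#     "/Library/Printers/PPDs/Contents/Resources/HP Color LaserJet CP2020 Series.gz" \
#     "First Floor" "cdcsmb://w2k3wlm03.mydomain.internal/wtcpr0626"
if [ "$#" -eq 4 ]; then
    ensure_printer "$@"
fi
```

The "repointed" case is the one worth collecting centrally, since it means a queue on that Mac had been changed to send jobs to a different device URI than the one the policy sets.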

The group policy is Common UNIX Settings -> Specify commands to run

In there you will add the lpadmin command. Here is an example:

    lpadmin -p "WLMPR0626" -P "/Library/Printers/PPDs/Contents/Resources/HP Color LaserJet CP2020 Series.gz" -L "First Floor" -v "cdcsmb://w2k3wlm03.mydomain.internal/wtcpr0626" -E

To delete a printer, you will run the lpadmin command with the -x option:

    lpadmin -x "WLMPR0626" -P "/Library/Printers/PPDs/Contents/Resources/HP Color LaserJet CP2020 Series.gz" -L "First Floor" -v "cdcsmb://w2k3wlm03.mydomain.internal/wtcpr0626" -E

Proper configuration of the lpadmin command for a specific printer is left as an exercise for the reader.

This command will add the printer definition file to each machine when its group policy executes. It will occur sometime within the next 90 minutes, as each machine runs its group policy sequence.

You should remove this group policy after you feel a suitable amount of time has passed for each machine to receive the GP and run the command. If you have a number of portable machines that are taken off network, you may want to ensure enough time has passed that each of them has been reattached.

If you do not remove the group policy it will continue to be executed every 90 minutes in perpetuity. There are no negative effects to this.

With this approach it is possible to have multiple group policies adding printer definitions from different levels in the Active Directory hierarchy. A higher level group policy could add common printers for a division and a lower level group policy could add printers specific to a work department.

4 Managing the lpoperator group (10.6 only)

There are situations where it is necessary to assign non-admin users the rights to pause and restart print queues. Normally a non-admin user does not have permission for these operations. When a non-admin user tries to suspend a print queue, you will see this error dialog: [screenshot]

Here are the steps you can take to address this issue with Centrify.

1) Create a new group in Active Directory. Give it the name _lpoperator.
2) Add this group to your zone with gid 100 and the name _lpoperator. If you are using workstation mode, then this will not work. The network user cannot open the print queue dialog box.
3) Assign all Mac users to this group.
4) Open the group policy editor. Enable the group policy Computer Configuration -> DirectControl Settings -> Merge Local Group Membership.
5) If you are testing a machine, open a terminal and run adgpupdate to refresh the policies, then log out and log in as your user.

The user should now be a member of the local _lpoperator group and should have permission to suspend a print queue.

An alternate approach is to manually add the user to the local _lpoperator group on the Mac. There is a description of how to do this here: http://discussions.apple.com/thread.jspa?threadid=2006510

You could also configure a login script to run this command for each user.

5 Appendix

Here's the URL for Snow Leopard's man page for lpadmin:
http://developer.apple.com/mac/library/documentation/darwin/reference/manpages/man8/lpadmin.8.html

You can get all the details about the printers.conf file from the man page (man printers.conf):
http://developer.apple.com/mac/library/documentation/darwin/reference/manpages/man5/printers.conf.5.html

lpadmin and lpoptions both have man pages within CUPS:
http://www.cups.org/documentation.php/man-lpadmin.html
and
http://www.cups.org/documentation.php/man-lpoptions.html

Here's the URL for Snow Leopard's man page for lpoptions (for setting defaults and options):
http://developer.apple.com/mac/library/documentation/darwin/reference/manpages/man1/lpoptions.1.html

CUPS 1.4 has a slew of new features:
http://www.cups.org/doc-1.4/whatsnew.html#commands