[Samba] KB3163912 breaks Point and Print Restrictions GPO settings for non-packaged-aware printer drivers

Thu Aug 31 10:46:50 UTC 2017

On 24/08/17 12:57, Marc Muehlfeld via samba wrote:
> Hello Christian,
> 
> Am 24.08.2017 um 11:36 schrieb Christian Naumer via samba:
>> Has anyone found a workaround for Samba print servers?
>>
>> https://social.technet.microsoft.com/Forums/en-US/030ee94a-047d-460a-bc39-52351a199364/kb31639
>> 12-breaks-point-and-print-restrictions-gpo-settings
>>
>> If I set the GPOs as stated on the WIKI (https://wiki.samba.org/index.php/Setting_up_Automatic
>> _Printer_Driver_Downloads_for_Windows_Clients) Windows 10 refuses to install the driver with
>> "a policy forbids the installation" (translated from german). If I remove the policy I can
>> install everything fine (after the security prompt).
>> This all works with Windows 7 as expected.
> 
> Last time I verified the procedure was when I wrote the documentation
> last January. It worked on 7/8.1/10 with all available updates applied.
> I can re-check the procedure tonight.
> 
> What Samba and Win10 version are you using?
> 
> Which of the 2 GPOs do you refer to when you say "If I remove the policy
> I can install everything fine"?

I can confirm that I seem to be experiencing the same problem. A few 
days ago, printers published from Samba AD and installed via GPO refused 
to install any more. This has been working fine for 6 months or so, 
since I setup the AD, until a few days ago - all according to 
instructions here: 
https://wiki.samba.org/index.php/Setting_up_Automatic_Printer_Driver_Downloads_for_Windows_Clients. 

In the Event viewer on the Windows client I get the following:

EventID: 4098
Source: Group Policy Printers
Level: Warning
The user '<printer_name_on_samba_server>' preference item in the 
'<my_printer_installation_gpo_name>' Group Policy Object did not apply 
because it failed with error code '0x800704ec'. This program is blocked 
by group policy. For more information contact your system administrator. 
This error was suppressed.

Trying to browse for the printer directly on the Samba AD (from Windows 
workstation) I can see it, but when I double-click on it, I get the 
following error:

"A policy is in effect on your computer which prevents you from 
connecting to this printer queue"

or:

"Operation could not be completed (error 0x00000bc4). No printers are found"

(the error message varies from machine to machine).

My setup is:

Samba ADC + print server: Samba 4.6.2
Clients: Windows 10 Pro x 3
A Samsung and a Brother printer shared on the Samba print server

Disabling the "Legacy printer driver policy" completely seems to get 
everything working properly, and the printers are installed correctly 
again by the printer installation gpo.

Follow-up: After more tests, it would appear that a recent Windows 10 
update has modified the behaviour of the two print server trust GPO's. 
When I amended them to use the *non* FQDN name of my print server, they 
started working again.

Has anyone else experienced similar issues? Or maybe my findings are 
incorrect and the issue is somewhere else?