Mapping Printers based on Computer OU (via Script)

KB ID 0000645 

Problem

Location based printing has long been a pain. In the past I’ve tackled it with Group Policy Preferences, and I’ve even gone ‘old school’ and mapped printers with con2prt.

A few months ago I put in a new network at a school, they were using a vbs script to deploy all their classroom printers, and I had a quick (unsuccessful) attempt to do the same. But time was against me and I used GPP and location variables to solve the problem.

I did however take a copy of the script to have a play with, so yesterday while it was quiet I dropped a copy on the test network, and failed again! So I trawled round the internet and cobbled together a new script which works they way I wanted.

Note: Please do not email me and ask “Can you change the scripts to do xyz” you probably know as much about vbs as I do!

Solution

Requirements

1. I want the script to run and map the printers based on the OU that the computer is in, in these example I’ve only got two OU’s, but in a live environment you might want all the computers in the maths classroom to get the black and white laser printer in that classroom as the default printer and also be connected to the colour printer in the same room.

2. On my test network I’ve only got two printers, an HP 4600 Colour Laser, and an HP 3055 multifunction printer, so to illustrate how the script works I’ll map both printers to the computers in both OU’s, but I’ll change the default printer for OU1 and OU2. Both these printers are already setup and installed on my server.

Note: You may need to add x64 AND x32 bit drivers to your printers if you have a mix of client operating systems, as they download the driver from the server.

Script to Map Printers Based on OU

3. This script will remove any mapped network printers, Note: Local printers are NOT removed. It will then connect the printers you require for each OU. Lastly it will set the default printer.

Note: You need to connect the printer before you can set it as default.

[box]

'=========================================================================<br />
' MAP PRINTERS BASED ON OU<br />
'<br />
' AUTHOR:  PeteLong<br />
' COMPANY: www.petenetlive.com<br />
' DATE:    03/08/12<br />
'=========================================================================<br />
Set objSysInfo = CreateObject("ADSystemInfo")<br />
strName = objSysInfo.ComputerName</p>
<p>arrComputerName = Split(strName, ",")<br />
arrOU = Split(arrComputerName(1), "=")<br />
strComputerOU = arrOU(1)</p>
<p>Set objNetwork = CreateObject("WScript.Network")</p>
<p>'=========================================================================<br />
'STEP 1 - Remove any NETWORK printers (NOT Local Printers)<br />
'=========================================================================</p>
<p>Set WshNetwork = WScript.CreateObject("WScript.Network")<br />
Set Printers = WshNetwork.EnumPrinterConnections</p>
<p>For i = 0 to Printers.Count - 1 Step 2</p>
<p>    If Left(ucase(Printers.Item(i+1)),2) = "" Then<br />
        WSHNetwork.RemovePrinterConnection Printers.Item(i+1)<br />
    End IF<br />
Next</p>
<p>'=========================================================================<br />
'STEP 2 - Connect Printers based on COMPUTER OU membership<br />
'=========================================================================</p>
<p>Select Case strComputerOU<br />
    Case "OU1"<br />
        objNetwork.AddWindowsPrinterConnection "PNL-DC3055"<br />
        objNetwork.AddWindowsPrinterConnection "PNL-DC4600"<br />
        objNetwork.SetDefaultPrinter "PNL-DC4600"<br />
    Case "OU2"<br />
        objNetwork.AddWindowsPrinterConnection "PNL-DC3055"<br />
        objNetwork.AddWindowsPrinterConnection "PNL-DC4600"<br />
        objNetwork.SetDefaultPrinter "PNL-DC3055"<br />
End Select

[/box]

What you would need to change

Simply change PNL-DC for the name of your print server, add your OU’s and printers, you would just add a new ‘case’ for each OU you require.

4. I’m deploying this script as a USER logon script, though If you wanted you could also use a COMPUTER startup script.

What computers in OU1 would see

What computers in OU2 would see

Related Articles, References, Credits, or External Links

NA

Juniper (JUNOS) SRX – Static ‘One-to-One’ NAT

KB ID 0000995 

Problem

Setting up ‘Static NAT’ is the process of taking one of your ‘spare’ public IP addresses, and permanently mapping that public IP to a private IP address on your network.

In the example above I want to give my web sever which has an internal IP address of 192.168.1.10/24, the public IP address of 1.1.1.5/24. So if someone out on the Internet wants to view my website, they can browse to http://1.1.1.5 (or a URL that I’ve pointed to 1.1.1.5 like http://www.mywebsite.com). Then that traffic will be NATTED, on the firewall for me.

Solution

1. Create a rule-set from the ‘untrust’ zone. Then add a rule to that rule-set, that has a destination of 1.1.1.5/32, and finally set it to NAT that traffic to 192.168.1.10/32.

[box]login: root
Password: *******

— JUNOS 12.1X44-D30.4 built 2014-01-11 03:56:31 UTC

root@FW-02% cli
root@FW-02> configure
Entering configuration mode

[edit]
root@FW-02# set security nat static rule-set UNTRUST-TO-TRUST from zone untrust

[edit]
root@FW-02# set security nat static rule-set UNTRUST-TO-TRUST rule NAT-RULE-1 match destination-address 1.1.1.5/32

[edit]
root@FW-02# set security nat static rule-set UNTRUST-TO-TRUST rule NAT-RULE-1 then static-nat prefix 192.168.1.10/32

[/box]

2. Set the firewall to proxy-arp (advertise your pubic IP address with is MAC address), then add the web server to the global address book.

Note: ge-0/0/0.0 is the physical address you are advertising the new IP address from, on firewalls in a failover cluster you would use the Reth address i.e. reth0.0

[box] [edit]
root@FW-02# set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.5/32

[edit]
root@FW-02# set security address-book global address WEB-SERVER 192.168.1.10/32

[/box]

3. Allow traffic OUT from the web server. Here I’m letting out all ports, if you wanted just web traffic then use the keyword junos-http (TCP Port 80 (http)).

[box]

[edit]
root@FW-02# set security policies from-zone trust to-zone untrust policy WEB-SERVER-OUT match source-address WEB-SERVER

[edit]
root@FW-02# set security policies from-zone trust to-zone untrust policy WEB-SERVER-OUT match destination-address any

[edit]
root@FW-02# set security policies from-zone trust to-zone untrust policy WEB-SERVER-OUT match application any

[edit]
root@FW-02# set security policies from-zone trust to-zone untrust policy WEB-SERVER-OUT then permit

[/box]

4. Then allow traffic IN to the web server, (here I’m locking it down to just http).

[box] [edit]
root@FW-02# set security policies from-zone untrust to-zone trust policy WEB-SERVER-IN match source-address any

[edit]
root@FW-02# set security policies from-zone untrust to-zone trust policy WEB-SERVER-IN match destination-address WEB-SERVER

[edit]
root@FW-02# set security policies from-zone untrust to-zone trust policy WEB-SERVER-IN match application junos-http

[edit]
root@FW-02# set security policies from-zone untrust to-zone trust policy WEB-SERVER-IN then permit

[/box]

5. Save the changes.

[box][edit]
root@FW-02# commit
commit complete[/box]

Juniper Allowing Traffic To Custom Ports And Applications

1. Although Juniper have a lot of built in ‘applications’ you can allow, what if you want to create your own? Below I’ll create a custom application for Remote Desktop Protocol (TCP port 3389).

[box] [edit]
root@FW-A# set applications application APP-RDP protocol tcp

[edit]
root@FW-A# set applications application APP-RDP destination-port 3389

[/box]

2. You could now use this application in your security policies e.g.

[box] [edit]
root@FW-A#set security policies from-zone untrust to-zone trust policy TERMINAL-SERVER-IN match application APP-RDP[/box]

 

Related Articles, References, Credits, or External Links

NA