Having issues with printers or printer drivers messing up your server or client? Here are some tips that can make your day better.
First of all, stop the print spooler service. After that, you can delete the following key depending on the printer or driver you are trying to delete.
If you ever wondered whether there is a cooler or faster way to update a computer's group membership without having to reboot: well, there is. If you delete or "purge" the Kerberos tickets on the machine and then perform a gpupdate, the client retrieves a new Kerberos ticket with the new group membership.
Here are the two (well, if you have never heard of gpupdate /force):
The key needs to be set on your print server. Remember that by setting this key, you will effectively re-open the PrintNightmare security flaw by downgrading your security level on the server. If you want a persistent fix, you should use type 4 printer drivers, which do not need admin rights on the client side. Admin rights are needed if you have type 3 printer drivers.
Alternatively, you can add the DWORD value ZeroConfigExchangeOnce set to 1 to automate the creation of the first profile. Subsequent profiles have to be created manually.
When syncing local AD users to Azure AD, you can configure Seamless Sign-On to automatically log in to Microsoft 365 apps like SharePoint Online, OneDrive, or Exchange Online. This is very easy to do and will make logins less painful for users.
When the pre-checks are complete, hit configure and exit.
A computer account named AZUREADSSOACC will be created in Active Directory, which allows the authentication validation between Azure AD and local Active Directory. The Kerberos decryption key is saved in the cloud and should be changed regularly. You can see that service principal names are configured on the computer account.
Lastly, you can roll out the feature with Group Policy. The URL https://autologon.microsoftazuread-sso.com must be added to the intranet zone list, which allows the browser to send Kerberos tickets to that site.
The GPO can be found under User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Site to Zone Assignment List.
Status bar updates via script must also be enabled. This GPO is located under User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone > Allow updates to status bar via script.
You can test the feature by opening portal.office.com. After entering the username, the login should complete automatically without needing to enter a password.
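The Seamless Sign-On setup described above can also be checked from PowerShell. This is an added example, not part of the original post: it reports the SPNs and key age of the AZUREADSSOACC account and confirms the Site to Zone Assignment policy reached the current user. It assumes the RSAT ActiveDirectory module is installed, treats the account's PasswordLastSet as the time of the last key change, and uses a 30-day threshold that is illustrative rather than a value from the post.

```powershell
# Added example: post-deployment checks for Seamless Sign-On.
# Assumption: $MaxKeyAgeDays is an illustrative threshold, not a value from the post.
param([int]$MaxKeyAgeDays = 30)

function Test-SsoAccount {
    param([int]$MaxAgeDays)
    # Requires the RSAT ActiveDirectory module (assumption).
    Import-Module ActiveDirectory -ErrorAction Stop
    $acct = Get-ADComputer -Identity 'AZUREADSSOACC' `
        -Properties PasswordLastSet, ServicePrincipalName
    # Assumption: PasswordLastSet reflects the last Kerberos decryption key change.
    $age = (New-TimeSpan -Start $acct.PasswordLastSet -End (Get-Date)).Days
    [pscustomobject]@{
        DistinguishedName = $acct.DistinguishedName
        SPNs              = $acct.ServicePrincipalName -join '; '
        KeyAgeDays        = $age
        KeyChangeOverdue  = $age -gt $MaxAgeDays
    }
}

function Test-SsoZoneMapping {
    # The Site to Zone Assignment List policy stores each URL as a value name
    # under ZoneMapKey; the data "1" means the intranet zone.
    $url = 'https://autologon.microsoftazuread-sso.com'
    $key = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    $entry = Get-ItemProperty -Path $key -Name $url -ErrorAction SilentlyContinue
    $zone = if ($entry) { $entry.$url } else { $null }
    [pscustomobject]@{
        Url            = $url
        Zone           = $zone
        InIntranetZone = ($zone -eq '1')
    }
}

# Run the account check on an admin host and the zone check in a user session
# on a client that should have received the GPO.
Test-SsoAccount -MaxAgeDays $MaxKeyAgeDays | Format-List
Test-SsoZoneMapping | Format-List
```

An InIntranetZone value of False on a client means the GPO has not applied to that user, so the browser will not send a Kerberos ticket to the autologon URL.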