Offhand I can think of so many ways to circumvent this, accidentally or on purpose. I can't even imagine doing it without a third party tool, or deploying some custom printer and forcing the client to use that (if that's possible).

If the users are on a local network, then I wouldn't map *any* printer and only put the printers *by* hand on the server that connects not to the local PC but to a JetDirect, so at least I can somewhat safeguard that printer. If you have clients from remote locations that you don't control, you can use third party products (I know it wasn't an option), or you will have to ask the client to open, say, 9100 on the firewall and IPP to it.

Overall I would be looking at the server to handle the printing and not the individual clients, relying on print mapping, registry lockdowns and everything else, if you can manually set printers and permissions on the server.

From: James Rankin [mailto:[email protected]]
Sent: Wednesday, December 17, 2008 10:48
To: NT System Admin Issues
Subject: Printer query

This came in as a query from one of my former colleagues, so I am throwing it out there...any help appreciated, obviously

-------------------------------------------------------------------------------------------

Here's one for the experts...

I want only the client's default local printer to be mapped to my WTS server session at login. This is perfectly achievable using the latest RDP client and setting the registry parameter that forces this through group policy; that all works beautifully.

Problem I have now is how do I stop my users changing their local default printer? I can give them read access to the necessary registry key, which does the job, but surely that isn't the answer, plus I don't know what else that may affect on the PC!

Any advice would be much appreciated!

For the record, I can't just tell the server not to hold the drivers of the other printers, I can't set the default printer at each login and I don't want to schedule a script every 5 seconds on the PC that does this. I need to 100% eliminate the risk of a secure document being printed to anything other than the printer I want it to; this includes the users being able to change things accidentally.

The users need access to other printers in their office too, which they are happy to select each time they need to print to them. What would be acceptable is a setting on the WTS server to say "only map local printers and ignore network based ones"; however, the way ports are handled, I don't think this can be done.

Lastly, I can't use any 3rd party util.

-------------------------------------------------------------------------------------------
