Microsoft Remote Desktop Session Host + Point and Print restrictions

So I am finally setting up my 2008 Remote Desktop Session Host environment! Well… its been a bit of a process trying to get the user experience set just right vs lockdown while keeping the server functional. When you have an environment that works well (2003), and is really quite functional, it can be hard to invest the extra resources to jump up to something newer. But hey… I love new tech more than most people I know so onward and upward! The general use of this Remote Desktop Host will be for MS Office 2010, including OWA.

I will probably post some of my GPO settings I am using that have helped a lot, some of the stumbling blocks, and some successes. In the past many shops have configured a secondary local profile and then replaced default with that configuration. While I did use the Appdata and NTUSER files in this fashion, most of my configuration has been done via GPOs. It seems that Microsoft continues to push SYSPREP mildly and GPPs more so for future default profile creation. I configured quite a few GPP settings while keeping in mind their weaknesses. Using the GPOs and GPPs I was able to get a very polished build.

One of my last settings I am configuring is Point and Print. As many of the early Vista adopters in the enterprise environment know one of the items that plagued users, and right into Windows 7, was the ability to install print drivers(See: UAC). Windows 7 seems to have been deployed quickly though. Setting the Point and Print GPO to disabled solved our UAC problem related to printer additions. Knowing that this problem was solved I left it to nearly last… its just one setting to toggle, right? For workstations, yes, for servers, no. So what two GPO settings to you need set in order to print from a RDH as a non-privileged user?

1) Point and Print

Computer Configuration | Policies | Administrative Templates | Printers

Point and Print Restrictions to Disabled

2) Devices: Prevent Users From Installing Printer Drivers

Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies| Security Options

Devices: Prevent users from installing printer drivers when connecting to shared printers to Disabled

And why is this? Reading the description of this setting we see,

“For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. If this setting is enabled, only Administrators can install a printer driver as part of connecting to a shared printer. If this setting is disabled, any user can install a printer driver as part of connecting to a shared printer.

Default on servers: Enabled.
Default on workstations: Disabled”

Disabling Point and Print will allow our RDH session to talk to the networked printer/printer server, start the driver transfer and then…. stop. The Windows 7 workstation would happily be sending your job off but your RDH will just deny you. Set Devices: Prevent users from installing printer drivers when connecting to shared printers to Disabled and your users will be printing away and not requesting you to add the driver for them circa 2003 Terminal Server style.

 

Chadd

 

Leave a Reply