Control Printer Redirection on a Per User Basis

If you have ever dealt with RDS you know the pain that is printer redirection. You will have some users that need printer redirection, and others that can't have it because it causes issues(see diagram below). The standard GPO methods only allow you to configure it for the entire server, not per user.

The methods below require you to have a Remote Desktop Gateway. Also, this will not work if you have DUO 2FA configured.

This Guide is intended to reduce issues with printer redirection. We will be creating a GPO that will enable printer redirection, and a Connection Authorization Policy that will allow us to disable redirection for some users.

This guide assumes the following about the site you are working on:
  • Users that have redirected printers will want to have it as their default (this is a hard requirement, but read "Things to keep in mind" for possible workarounds)
  • Only the local computer default printer will be redirected

When this is configured the redirection will look like the following:

Security groups

The following security groups will need to be created
  • CAP_Disable Printer Redirection Users
  • CAP_Disable Printer Redirection Computers

Setting RDG Settings

All client connections need to pass through the RDG for these policies to work.
  1. Go to the RDG and open Server Manager
  2. Open Overview
  3. Go to Deployment Overview | TASKS | Edit Deployment Properties
  4. Un-Check Bypass RD Gateway server for local addresses
    1. This might require computers to have RDp 8.1+. Make sure that all computers have 8.1 before doing this.

Connection authorization Policies

  1. Log into the RDG server
  2. RD Gateway Manager
  3. %serverName%/Policies/Connection Authorization Policies 
    1. If you do not see this folder it might be because DUO is configured.
  4. Right Click on Connection Authorization Policies
    1. Create New Policy / Custom
  5. General Tab
    1. Name: RDG_CAP_Disable Printer Redirection
  6. Requirements
    1. User Group Membership
      1. Add CAP_Disable Printer Redirection Users
    2. Client Computer group membership
      1. Add CAP_Disable Printer Redirection Computers
  7. Device Redirection
    1. Disable device redirection for the following client device types
    2. Only check Printers

GPOs

Computer Configuration/Policies/Administrative Templates/Windows Components/Remote Desktop Services/Remote Desktop Session Host/Printer Redirection
Do not allow client printer redirection
Disabled

Computer Configuration/Policies/Administrative Templates/Windows Components/Remote Desktop Services/Remote Desktop Session Host/Printer Redirection
Do not set default client printer to be the default printer in a session
Disabled

Computer Configuration/Policies/Administrative Templates/Windows Components/Remote Desktop Services/Remote Desktop Session Host/Printer Redirection
Redirect only the default client printer
Enabled

Testing the Changes

Add the users/computers to the appropriate groups to test your changes. Below are some rules to keep in mind:
  • Users and the computer that they are logged into must be members of the respective CAP group.
  • Non domain computers will always redirect since they cannot be members of the CAP groups we created

Things to Keep in Mind

Printer Redirection and "Do not set default client printer to be the default printer in a session" are computer policies. This means that no matter what, they can only be applied to a whole computer and not per user on a computer. Essentially, you cannot disable "Do not set default client printer to be the default printer in a session" just for one user.

If none of the users that use printer redirection need it to be their default then this policy can be set to Enabled. However, keep in mind that User 4's(see picture above)  configuration will not be supported.

References


Although not configured in this scenario, it is possible to disable printer redirection per computer. (I haven't tested it yet) http://www.itprotoday.com/management-mobility/how-can-i-stop-users-performing-clipboard-and-printer-redirection-windows-2000

Comments

Popular posts from this blog

Best Practices for Deploying User Profile Disks

Deploying FSLogix Office 365 Containers

Enabling Webcam on RDS