Control Printer Redirection on a Per User Basis

If you have ever dealt with RDS you know the pain that is printer redirection. You will have some users that need printer redirection, and others that can't have it because it causes issues (see diagram below). The standard GPO methods only allow you to configure it for the entire server, not per user.

The methods below require you to have a Remote Desktop Gateway. Also, this will not work if you have DUO 2FA configured.

This guide is intended to reduce issues with printer redirection. We will be creating a GPO that will enable printer redirection, and a Connection Authorization Policy that will allow us to disable redirection for some users.

This guide assumes the following about the site you are working on:
  • Users that have redirected printers will want to have it as their default (this is a hard requirement, but read "Things to keep in mind" for possible workarounds)
  • Only the local computer default printer will be redirected

When this is configured the redirection will look like the following:

Security groups

The following security groups will need to be created:
  • CAP_Disable Printer Redirection Users
  • CAP_Disable Printer Redirection Computers

Setting RDG Settings

All client connections need to pass through the RDG for these policies to work.
  1. Go to the RDG and open Server Manager
  2. Open Overview
  3. Go to Deployment Overview | TASKS | Edit Deployment Properties
  4. Uncheck "Bypass RD Gateway server for local addresses"
    1. This might require computers to have RDP 8.1+. Make sure that all computers have 8.1 before doing this.

Connection Authorization Policies

  1. Log into the RDG server
  2. Open RD Gateway Manager
  3. Browse to %serverName%/Policies/Connection Authorization Policies
    1. If you do not see this folder it might be because DUO is configured.
  4. Right-click on Connection Authorization Policies
    1. Create New Policy / Custom
  5. General Tab
    1. Name: RDG_CAP_Disable Printer Redirection
  6. Requirements
    1. User Group Membership
      1. Add CAP_Disable Printer Redirection Users
    2. Client Computer group membership
      1. Add CAP_Disable Printer Redirection Computers
  7. Device Redirection
    1. Disable device redirection for the following client device types
    2. Only check Printers

GPOs

Computer Configuration/Policies/Administrative Templates/Windows Components/Remote Desktop Services/Remote Desktop Session Host/Printer Redirection
Do not allow client printer redirection
Disabled

Computer Configuration/Policies/Administrative Templates/Windows Components/Remote Desktop Services/Remote Desktop Session Host/Printer Redirection
Do not set default client printer to be the default printer in a session
Disabled

Computer Configuration/Policies/Administrative Templates/Windows Components/Remote Desktop Services/Remote Desktop Session Host/Printer Redirection
Redirect only the default client printer
Enabled

Testing the Changes

Add the users/computers to the appropriate groups to test your changes. Below are some rules to keep in mind:
  • Users and the computer that they are logged into must be members of the respective CAP group.
  • Non-domain computers will always redirect, since they cannot be members of the CAP groups we created.
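
The two rules above can be checked before a user tests a connection. The script below is an added example, not part of the original guide: it looks up a user and a client computer in Active Directory and reports whether both requirements of RDG_CAP_Disable Printer Redirection are met. It assumes the ActiveDirectory RSAT module is installed and that this CAP is the policy the gateway applies to the connection; the function name and the sample account and computer names are hypothetical.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original guide. Function name is hypothetical.
# Group names are the ones created in the "Security groups" section.
$UserGroup     = 'CAP_Disable Printer Redirection Users'
$ComputerGroup = 'CAP_Disable Printer Redirection Computers'

function Test-CapPrinterRedirection {
    param(
        [Parameter(Mandatory)][string]$User,     # sAMAccountName of the user
        [Parameter(Mandatory)][string]$Computer  # name of the client computer
    )
    # -Recursive so that membership through nested groups is counted too.
    $userSids     = (Get-ADGroupMember -Identity $UserGroup -Recursive).SID.Value
    $computerSids = (Get-ADGroupMember -Identity $ComputerGroup -Recursive).SID.Value

    # -Filter returns nothing (no error) when the object does not exist,
    # which is the case for a client computer that is not domain joined.
    $adUser     = Get-ADUser -Filter "SamAccountName -eq '$User'"
    $adComputer = Get-ADComputer -Filter "Name -eq '$Computer'"

    $userIn     = [bool]($adUser -and $userSids -contains $adUser.SID.Value)
    $computerIn = [bool]($adComputer -and $computerSids -contains $adComputer.SID.Value)

    $reason = if (-not $adComputer) {
        'Computer has no domain account, so it cannot be in the CAP group; printers redirect'
    } elseif (-not $userIn) {
        'User is not a member of the Users group; printers redirect'
    } elseif (-not $computerIn) {
        'Computer is not a member of the Computers group; printers redirect'
    } else {
        'Both requirements met; printer redirection is disabled'
    }

    [pscustomobject]@{
        User                = $User
        Computer            = $Computer
        UserInGroup         = $userIn
        ComputerInGroup     = $computerIn
        RedirectionDisabled = ($userIn -and $computerIn)
        Reason              = $reason
    }
}

# Constructed sample pairs; replace with real account and computer names.
$pairs = @(
    @{ User = 'jsmith'; Computer = 'FRONTDESK-PC01' },
    @{ User = 'jsmith'; Computer = 'HOME-LAPTOP' }
)
foreach ($p in $pairs) { Test-CapPrinterRedirection @p }
```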

Things to Keep in Mind

Printer Redirection and "Do not set default client printer to be the default printer in a session" are computer policies. This means that no matter what, they can only be applied to a whole computer and not per user on a computer. Essentially, you cannot disable "Do not set default client printer to be the default printer in a session" just for one user.

If none of the users that use printer redirection need it to be their default then this policy can be set to Enabled. However, keep in mind that User 4's configuration (see picture above) will not be supported.

References


Although not configured in this scenario, it is possible to disable printer redirection per computer. (I haven't tested it yet) http://www.itprotoday.com/management-mobility/how-can-i-stop-users-performing-clipboard-and-printer-redirection-windows-2000
