View RSS Feed

TheScarfedOne

Managing Printers in a Remote Desktop Environment

Rate this Entry
by , 15th November 2011 at 02:00 PM (18284 Views)
Introduction
So, regular readers of my blog will know that we run quite an extensive Remote Desktop Environment at my new School. This poses for some interesting issues when dealing with printing - so a rethink on the traditional methods was needed.

Traditional Printer Scripting
Lets start at the beginning - with the "old-school" method of printer mappings. Usually, this was achieved with a good old-fashioned batch script, ala Drive Mappings. Not content with batch anymore - I moved this on to VBS for speed. Ive attached my main script to this post for a nosey; but below is an except...

Code:
Add printer connections dependant upon location

Select Case (Left(computerName, 6))

Case "******"

WshNetwork.AddWindowsPrinterConnection "\\PRINTSERVERNAME\PRINTERSHARE"
WshNetwork.SetDefaultPrinter "\\PRINTSERVERNAME\PRINTERSHARE"
This does as it says really. It compares the first 6 characters of the machine name (retrieved and stored in a variable earlier in the script) to a specified statement. When it matches, it runs that section. See the full script for more (the logoff one in there too) - it is well commented!

WorkstationPrintersLogoff.vbs
WorkstationPrinters.vbs

This works fine for normal workstations - where it runs as a logon script. There is also a partner logoff script which clears the connections to stop them following the user around. The last thing we need is Student 1 printing in IT2 when they are in IT1 - just because they have been in IT2 last lesson.

So, what about Remote Desktop Services
But - this wont work with RDS - as the machine is resolved as the server, and there could be multiple locations with different printers. In our case, there definately are. Our Thin Client (RDS) environment is made up of two types of machine. We have repurposed hardware running Windows Thin PC (Windows 7 extra light!), and Wyse T50 terminals running their "HomeBrew" linux.

The Thin PC ones use a similar script setup to the conventional PCs. The only difference is that the printers are added on startup - since the shell for the Thin PCs has been altered to load VBS and RDP session. More on that will follow in another post - but it is touched on slightly in my SCCM posts from Summer: http://www.edugeek.net/blogs/thescar...eployment.html

The RDP session is set to carry thought client printers (there is a custom RDP connection file used on all of the Thin PCs) - so they get the printer for their room and no others. The ability to add and remove printer has also been removed across the site. Well, there is no point putting the effort into setting the printers is people can monkey with them!

Non-Windows Remote Desktop Connections
Next then, the Wyse terminals. More problematic, as they wouldnt understand any of the scripts or GPOs. Instead, some clever GPO and OU layout - and use of the GPO Mode "Replace" to set user properties for the RDP session were used. You can see my structure here...
blogs/thescarfedone/attachments/12091-managing-printers-remote-desktop-environment-gpostructure.png

The "TS" after the GPO name is the magic. These two GPOs have extra settings to push printer connections for the RDP sessions. Problem number two - how to work out what machines get what printers, or you just have all of them and users select theirs. Messy - very messy. Instead - group your users around printers - which they need, defaults etc. We created AD groups and put staff into these groups depending which they needed. Then, used Group Policy Preferences (not Deployed Printers) to set them. Preferences allows you to do item level targetting so only people in the AD group specified get the printer. Here is an except...
blogs/thescarfedone/attachments/12092-managing-printers-remote-desktop-environment-gpoprinters.png

Here is the actual GPO editor - so you can see we have lots of printers and lots of targetted printers. We also use this to set the defaults for different groups. You can see we also use a "Delete All" to stop them collecting printers.
blogs/thescarfedone/attachments/12094-managing-printers-remote-desktop-environment-gpoeditor.png

Job done... :-)
Happy GPO Admin

As always, questions, comments always welcome. Post here or PM me if you want to know more.

Updated 17th November 2011 at 11:41 PM by TheScarfedOne

Categories
Software

Comments

  1. Cache's Avatar
    I'm going to ask probably what is a really stupid question, but I'm trying to improve our setup again (after several modifictions of other bit's you've posted).

    I notice in the Top Screenshot you have 3 User Policy Settings, management, staff and Students.

    What is the security filtering on the policies to make the changes to the different user groups? Does just removing all users and adding the Server and the relevent user group do that filtering?

    (and not really relevent to this but might as well ask here - what difference does having the Run is User's secuirty context have? I've never ticked that on any of my printer deployments yet....)
  2. TheScarfedOne's Avatar
    Sorry @Cache - I wasnt getting notifications on blog comments. Now sorted (I think - with ZH). Right...your questions...

    Yep... the security filtering is something that is so often done wrong. DO NOT mess with the Security Filtering section on the Scope tab. Instead, use the delegation tab to and edit the settings here. Remove the Checkbox for Apply GPO settings for Authenticated users, and then add the usergroup you want and ensure that check box is set. I will do a blog post with screenies as its one Ive seen a few times...

    Ive not seen the Run in users context used before...I generally dont use it. Will look it up (and poke the GPO and RDS team at MSFT to get an answer for you).

    Finally...many thanks for using my posts. I hope they have been useful. If you have any suggestions for more topics...please let me know. Im trying to post as much as possible about the setup to help others.
  3. Cache's Avatar
    Your posts are fantastic and really useful (adapted a couple with use of the VMware guide, but just read your last blog and think I may alter it so it matches up to what you've got again)!

    Thanks for the info regarding delegation rather then security - guess what I'll be testing on Tuesday?

    Will let you know how I get on!

    Thanks again!
  4. Cache's Avatar
    @TheScarfedOne well I tried and failed miserably in my attempt to do this.

    I set up my replace policy to be blank (because I wanted to remove all the mandatory profile settings for if I need to log on as an administrator), so removed the apply group policy setting from authenticated users and then added my user and ticked apply group policy and then did gpupdate /force, left it overnight and logged on this morning and it applied all the group policy settings again.

    GPMC shows when I run a report that it didn't apply the policy because of Access Denied.

    Can you think of anything obvious I might have missed?

    Thanks

    Edit: Well, I've made some progress. If I add the server with the ability to apply the group policy then the Replace policy kicks in to effect, however it then applies to everybody. If I remove the server then it applies to nobocy (presumably the replace part of the group policy). I can't work out how I just get the loopback to apply to users who have apply policy permission though, it seems to be an all or nothing thing for me.
    Updated 6th January 2012 at 08:07 PM by Cache
  5. TheScarfedOne's Avatar
    Right...you need a combo approach.

    Add the Machine with "Apply GP" permisssion, and also add the User Group with "Apply GP" permission. Authenticated users should only have "Read" not the "Apply GP" permission. Youve reminded me to finsih the article with screenshots for you and the other emailers!

    I hope that makes sense....

    Delegation tab > Click Advanced. Change the permissions here only!
  6. Cache's Avatar
    I'm 99.999% sure that's how I've got it, I meant to look today but ended up with the return of my unable to login to the RDS server and no response (or very very slow, over an hour) to anything, including reboot or startup, but might have made some progress. Will double check tomorrow.
  7. TheScarfedOne's Avatar
    I knew there was another post to do this weekend! I will write and screenie it on the train tomo. Wi you be at BETT? If so, will take some time out on the stand to show and Rdp in.
  8. Cache's Avatar
    No, not been allowed to go to BETT this year, budget still too tight apparently

    Enjoy yourself though!!

    Edit: Just double checked, it's currently set up so that:

    Authenticated Users have the default permissions except Apply
    Inset Users have only Apply GPO (but propagated to this object and all other objects?)
    RDS Servers have only Apply GPO (again propagated)

    But it applied to all users when I tried it Got some updates planed for Wednesday so will have another shot then, but otherwise enjoy yourself at BETT!
    Updated 10th January 2012 at 09:37 AM by Cache
  9. TheScarfedOne's Avatar
    Hmmmm... OK. Im going to post up screenies of mine. Can you DM me with yours and I will take a look - or we can arrange an RDP session...

Trackbacks

Total Trackbacks 0
Trackback URL: