[THIN] Re: Come back in time with me - MF 1.8 Printer drivers
- From: "Rick Mack" <Rick.Mack@xxxxxxxxxxxxxx>
- To: <thin@xxxxxxxxxxxxx>
- Date: Fri, 29 Oct 2004 10:24:50 +1000
Hi Michael,
Check out KB239536 for the trusted driver path. It still refers to
HKLM\SYSTEM\CurrentControlSet\Control\Print\LanMan Print Services\Servers
though. What part of the registry path is wrong?
We are talking NT 4?
regards,
Rick
Ulrich Mack
Volante Systems
________________________________
From: thin-bounce@xxxxxxxxxxxxx on behalf of Pardee, Michael P.
Sent: Fri 29/10/2004 12:38 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: Come back in time with me - MF 1.8 Printer drivers
Hey Rick, we've been using this method for about a week and things are
definitely better. Is the registry path you sent over the exact path? Didn't
match up with the path from Microsoft KB, so we went with theirs.
We are working on a new master wtsuprn.inf file to address most of the mapping
issues, but I am told that will only address auto-created printers.
Looking at this one piece of what you sent below:
AddPrinterDrivers=1
LoadTrustedDrivers=0
EnablePrinterSecurity=1
TrustedDriverPath=
In this case, no automatic driver installation occurs for anyone, and only
admins can install drivers manually.
I wanted to check to make sure the TrustedDriverPath was left blank
intentionally. I am interested in stopping Admins from loading drivers
automatically as well, and this looks like it would do it. Your example shows
the settings at 1,0,1, Blank. We have been using 1, 1, 0, and the local path
to the drivers. We are still finding some new printers on there and aren't
sure how they are making it in.
I'm still tempted to lock down the registry key and the drivers/2 directory
under the spool directory as well.
________________________________
From: Pardee, Michael P.
Sent: Thursday, October 21, 2004 7:36 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: RE: [THIN] Re: Come back in time with me - MF 1.8 Printer drivers
Fantastic. This info alone was worth the subscription price to join the list!
;P
________________________________
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]
Sent: Thursday, October 21, 2004 7:01 AM
To: thin@xxxxxxxxxxxxx
Subject: RE: [THIN] Re: Come back in time with me - MF 1.8 Printer drivers
Hi Michael,
Wrote the following for a customer a while ago for NT 4.
Might be a bit more elegant than just screwing up kernel mode (in NT 4.0
EVERYTHING is kernel mode) printer driver additions.
It's important to be able to control which printer drivers are loaded and used
on Metaframe servers. While the default behaviour uses automatic installation
of drivers and allows driver installation by non-admin users, this can be
modified so that driver installation is restricted to administrators only,
and/or from a safe printer driver source only.
Four registry entries, under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\LanMan Print Services\Servers,
control how printer drivers are installed on NT systems (NT 4.0 SP5/6).
AddPrinterDrivers, reg_dword, a value of 1 indicates that drivers will NOT
be automatically installed as needed.
EnablePrinterSecurity, reg_dword, controls who can add printer drivers. A value
of 1 indicates that only admins can install printer drivers. However if
LoadTrustedDrivers is set to 1 then if EnablePrinterSecurity is set to "0",
then the client looks for drivers in TrustedDriverPath\2 folder. When it is set
to "1", it (admin only) looks for drivers under TrustedDriverPath.
LoadTrustedDrivers, reg_dword, a value of 1 indicates that drivers can be
installed only from the trusted print server location specified by the
TrustedDriverPath value.
TrustedDriverPath, reg_expand_sz, defines the location of the appropriate
trusted printer driver share. E.g. \\server1\pdrivers. It is possible to use
locally stored printer drivers by using \system32\spool\drivers\w32x86 as the
driver location.
Some examples are:
AddPrinterDrivers=0
LoadTrustedDrivers=1
EnablePrinterSecurity=0
TrustedDriverPath:\\printserver\print$
In this case, for any user, the client automatically gets the driver from
\\printserver\print$\2
AddPrinterDrivers=0
LoadTrustedDrivers=1
EnablePrinterSecurity=1
TrustedDriverPath=REG_EXPAND_SZ:\\printserver\print$\
In this case, the client (admin only) gets the driver from
\\printserver\print$\w32x86
AddPrinterDrivers=1
LoadTrustedDrivers=0
EnablePrinterSecurity=1
TrustedDriverPath=
In this case, no automatic driver installation occurs for anyone, and only
admins can install drivers manually.
regards,
Rick
Ulrich Mack
Volante Systems
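An added example, not part of the original message and not Microsoft or Citrix tooling: a Python check that reads a REGEDIT4 export of the Servers key and reports how it differs from the 1, 0, 1, blank example, using the value meanings given in the post. The function names, the constructed sample exports and the path C:\drv are assumptions, and an absent DWORD is treated as 0.

```python
import re

# Key matched by its tail only: the thread notes that the posted path and the
# Microsoft KB path differ, and this check should accept either.
KEY_TAIL = "\\lanman print services\\servers"
NAMES = ("AddPrinterDrivers", "LoadTrustedDrivers", "EnablePrinterSecurity",
         "TrustedDriverPath")

def parse_servers_key(reg_text):
    """Extract the four values from REGEDIT4 export text (absent ones omitted)."""
    text = re.sub(r"\\\r?\n\s*", "", reg_text)      # join hex continuation lines
    values, in_key = {}, False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("["):
            in_key = line.rstrip("]").lower().endswith(KEY_TAIL)
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if not (in_key and m and m.group(1) in NAMES):
            continue
        name, raw = m.groups()
        if raw.startswith("dword:"):
            values[name] = int(raw[6:], 16)
        elif raw.startswith("hex(2):"):              # REG_EXPAND_SZ as ANSI bytes
            data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
            values[name] = data.split(b"\0")[0].decode("latin-1")
        else:                                        # plain REG_SZ
            values[name] = raw.strip('"').replace("\\\\", "\\")
    return values

def audit(values):
    """Findings relative to the post's third example (1, 0, 1, blank path).
    Assumption: an absent DWORD counts as 0, the permissive default."""
    out = []
    if values.get("AddPrinterDrivers", 0) != 1:
        out.append("automatic driver installation is enabled")
    if values.get("EnablePrinterSecurity", 0) != 1:
        out.append("non-admin users can add printer drivers")
    if values.get("LoadTrustedDrivers", 0) == 1:
        out.append("drivers load from TrustedDriverPath=%r" % values.get("TrustedDriverPath", ""))
    return out

def sample(add, trusted, security, path_hex):        # builds constructed input
    return ("REGEDIT4\n\n[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control"
            "\\Print\\LanMan Print Services\\Servers]\n"
            '"AddPrinterDrivers"=dword:%08x\n"LoadTrustedDrivers"=dword:%08x\n'
            '"EnablePrinterSecurity"=dword:%08x\n"TrustedDriverPath"=hex(2):%s\n'
            % (add, trusted, security, path_hex))

LOCKED = sample(1, 0, 1, "00")                       # the 1, 0, 1, blank example
THREAD = sample(1, 1, 0, "43,3a,5c,64,72,76,00")     # 1, 1, 0, local path C:\drv
```

`audit(parse_servers_key(LOCKED))` returns an empty list, while the 1, 1, 0 plus local path combination mentioned in the thread produces two findings.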
________________________________
From: thin-bounce@xxxxxxxxxxxxx on behalf of Pardee, Michael P.
Sent: Thu 21/10/2004 8:49 PM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: Come back in time with me - MF 1.8 Printer drivers
Thanks Rick. I'll make the assumption that I should be able to get away with
it in NT4 as well then, since it is version-2 drivers. I wouldn't have done
the permissions at the file level, but we'll add that in to the testing.
What kind of errors do users see in this setup?
________________________________
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]
Sent: Thursday, October 21, 2004 6:41 AM
To: thin@xxxxxxxxxxxxx
Subject: RE: [THIN] Come back in time with me - MF 1.8 Printer drivers
Hi Michael,
That's what I now do in my TS policy (for win2k not needed for win2k3) and also
with the drivers\w32x86\2 directory made read only to boot.
regards,
Rick
Ulrich Mack
Volante Systems
________________________________
From: thin-bounce@xxxxxxxxxxxxx on behalf of Pardee, Michael P.
Sent: Wed 20/10/2004 9:55 PM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Come back in time with me - MF 1.8 Printer drivers
I am trying to prevent unwanted print drivers from loading on NT4/MF1.8
servers. Could it be as simple as restricting write access to the registry
key HKLM\System\CurrentControlSet\Control\Print\Environments\Windows NT x86\Drivers\Version-2?
The BSODs have started making a comeback and I'd like to end this for good.
Thanks in advance.
Michael Pardee
Email Confidentiality Notice: The information contained in this transmission
is confidential, proprietary or privileged and may be subject to protection
under the law, including the Health Insurance Portability and Accountability
Act (HIPAA). The message is intended for the sole use of the individual or
entity to whom it is addressed. If you are not the intended recipient, you
are notified that any use, distribution or copying of the message is
strictly prohibited and may subject you to criminal or civil penalties. If
you received this transmission in error, please contact the sender
immediately by replying to this email and delete the material from any
computer.
#####################################################################################
This e-mail, including all attachments, may be confidential or privileged.
Confidentiality or privilege is not waived or lost because this e-mail has been
sent to you in error. If you are not the intended recipient any use, disclosure
or copying of this e-mail is prohibited. If you have received it in error
please notify the sender immediately by reply e-mail and destroy all copies of
this e-mail and any attachments. All liability for direct and indirect loss
arising from this e-mail and any attachments is hereby disclaimed to the extent
permitted by law.
#####################################################################################