Hey Rick, we've been using this method for about a week and things are definitely better. Is the registry path you sent over the exact path? Didn't match up with the path from Microsoft KB, so we went with theirs. We are working on a new master wtsuprn.inf file to address most of the mapping issues, but I am told that will only address auto-created printers.

Looking at this one piece of what you sent below:

AddPrinterDrivers=1
LoadTrustedDrivers=0
EnablePrinterSecurity=1
TrustedDriverPath=

In this case, no automatic driver installation occurs for anyone, and only admins can install drivers manually.

I wanted to check to make sure the TrustedDriverPath was left blank intentionally. I am interested in stopping Admins from loading drivers automatically as well, and this looks like it would do it. Your example shows the settings at 1,0,1, Blank. We have been using 1, 1, 0, and the local path to the drivers. We are still finding some new printers on there and aren't sure how they are making it in. I'm still tempted to lock down the registry key and the drivers/2 directory under the spool directory as well.

_____

From: Pardee, Michael P.
Sent: Thursday, October 21, 2004 7:36 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: RE: [THIN] Re: Come back in time with me - MF 1.8 Printer drivers

Fantastic. This info alone was worth the subscription price to join the list! ;P

_____

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]
Sent: Thursday, October 21, 2004 7:01 AM
To: thin@xxxxxxxxxxxxx
Subject: RE: [THIN] Re: Come back in time with me - MF 1.8 Printer drivers

Hi Michael,

Wrote the following for a customer a while ago for NT 4. Might be a bit more elegant than just screwing up kernel mode (in NT 4.0 EVERYTHING is kernel mode) printer driver additions.

It's important to be able to control which printer drivers are loaded and used on Metaframe servers.
While the default behaviour uses automatic installation of drivers and allows driver installation by non-admin users, this can be modified so that driver installation is restricted to administrators only, and/or from a safe printer driver source only.

Four registry entries, under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\LanMan Print Services\Servers control how printer drivers are installed on NT systems (NT 4.0 SP5/6).

AddPrinterDrivers, reg_dword, a value of 1 indicates that drivers will NOT be automatically installed as needed.

EnablePrinterSecurity, reg_dword, controls who can add printer drivers. A value of 1 indicates that only admins can install printer drivers. However if LoadTrustedDrivers is set to 1 then if EnablePrinterSecurity is set to "0", then the client looks for drivers in TrustedDriverPath\2 folder. When it is set to "1", it (admin only) looks for drivers under TrustedDriverPath.

LoadTrustedDrivers, reg_dword, a value of 1 indicates that drivers can be installed only from the trusted print server location specified by the TrustedDriverPath value.

TrustedDriverPath, reg_expand_sz, defines the location of the appropriate trusted printer driver share. Eg \\server1\pdrivers. It is possible to use locally stored printer drivers by using \system32\spool\drivers\w32x86 as the driver location.

Some examples are:

AddPrinterDrivers=0
LoadTrustedDrivers=1
EnablePrinterSecurity=0
TrustedDriverPath:\\printserver\print$

In this case, for any user, the client automatically gets the driver from \\printserver\print$\2

AddPrinterDrivers=0
LoadTrustedDrivers=1
EnablePrinterSecurity=1
TrustedDriverPath=REG_EXPAND_SZ:\\printserver\print$\

In this case, the client (admin only) gets the driver from \\printserver\print$\w32x86

AddPrinterDrivers=1
LoadTrustedDrivers=0
EnablePrinterSecurity=1
TrustedDriverPath=

In this case, no automatic driver installation occurs for anyone, and only admins can install drivers manually.

regards,

Rick

Ulrich Mack
Volante Systems

_____

From: thin-bounce@xxxxxxxxxxxxx on behalf of Pardee, Michael P.
Sent: Thu 21/10/2004 8:49 PM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: Come back in time with me - MF 1.8 Printer drivers

Thanks Rick. I'll make the assumption that I should be able to get away with it in NT4 as well then, since it is version-2 drivers. I wouldn't have done the permissions at the file level, but we'll add that in to the testing. What kind of errors do users see in this setup?

_____

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]
Sent: Thursday, October 21, 2004 6:41 AM
To: thin@xxxxxxxxxxxxx
Subject: RE: [THIN] Come back in time with me - MF 1.8 Printer drivers

Hi Michael,

That's what I now do in my TS policy (for win2k not needed for win2k3) and also with the drivers\w32x86\2 directory made read only to boot.

regards,

Rick

Ulrich Mack
Volante Systems

_____

From: thin-bounce@xxxxxxxxxxxxx on behalf of Pardee, Michael P.
Sent: Wed 20/10/2004 9:55 PM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Come back in time with me - MF 1.8 Printer drivers

I am trying to prevent unwanted print drivers from loading on NT4/MF1.8 servers.
Could it be as simple as restricting write access to the registry key HKLM\System\CurrentControlSet\Control\Print\Environments\Windows NT x86\Drivers\Version-2 key? The BSODs have started making a comeback and I'd like to end this for good.

Thanks in advance.

Michael Pardee

Email Confidentiality Notice: The information contained in this transmission is confidential, proprietary or privileged and may be subject to protection under the law, including the Health Insurance Portability and Accountability Act (HIPAA). The message is intended for the sole use of the individual or entity to whom it is addressed. If you are not the intended recipient, you are notified that any use, distribution or copying of the message is strictly prohibited and may subject you to criminal or civil penalties. If you received this transmission in error, please contact the sender immediately by replying to this email and delete the material from any computer.

Useful Thin Client Computing Links are available at: http://thin.net/links.cfm

For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: http://thin.net/citrixlist.cfm

This e-mail, including all attachments, may be confidential or privileged. Confidentiality or privilege is not waived or lost because this e-mail has been sent to you in error. If you are not the intended recipient any use, disclosure or copying of this e-mail is prohibited. If you have received it in error please notify the sender immediately by reply e-mail and destroy all copies of this e-mail and any attachments. All liability for direct and indirect loss arising from this e-mail and any attachments is hereby disclaimed to the extent permitted by law.
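
The four values discussed in the thread, as an added example that is not part of any poster's message: it summarises what a given combination allows, reading the values the way Rick's message describes them, and lists installed drivers that are missing from an approved list. The function names `describe_policy` and `unexpected_drivers` are hypothetical, and the driver names are constructed sample data.

```python
# Added example, not code from the thread. Value meanings follow the
# description in Rick's message; names and sample data are constructed.

def describe_policy(values):
    """Summarise what the four Servers-key values allow."""
    automatic = values.get("AddPrinterDrivers", 0) != 1   # 1 = no automatic install
    admin_only = values.get("EnablePrinterSecurity", 0) == 1
    trusted_only = values.get("LoadTrustedDrivers", 0) == 1
    path = values.get("TrustedDriverPath", "").strip()
    findings = []
    if automatic:
        findings.append("drivers are installed automatically as needed")
    if not admin_only:
        findings.append("driver installation is not limited to administrators")
    if trusted_only and not path:
        findings.append("LoadTrustedDrivers=1 but TrustedDriverPath is empty")
    if automatic and not trusted_only:
        findings.append("automatic installs are not tied to a trusted source")
    return {
        "automatic": automatic,
        "admin_only": admin_only,
        "trusted_source": path if trusted_only else None,
        "findings": findings,
    }


def unexpected_drivers(installed, approved):
    """Return installed driver names missing from the approved list.

    Registry key names are case-insensitive, so compare case-folded."""
    approved_cf = {name.casefold() for name in approved}
    return sorted(d for d in installed if d.casefold() not in approved_cf)


# Third example in the thread: no automatic install, admins only.
LOCKED_DOWN = {"AddPrinterDrivers": 1, "LoadTrustedDrivers": 0,
               "EnablePrinterSecurity": 1, "TrustedDriverPath": ""}
# Values reported in the newest message ("1, 1, 0, and the local path").
IN_USE = {"AddPrinterDrivers": 1, "LoadTrustedDrivers": 1,
          "EnablePrinterSecurity": 0,
          "TrustedDriverPath": r"\system32\spool\drivers\w32x86"}
# Constructed driver names standing in for subkeys of ...\Drivers\Version-2.
APPROVED = ["HP LaserJet 4", "Generic / Text Only"]
INSTALLED = ["hp laserjet 4", "Generic / Text Only", "Vendor X Color 9000"]

if __name__ == "__main__":
    for label, cfg in (("locked down", LOCKED_DOWN), ("in use", IN_USE)):
        print(label, describe_policy(cfg))
    print("unexpected:", unexpected_drivers(INSTALLED, APPROVED))
```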