[THIN] Re: Come back in time with me - MF 1.8 Printer drivers

  • From: "Pardee, Michael P." <MPardee@xxxxxxxx>
  • To: "'thin@xxxxxxxxxxxxx'" <thin@xxxxxxxxxxxxx>
  • Date: Thu, 28 Oct 2004 10:38:57 -0400

Hey Rick, we've been using this method for about a week and things are
definitely better.  Is the registry path you sent over the exact path?
Didn't match up with the path from Microsoft KB, so we went with theirs.
 
We are working on a new master wtsuprn.inf file to address most of the
mapping issues, but I am told that will only address auto-created printers.
 
Looking at this one piece of what you sent below:
 
AddPrinterDrivers=1 
LoadTrustedDrivers=0 
EnablePrinterSecurity=1 
TrustedDriverPath=
 
In this case, no automatic driver installation occurs for anyone, and only
admins can install drivers manually.

I wanted to check to make sure the TrustedDriverPath was left blank
intentionally.  I am interested in stopping Admins from loading drivers
automatically as well, and this looks like it would do it.  Your example
shows the settings at 1,0,1, Blank.  We have been using 1, 1, 0, and the
local path to the drivers.  We are still finding some new printers on there
and aren't sure how they are making it in.
 
I'm still tempted to lock down the registry key and the drivers/2 directory
under the spool directory as well. 
 
 
 
   _____  

From: Pardee, Michael P. 
Sent: Thursday, October 21, 2004 7:36 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: RE: [THIN] Re: Come back in time with me - MF 1.8 Printer drivers


Fantastic.  This info alone was worth the subscription price to join the
list! ; P

   _____  

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] 
Sent: Thursday, October 21, 2004 7:01 AM
To: thin@xxxxxxxxxxxxx
Subject: RE: [THIN] Re: Come back in time with me - MF 1.8 Printer drivers


Hi Michael,
 
Wrote the following for a customer a while ago for NT 4. 
 
Might be a bit more elegant than just screwing up kernel mode (in NT 4.0
EVERYTHING is kernel mode) printer driver additions.
 
 

It's important to be able to control which printer drivers are loaded and
used on Metaframe servers. While the default behaviour uses automatic
installation of drivers and allows driver installation by non-admin users,
this can be modified so that driver installation is restricted to
administrators only, and/or from a safe printer driver source only. 

 

Four registry entries, under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\LanMan Print Services\Servers
control how printer drivers are installed on NT systems (NT 4.0 SP5/6).

 

AddPrinterDrivers,    reg_dword, a value of 1 indicates that drivers will
NOT be automatically installed as needed.

 

EnablePrinterSecurity, reg_dword, controls who can add printer drivers. A
value of 1 indicates that only admins can install printer drivers. However
if LoadTrustedDrivers is set to 1 then if EnablePrinterSecurity is set to
"0", then the client looks for drivers in TrustedDriverPath\2 folder. When it
is set to "1", it (admin only) looks for drivers under TrustedDriverPath.

LoadTrustedDrivers,       reg_dword, a value of 1 indicates that drivers can
be installed only from the trusted print server location specified by the
TrustedDriverPath value. 

TrustedDriverPath,    reg_expand_sz,  defines the location of the
appropriate trusted printer driver share. E.g. \\server1\pdrivers. It is
possible to use locally stored printer drivers by using
\system32\spool\drivers\w32x86 as the driver location.

Some examples are:

 

AddPrinterDrivers=0
LoadTrustedDrivers=1
EnablePrinterSecurity=0
TrustedDriverPath:\\printserver\print$ 

 

In this case, for any user, the client automatically gets the driver from
\\printserver\print$\2


AddPrinterDrivers=0 
LoadTrustedDrivers=1 
EnablePrinterSecurity=1 
TrustedDriverPath=REG_EXPAND_SZ:\\printserver\print$\

 

In this case, the client (admin only) gets the driver from
\\printserver\print$\w32x86

 

AddPrinterDrivers=1 
LoadTrustedDrivers=0 
EnablePrinterSecurity=1 
TrustedDriverPath=

 

In this case, no automatic driver installation occurs for anyone, and only
admins can install drivers manually.

regards,
 
Rick
 
Ulrich Mack
Volante Systems
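
Added example, not part of the message above or of anyone's post in this thread: a small audit script that reads a REGEDIT4-style export of the key and reports the effective driver-installation policy using the value meanings given in that message. The function names and the sample export are constructed for illustration; it assumes REG_EXPAND_SZ appears as ANSI `hex(2)` data (REGEDIT4 format), treats missing values as 0, and takes the semantics from the message rather than from Microsoft documentation.

```python
import re

# Constructed sample: key path as written in the message above, with the
# 1, 1, 0, local-path combination mentioned elsewhere in the thread.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\LanMan Print Services\Servers]
"AddPrinterDrivers"=dword:00000001
"LoadTrustedDrivers"=dword:00000001
"EnablePrinterSecurity"=dword:00000000
"TrustedDriverPath"=hex(2):43,3a,5c,64,72,76,00
'''

VALUE_RE = re.compile(r'^\s*"([^"]+)"=(.*?)\s*$', re.M)

def parse_values(export_text):
    """Return {value name: int or str} for each value line in the export."""
    values = {}
    # Long hex data is wrapped with a trailing backslash; join it first.
    text = re.sub(r'\\\r?\n\s*', '', export_text)
    for name, data in VALUE_RE.findall(text):
        if data.startswith('dword:'):
            values[name] = int(data[6:], 16)
        elif data.startswith('hex(2):'):   # REG_EXPAND_SZ, ANSI bytes, NUL-terminated
            raw = bytes(int(b, 16) for b in data[7:].split(',') if b.strip())
            values[name] = raw.rstrip(b'\x00').decode('latin-1')
        elif data.startswith('"'):         # plain string with doubled backslashes
            values[name] = data[1:-1].replace('\\\\', '\\')
    return values

def assess(values):
    """Describe the policy using the value meanings given in the message."""
    add = values.get('AddPrinterDrivers', 0)
    trusted = values.get('LoadTrustedDrivers', 0)
    admin_only = values.get('EnablePrinterSecurity', 0)
    path = values.get('TrustedDriverPath', '')
    findings = []
    if add != 1:
        findings.append('drivers are installed automatically as needed')
    if admin_only != 1:
        findings.append('driver installation is not restricted to administrators')
    if trusted == 1 and not path:
        findings.append('LoadTrustedDrivers=1 but TrustedDriverPath is empty')
    source = None
    if trusted == 1 and path:
        # Per the message: TrustedDriverPath\2 for any user, the path itself for admin-only.
        source = path if admin_only == 1 else path.rstrip('\\') + '\\2'
    return {'findings': findings, 'driver_source': source}

if __name__ == '__main__':
    print(assess(parse_values(SAMPLE_EXPORT)))
```
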

   _____  

From: thin-bounce@xxxxxxxxxxxxx on behalf of Pardee, Michael P.
Sent: Thu 21/10/2004 8:49 PM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: Come back in time with me - MF 1.8 Printer drivers


Thanks Rick.  I'll make the assumption that I should be able to get away
with it in NT4 as well then, since it is version-2 drivers.  I wouldn't have
done the permissions at the file level, but we'll add that in to the
testing.
 
What kind of errors do users see in this setup?

   _____  

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] 
Sent: Thursday, October 21, 2004 6:41 AM
To: thin@xxxxxxxxxxxxx
Subject: RE: [THIN] Come back in time with me - MF 1.8 Printer drivers


Hi Michael,
 
That's what I now do in my TS policy (for win2k not needed for win2k3) and
also with the drivers\w32x86\2 directory made read only to boot.
 
regards,
 
Rick
 
Ulrich Mack
Volante Systems

   _____  

From: thin-bounce@xxxxxxxxxxxxx on behalf of Pardee, Michael P.
Sent: Wed 20/10/2004 9:55 PM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Come back in time with me - MF 1.8 Printer drivers



I am trying to prevent unwanted print drivers from loading on NT4/MF1.8
servers.  Could it be as simple as restricting write access to the registry
key HKLM\System\CurrentControlSet\Control\Print\Environments\Windows NT
x86\Drivers\Version-2 key?

The BSODs have started making a comeback and I'd like to end this for good.

Thanks in advance.


> Michael Pardee
>
Email Confidentiality Notice: The information contained in this transmission
is confidential, proprietary or privileged and may be subject to protection
under the law, including the Health Insurance Portability and Accountability
Act (HIPAA).  The message is intended for the sole use of the individual or
entity to whom it is addressed.  If you are not the intended recipient, you
are notified that any use, distribution or copying of the message is
strictly prohibited and may subject you to criminal or civil penalties.  If
you received this transmission in error, please contact the sender
immediately by replying to this email and delete the material from any
computer.

This e-mail, including all attachments, may be confidential or privileged.
Confidentiality or privilege is not waived or lost because this e-mail has
been sent to you in error. If you are not the intended recipient any use,
disclosure or copying of this e-mail is prohibited. If you have received it
in error please notify the sender immediately by reply e-mail and destroy
all copies of this e-mail and any attachments. All liability for direct and
indirect loss arising from this e-mail and any attachments is hereby
disclaimed to the extent permitted by law.
