Hi Mike, I wasn't game to add anything extra to that too long post. The reason for the write access to %systemroot%\system32\spool\drivers\w32x86\3 is actually not that hard. The Microsoft unidriver mechanism uses a graphics driver definition file, *.gpf for graphics printers and postscript definition files, *.pdf for Postscript printers. These are text files that basically define the printer capabilities and escape sequences etc that the printer uses to change fonts, font sizes and just about everything else. Before you can use a unidriver printer driver the spooler has to "compile" the .gpd file into a .bud file ( and .pdf to .bpd). The .bud file also includes either time/date stamps or checksums of all the driver components. HP unidriver-based printer drivers use a master.gpd file, and also a bunch of "include" .gpd files for common HP printer driver components. All of these .gpd files are compiled into the .bud file. We had a lovely time with a customer that had about 170 print queues (all HP) and about 20 Citrix servers. Things were stable and working well until one day they got a new HP printer. Since we'd drummed into them to test all printer drivers before rolling them into production, they did. The printer driver was fine, but what happened afterwards wasn't. Multiple printers didn't work anymore, but when a user called up to say they couldn't print, an admin would log on to the same server, try and print, successfully, and then users could print to that printer. The next day the user would log on to another server and couldn't print again. So an admin would log on to test the server and things worked after that. That went on for 3 days, 800 users, about 40 affected printer queues and more helpdesk calls than I prefer to think about 'tli we figured out what was happening. The new driver installation updated most of the include .gpd files and it turns out that when any of a driver's components are updated the .bud file has to recompiled before you can use the driver. But when a non-admin user tried to use a printer driver that needed recompilation, they didn't have write access to %systemroot%\system32\spool\drivers\w32x86\3 so the compile didn't happen. When an admin tried to do the same thing the compile worked, the .bud file was created and printing worked, for that server. When we gave users write access to %systemroot%\system32\spool\drivers\w32x86\3 the compiles all worked and the problems went away and I've never seen that issue since. So that's why I give users write access to %systemroot%\system32\spool\drivers\w32x86\3. regards, Rick --- Ulrich Mack Commander Australia On 2/3/07, Mike MacDonald <mike5287@xxxxxxxxx> wrote:
Rick Mega-humongous-thanks for the informative post - I greatly appreciate it! First off, with about 90% thin clients in the office, we are stuck with network printing. I had looked several years ago at 3rd party and didn't go with them because of that. While it would help in some situations, our primary concern is network printing. And I see about 8 drivers at quick glance that exist on your bad list and on our servers :( I am going to have to read up on the "why" behind the write permissions in %systemroot%\system32\spool\drivers\w32x86\3 permissions, but I just checked and users currently have read-only access. Something I will remedy on Monday. You are right about the trusted driver source because the client support folks who setup the printers are able to install drivers on the print servers that are trusted sources - too many people doing too many things unchecked has made for a collosal mess. The part that is most confusing to me is that for about a year everything was fine. Then something changed where all of a sudden client print drivers were getting installed. In CMC the policy was (and is) there and set to not automatically install drivers - yet they do get installed - even by non-admins. I cleaned up drivers on one server Monday and double checked the policy was set correctly, and by Weds 27 new drivers got installed - none of them by admins. I can only assume a Microsoft update or client change occurred to cause this to start happening. Even now the only way I have been able to stop new drivers, even after checking policies, was to rename the ntprint.inf. I am going through everything related to this again to make sure nothing got changed but thus far have found nothing. Again - thanks for the time to post your reply. I have a test server and I will be going through every driver we have with the addprinter utility as well as using it to test all new drivers. I will also be doing the policy to stop RDP printer autocreation when admins login to servers. Unfortunately the hardest part is changing the drivers around which in our environment is going to cause problems. "This app only prints correctly with PCL drivers, and this app only with PS" type stuff. But it just needs to be done so we can get through this ugliness and hopefully out of Printer Hell(TM) Seriously - a big thanks to Rick, Mark Malcom, Brian and everyone for all the help! -Mike MacDonald