How to hide a local printer on a Terminal / XenApp Server
We had a problem recently with the adobe professional suite installing a local printer on the XenApp server, this was great for users licensed to use Adobe Professional, but for users that weren’t it gave them a possibility to infringe the licensing simply by printing to this printer.
To limit the printer, you simply need to assign custom permissions to the printer. Allowing members of a group the ability to print to it (i.e. adobe professional users) and restricting everyone else. This works brilliantly as if the user has no permissions to the printer the user cant even see it!
This can be done manually if you wish, but you can also script it using SetAcl.exe.
The documentation on their website is shockingly bad for printers, so below is an example of how to remove the permissions from a local printer:
setacl.exe -on “adobe pdf” -ot prn -actn clear -clr dacl,sacl
The following will grant the “local administrators” group full control of the printer for troubleshooting:
setacl.exe -on “adobe pdf” -ot prn -actn ace -ace “n:administrators;p:full”‘
And the following will grant the domain group “apps acrobat writer” the ability to view and print to the printer
setacl.exe -on “adobe pdf” -ot prn -actn ace -ace “n:domain\Apps Acrobat Writer 9;p:print”
The whole lot together is below in Enteo scripting format:
Execute(‘.\extern$\setacl.exe -on “adobe pdf” -ot prn -actn clear -clr dacl,sacl’)/?
Execute(‘.\extern$\setacl.exe -on “adobe pdf” -ot prn -actn ace -ace “n:administrators;p:full”‘)/?
Execute(‘.\extern$\setacl.exe -on “adobe pdf” -ot prn -actn ace -ace “n:emea\LPGP CTX Apps Acrobat Writer 9;p:print”‘)/?
Recent Comments