How to hide a local printer on a Terminal / XenApp Server

We had a problem recently with the adobe professional suite installing a local printer on the XenApp server, this was great for users licensed to use Adobe Professional, but for users that weren’t it gave them a possibility to infringe the licensing simply by printing to this printer.

To limit the printer, you simply need to assign custom permissions to the printer. Allowing members of a group the ability to print to it (i.e. adobe professional users) and restricting everyone else. This works brilliantly as if the user has no permissions to the printer the user cant even see it!

This can be done manually if you wish, but you can also script it using SetAcl.exe. Below is an example of how to remove the permissions from a local printer:

setacl.exe -on “adobe pdf” -ot prn -actn clear -clr dacl,sacl

The following will grant the “local administrators” group full control of the printer for troubleshooting:

setacl.exe -on “adobe pdf” -ot prn -actn ace -ace “n:administrators;p:full”‘

And the following will grant the domain group “apps acrobat writer” the ability to view and print to the printer

setacl.exe -on “adobe pdf” -ot prn -actn ace -ace “n:domain\Apps Acrobat Writer 9;p:print”

 The whole lot together is below in Enteo scripting format:

Execute(‘.\extern$\setacl.exe -on “adobe pdf” -ot prn -actn clear -clr dacl,sacl’)/?
Execute(‘.\extern$\setacl.exe -on “adobe pdf” -ot prn -actn ace -ace “n:administrators;p:full”‘)/?
Execute(‘.\extern$\setacl.exe -on “adobe pdf” -ot prn -actn ace -ace “n:Domain\GroupName;p:print”‘)/?