Prevent users from installing print drivers & Fallback terminal services enabled... print drivers still being added.

[Aaron Anderson]

Prevent users from installing print drivers & Fallback terminal services enabled... print drivers still being added.

I've got a pair of Terminal Servers. I have enabled the Fallback printer
driver option. I have enabled the option in group policy to prevent users
from installing printer drivers. I wanted to only have 2 or 3 print drivers
on each server. an HP 1020, LaserJet4, and my 2x Universal Driver.

Every now and then, a new printer driver shows up on the system and I get an
event as shown in the snippet.

I've logged into the systems from half a dozen different machines with
various printers installed. I've tried user accounts that are
administrators, and regular users. The drivers from the computers I have
tested are not copied to the TS, and the fallback driver does it's thing,
properly.

This is all at a clients office. They have one lady there who is slightly
crazy, and will lie about what she does and doesn't do on the network
equipment. I honestly believe that she's lying when she says she isn't
adding these drivers.


What can I do to track this down?

Type: WarningDate: 1/9/2008Time: 5:22:56
PMEvent: 20Source: PrintCategory: NoneUser:
\SYSTEMComputer: GWIKTS01Descriptionrinter Driver Ricoh Aficio
AP4500 PCL for Windows NT x86 Version-3 was added or updated. Files:-
UNIDRV.DLL, UNIDRVUI.DLL, RIAP4500.GPD, UNIDRV.HLP, RIAFRES.DLL, UNIRES.DLL,
RIAP450X.GPD, RIAF5MAC.GPD, TTFSUB.GPD, STDNAMES.GPD.

 

[Vera Noest [MVP]]

Re: Prevent users from installing print drivers & Fallback terminal services enabled... print drivers still being added.

Re: Prevent users from installing print drivers & Fallback terminal services enabled... print drivers still being added.

How does she get past the GPO setting which prevents users from
installing printer drivers? Is she an Administrator? Does she
temporarily chnage the GPO?
Even if she is an Admin and you can't change that, can't you change
the security filtering of the GPO? Create a special Administrator
account, let's call it GPOadmin, which only *you* know the password
of, and use that to edit GPOs. Add this account to the security
filtering of the GPO, with full permissions. Then remove the
"Modify" rights from Administrators. When you want to edit the GPO,
you can start the GPeditor with the Runas command to run it under
the GPOadmin account.

You could try to enable auditing of file access and then configure
auditing for some of the files or folders mentioned in the Event.
That should give you a username when it happens again.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"Aaron Anderson" <aaron@nomail.com> wrote on 12 jan 2008 in
microsoft.public.windows.terminal_services:

> I've got a pair of Terminal Servers. I have enabled the
> Fallback printer
> driver option. I have enabled the option in group policy to
> prevent users from installing printer drivers. I wanted to only
> have 2 or 3 print drivers on each server. an HP 1020, LaserJet4,
> and my 2x Universal Driver.
>
> Every now and then, a new printer driver shows up on the system
> and I get an event as shown in the snippet.
>
> I've logged into the systems from half a dozen different
> machines with various printers installed. I've tried user
> accounts that are administrators, and regular users. The drivers
> from the computers I have tested are not copied to the TS, and
> the fallback driver does it's thing, properly.
>
> This is all at a clients office. They have one lady there who is
> slightly crazy, and will lie about what she does and doesn't do
> on the network equipment. I honestly believe that she's lying
> when she says she isn't adding these drivers.
>
>
> What can I do to track this down?
>
> Type: WarningDate: 1/9/2008Time:
> 5:22:56 PMEvent: 20Source: PrintCategory:
> NoneUser: \SYSTEMComputer: GWIKTS01Descriptionrinter
> Driver Ricoh Aficio AP4500 PCL for Windows NT x86 Version-3 was
> added or updated. Files:- UNIDRV.DLL, UNIDRVUI.DLL,
> RIAP4500.GPD, UNIDRV.HLP, RIAFRES.DLL, UNIRES.DLL, RIAP450X.GPD,
> RIAF5MAC.GPD, TTFSUB.GPD, STDNAMES.GPD.

 

[Aaron Anderson]

Re: Prevent users from installing print drivers & Fallback terminal services enabled... print drivers still being added.

Re: Prevent users from installing print drivers & Fallback terminal services enabled... print drivers still being added.

I don't know how they're getting past it. I've logged in with a users
account that keeps adding her IBM laser printer from her computer. I keep
deleting it, and it keeps coming back. I've tried her account from several
locations and the the TS FallBack driver comes into play for everything.
(she's in a remote office and I don't have access to her printer)

Right now I don't believe that this lady is adding the drivers. They've
appeared when I know she is in meetings, etc. So that's out of the question.
So right now the GPO's I have in place apply to everyone, even
administrators.

I don't need to enable the auditing, becuase I have a specific account that
uses an IBM laser printer that always re-appears.

I am totally baffled.




"Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote in message
news:Xns9A24D97B195E8veranoesthemutforsse@207.46.248.16...
> How does she get past the GPO setting which prevents users from
> installing printer drivers? Is she an Administrator? Does she
> temporarily chnage the GPO?
> Even if she is an Admin and you can't change that, can't you change
> the security filtering of the GPO? Create a special Administrator
> account, let's call it GPOadmin, which only *you* know the password
> of, and use that to edit GPOs. Add this account to the security
> filtering of the GPO, with full permissions. Then remove the
> "Modify" rights from Administrators. When you want to edit the GPO,
> you can start the GPeditor with the Runas command to run it under
> the GPOadmin account.
>
> You could try to enable auditing of file access and then configure
> auditing for some of the files or folders mentioned in the Event.
> That should give you a username when it happens again.
>
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
>
> "Aaron Anderson" <aaron@nomail.com> wrote on 12 jan 2008 in
> microsoft.public.windows.terminal_services:
>
>> I've got a pair of Terminal Servers. I have enabled the
>> Fallback printer
>> driver option. I have enabled the option in group policy to
>> prevent users from installing printer drivers. I wanted to only
>> have 2 or 3 print drivers on each server. an HP 1020, LaserJet4,
>> and my 2x Universal Driver.
>>
>> Every now and then, a new printer driver shows up on the system
>> and I get an event as shown in the snippet.
>>
>> I've logged into the systems from half a dozen different
>> machines with various printers installed. I've tried user
>> accounts that are administrators, and regular users. The drivers
>> from the computers I have tested are not copied to the TS, and
>> the fallback driver does it's thing, properly.
>>
>> This is all at a clients office. They have one lady there who is
>> slightly crazy, and will lie about what she does and doesn't do
>> on the network equipment. I honestly believe that she's lying
>> when she says she isn't adding these drivers.
>>
>>
>> What can I do to track this down?
>>
>> Type: WarningDate: 1/9/2008Time:
>> 5:22:56 PMEvent: 20Source: PrintCategory:
>> NoneUser: \SYSTEMComputer: GWIKTS01Descriptionrinter
>> Driver Ricoh Aficio AP4500 PCL for Windows NT x86 Version-3 was
>> added or updated. Files:- UNIDRV.DLL, UNIDRVUI.DLL,
>> RIAP4500.GPD, UNIDRV.HLP, RIAFRES.DLL, UNIRES.DLL, RIAP450X.GPD,
>> RIAF5MAC.GPD, TTFSUB.GPD, STDNAMES.GPD.