This post has already been read 37786 times!
In my blog on the overlooked, but somewhat familiar, Application Groups feature:
I advised users of a way to provide an active/active, active/passive solution at the application level without the need for any additional software other than XenApp post 7.9.
This blog will touch upon another overlooked, but somewhat familiar, practice of Printing and highlight some great scripts provided by fellow CTA Martin Therkelsen to clean your printing environment.
It seems there is plenty of information out on this subject, yet time and time again, I see fundamental mistakes being made and then users and administrators wondering why they cannot print successfully. It is also a subject that people assume you know about and therefore are afraid to ask.
When it comes to printing and design, I will always start with the below strategy and tailor it based on customer requirements:
- Limit the number of printers within your RDS sessions.
- Allow default printer only and map network printers via GPP.
- Assess and analyse printing requirements.
- Prevent print driver installation for your users.
- Use Universal print drivers or Easy Print to reduce amount of print drivers.
- Non-native print drivers should be tested using a print stress tool.
- Use Print Detective and remove any Non-Native drivers.
- Use print driver isolation to minimize crashes related to drivers.
- Roaming Users, map printers using GPP proximity based printing.
- Have the Print Server and RDS on the same O/S version.
- Clean out your printers.
Note:
This is my own set of baseline best practices and may not fall in to specific niche requirements. There are quite a lot of good 3rd party solutions out there for special circumstances but what I want to define at this point is an out of the box methodology without the need for 3rd party tools or even Citrix.
So, what does this look like in practice and how would you go about achieving the above?
Let me show you.
Limit the Number of Printers within Your Terminal Server Sessions
You can prevent printer redirection by using this local policy setting:
Local Computer Policy / Computer Configuration / Administrative Templates / Windows Components / Remote Desktop Services / Remote Desktop Session Host / Printer Redirection
Do not allow client printer redirection
This can also be set at GPO level.
This setting will prevent client-redirected printers at the computer configuration level. Consider it an all-or-nothing switch for client redirection. This setting will override client settings.
Allow Default Printer Only and Map Network Printers via GPP
If users require client printer mapping, provide them with default printers only. If they require any additional printer, try to adjust their expectation first and deal with this issue by setting the correct default printer outside the session. This way you are still limiting the amount of printers that are redirected.
Computer Configuration / Policies / Administrative Templates / Windows Components / Remote Desktop Services / Remote Desktop Session Host / Printer Redirection
Redirect only the default client printer
By enabling the next policy, the Client Printers will be redirected, but will not be set as the default printers.
Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Printer Redirection
Do not set default printer to be default printer in a session
Should users want networked printers to be mapped automatically within the session, then my out of the box suggestion is to use Group Policy Preferences (GPP) to deploy printers. You can target specific users / groups to have certain printers using item level targeting. You can also set the default printer for your users at this level.
User Configuration / Preferences / Control Panel Settings / Printers
Assess and Analyse Printing Requirements
This part is all about how to configure your printing traffic flow and when to redirect the print job based on site criteria. For example, the below setting should be used if your RDS Servers and Print Servers are within the same location and you want to save on resources on your RDS host.
Computer Configuration / Policies / Administrative Templates / Printers
Always render print jobs on the server
Disabling this setting increases the resources on your RDS server.
In my opinion, it is wise to offload print rendering to the print server when mapping Network printers, as you would want to reduce load on your RDS Server provided your Print Server has a lot of resources and is in the same site as your RDS server.
More on this can be found in an article I have highlighted at the end of this blog post!
Prevent Print Driver Installation for your Users
There are various ways to achieve this. Within your preferred GPO navigate to:
Computer Configuration / Windows Settings / Security Settings / Local Policies / Security Options
Prevent users from installing drivers
Also:
Computer Configuration / Policies / Administrative Templates / Printers
Package Point and Print – Approved Servers
Specifying a false printer name will stop users from installing printer drivers.
Most modern printers do not require Kernel mode drivers, so it is also worthwhile configuring this setting:
Computer Configuration / Administrative Templates / Printers
Disallow installation of printers using kernel-mode Drivers
Use Universal Print Drivers or Easy Print to Reduce Amount of Print Drivers
This one is self-explanatory. Again, it centers around limiting drivers on your RDS servers to avoid compatibility issues and spooler problems. My preference is to use universal drivers for session based printing when possible and if you have client redirected printers use TS Easy Print. The Easy Print settings can be found at these locations:
Computer Configuration / Administrative Templates / Windows Components / Remote Desktop Services / Printer Redirection
Use Remote Desktop Easy Print Printer Driver First
Note:
If Do not allow client printer redirection policy setting is enabled, the Use Terminal Services Easy Print printer driver first policy setting is ignored.
Computer Configuration / Policies / Administrative Templates / Remote Desktop Services / Printer Redirection
Specify RD Session Host server fallback printer driver behaviour
With this policy, you can define whether to use PCL, PS version or both when the Easy Printer driver will be used as a fallback scenario.
https://technet.microsoft.com/en-us/library/cc732264(v=ws.11).aspx
Note:
If you have to use printer drivers use PCL5 or postscript drivers as advised by the very knowledgeable Thomas Kotzing.
Make sure you use isolation for HP Universal Printer Drivers.
Non-native print drivers should be strained using a print stress tool
I have provided links providing detailed information on how to use the Print Stress Tool.
https://support.citrix.com/article/CTX129574
https://www.youtube.com/watch?v=pv_Up23vKiQ
https://support.citrix.com/article/CTX109374
Use Print Detective and remove any Non-Native Drivers
Print Detective is an information- gathering utility that can be used for troubleshooting problems related to print drivers. It enumerates all printer drivers from the specified Windows machine, including driver specific information. It can also be used to delete specified print drivers.
Just to highlight: it is a Citrix tool but can be used for non Citrix environments!
https://www.youtube.com/watch?v=sI7Xpy8w4Oc
Roaming Users, Map Printers using GPP Proximity Based Printing
To configure proximity based printing configure your Terminal Servers with loopback policy processing enabled and navigate towards this setting:
User configuration / Preferences / Control Panel Settings / Printers.
Right Click and add new Shared printer. Choose Action – Replace and enter shared printer details and set the printer as default.
The Common tab will allow you to do some Item-level targeting – Choose the options below.
In my example, I have targeted terminal sessions coming from a specific client IP range to be chosen. So these specific users will only get the printer mapped. Continuing with this method you can set different printers to different IP ranges. If a user moves to a different location they will get the nearest printer mapped within their Terminal Server session.
You can use a variety of settings to map the printers within Group Policy Preferences (GPP) or a combination of settings such as Client IP range and AD group. All Items are defined below:
Have the Print Server and Terminal Server on the same O/S
The print server and TS server should be on the same O/S so we avoid any issues to do with 32-bit and 64-bit drivers and driver conflicts.
If for some reason you do have some type of driver mismatch you should configure your client to server print driver mapping.
Use Print Driver Isolation to Minimise Crashes with Drivers
Computer Configuration / Policies / Administrative Templates / Printers
Execute print drivers in isolated processes
This policy setting determines whether the print spooler will execute print drivers in an isolated or separate process. When print drivers are loaded in an isolated process (or isolated processes), a print driver failure will not cause the print spooler service to fail.
The video link provided here highlights at the end how and why to use print driver isolation to limit spooler crashes.
https://www.youtube.com/watch?v=pv_Up23vKiQ
We also have this setting to help in driver related crashes:
Computer Configuration / Policies / Administrative Templates / Printers
Isolate print drivers from applications (2012 above)
Determines if print driver components are isolated from applications instead of normally loading them into applications. Isolating print drivers greatly reduces the risk of a print driver failure causing an application crash.
Note:
Make sure you use isolation for HP Universal Printer Drivers.
Clean Out Your Printers
Scenario:
So, it’s all very well from the outset achieving these goals, but how do you deal with the mess that has been made before your arrival? You have inherited chaos and you need to tackle the situation. The predecessor did not share your mindset and allowed all printers to be redirected, did not think about driver installation, users could map printers themselves, when users have left stale profiles have been removed incorrectly and users are accepting of all the issues because it is what they have become accustomed to.
Now your user profiles and TS servers contain a ton of incorrect printer mappings.
First things first, as quick as you can, reset user expectation and get the above steps put in to practice to form your baseline for your printing solution. You will then need to clean out the old/stale printers in the environment.
There are various ways to achieve this such as run the following when shutting down/rebooting machines:
reg delete “hkcu\printers\connections” /f
This will delete all GPP and manually added printers.
My fellow Citrix Technology Advocate Martin Therkelson, who is very good with scripting solutions, has kindly provided some scripts which must be run under both HKLM and HKCU context to aid in the above problem. There are two scripts. One for computer logon and one for user logon.
If you do not clear the HKCU part (within the profiles) the old/stale printers will be mapped back and you will see them start to re-appear.
The scripts should be run on user logon and machine startup. You could create two GPOs for this and apply to your RDS servers.
Note:
Remember to back up your registry before trying this out and always in a test environment first folks!
Script Instructions:
The script is a simple function called from the last line where you just need to change the name of the stale printer server. You can also choose to run the script with verbose.
EXAMPLE
Cleanup-StalePrinters -StalePrintServer StalePrinterServerName
EXAMPLE
Cleanup-StalePrinters -StalePrintServer StalePrinterServerName -Verbose
You need to edit both scripts so the bottom line is running the function with the parameter for the stale server.
The scripts are available here to download:
Note:
When removing stale profiles, manually make sure you do this via the Advanced System Settings / System properties / User Profiles location.
Simply right clicking and deleting the user’s folder directly will leave stuff in the registry and you can get a build-up of stale servers!
Conclusion
I have one more tale to tell on this series of the somewhat familiar but often overlooked, but until my next post, I hope some of you found this useful and it gives you a good baseline on how to move forward with your printing solutions.
Lastly, it never hurts to revisit the printing architecture and how printing works in a RDS/TS/Citrix environment. This guide is still very relevant today and is always worth revisiting. For me, it is the printing blueprint all RDS Admins should work from and it will help you assess your printing environments.
Follow me on Twitter: