Avatar of Jack Lloyd
Jack Lloyd
Flag for United Kingdom of Great Britain and Northern Ireland asked on

Citrix XenApp 6.5 printer redirection - strange behavior

Hi,

We're having a weird problem in our XenApp 6.5 Server desktop environment when users are coming back in via the NetScaler Access Gateway. We’re using Web Interface 5.4.2.59

In our environment, we have Citrix policies configured to automatically create client printers for users accessing XenApp through the Netscaler Access Gateway.

When the client printer is created, the resultant permissions normally mean that only that one user can print to it.  E.g. if Jane and Joe log onto the same XenApp server, and Jane has a autocreated printer called Laserjet 4000, Joe cannot print to Laserjet 4000.

The problem is, we have had three reports (months apart) regarding users printing to client printers that have been created through another user’s session. In one instance someone complained that another user was accidentally sending jobs to the printer in her home. More seriously, we had an incident where an employee was working from a third party’s premises and this resulted in a confidential document printing on an MFD belonging to another organisation.

Administrators can see network printers from other locations but, end users cannot.

The printer policies we have in place are;

Auto Create Client Printers (ICA\Printing\Client Printers) – Auto Create all client printers
Client Printer Redirection (ICA\Printing) – Allowed (We also have a filter in this to only apply to clients with a name of WI_*. This allows us to know when a client is coming in via the Netscaler)
Default Printer (ICA\Printing) – Do not adjust the users default printer

We have seen support article CTX668903 but it does not seem to be relevant.

Can anyone help with this?

Cheers!

Jack
CitrixPrinters and ScannersMicrosoft Server OSNetScaler

Avatar of undefined
Last Comment
Jack Lloyd

8/22/2022 - Mon
joharder

Both domain admins and local admins have access to all of the printer that are on a server.  Thus, if those users were granted local admin access (maybe for an app to work correctly?), those users would see all user printers that are mapped from that server.
Jack Lloyd

ASKER
Hi Joharder,

None of these accounts have ever been any sort of administrator on the session host servers

Cheers,

Jack.
Spike99

Are users connected to a server OS or desktop OS?  

We had a similar issue at my last job: users were printing on printers at completely different facilities because old TS ports weren't being cleared out.  This was a big concern for our customers because, even though the users all worked for the same company, it was a potential violation of HIPAA regulations that protect patient privacy (most of our customers were long term care facilities).  So, my coworker came up with a script that deleted old TS printer ports from the registry.  The script would run every night to clear out old printer ports: this resolved the issue & saved us from getting big fines for violating HIPAA.

I don't work at that job anymore so I can't look at the script she was running (I should have saved a copy!), but I think it must have been something like the one listed on BrianMadden.com:
http://www.brianmadden.com/forums/t/15257.aspx

There is a hotfix for this issue for Server 2008.  This technet blog post talks about it and recommends running the Inactive TS Port FixIt as a scheduled task on operating systems that aren't supported for the hotfix (Server 2003 & Windows 7):
http://blogs.technet.com/b/askperf/archive/2012/03/06/performance-issues-due-to-inactive-terminal-server-ports.aspx

The details about the 2008 hotfix is on this page. You can also download the FixIt tool here:
http://support.microsoft.com/kb/2655998
I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck
joharder

Good point, Alicia.

The printers that are running on the server are pulled from this registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers

If you set up a registry GPP to delete the contents of this key every night, that should resolve your issue.

If it doesn't, that means that the printers were captured into the user profile.  That's a bit more complex to address.  Please try deleting contents of the reg key shown above first, and if that doesn't fix it, we can walk through some other options.
Spike99

I don't think you'd want to delete the contents of that key since that would delete all the printers installed on the server or virtual desktop.  You'd probably want to keep some of the printers (for example, if you have a PDF "printer" for creating PDF files).  You just want to clear out the orphaned TS printing ports.

I believe the TS Ports in question would show up in this key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\##?#Root#RDPBUS#0000#{28d78fad-5a12-11d1-ae5b-0000f803a8c2}
ASKER CERTIFIED SOLUTION
Jack Lloyd

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
Jack Lloyd

ASKER
Figured this out ourselves.
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.