Windows Server 2008 R2 improves feature and performance for XenApp hosted users but amazingly Microsoft still don’t have a simple mechanism for locking drown the desktop for a multi-user Remote Desktop Services environment – there are a number of Group Policy settings available in the ADMX templates but there’s still way too much reliance on registry hacks and workarounds.
One backwards step from previous Windows Server versions is the move from the Control Panel Printers option to Devices and Printers.
On previous versions of the OS you could publish your XenApp users a Printers Control Panel icon using the command control.exe Printers and they’d get access to just the printers. The same command on Windows Server 2008 R2 gives them access to Devices and Printers – far more than they need and should have access to. Worse there doesn’t seem to be any easy way to lock this down removing the unwanted icons.
Windows Server 2008 R2 Devices and Printers
There is a work-around however. If you don’t want to publish the full Devices and Printers option you can use the following to provide access only printers using Windows Explorer.
Printers available from Explorer
To do this, publish a XenApp icon to the following:
Additional policy settings
Assuming that you’re managing printer mapping on behalf of the users, you’ll also want to use GPO ADMX settings:
‘Show only specified Control Panel items‘ to control which icons are shown and ‘Prevent addition of printers‘ to remove the ‘Add a printer‘ open from the Printers window.
I’d recommend also using ‘Always open All Control Panel Items when opening Control Panel’ as well so keep it simple.
And of course, don’t forget the usual XenApp policies you’ll want to configure to control Client Printer Mapping and what drivers to use.