Open bust4rhymes opened 3 years ago
When printerceptor re-creates the printers it will give the printers the same security a redirected printer has but the special security that hides the printers from other users that are administrators does not apply until the print spooler restarts.
There is a scheduled task that the script puts in that restarts the spooler at night if there are no users connected.
Try restarting the spooler. You won't want to do this while users are connected because it will disconnect their redirected printer.
Give that a try.
Thanks,
Zach
I tried rebooting the spooler with no changes. I found something interesting: I logged in two different user accounts with the same printer (HP LaserJet 2727nf PCL6). User 1 logged in fine and sees his printer; User 2 logged in but sees both printers, but User 1 has only his own printer.
After looking at the security of both printers, I found that the one that appears isolated has different users or groups compared to the other. The good one has: All Application Packages, Creator Owner, System, The User itself, Print Operator, LogonSessionId_0_11581542. The other: Creator Owner, System, The User itself. I tried deleting them, rebooting, then logging them back in, but the issue still comes and goes.
Are the printers being re-created with full access or only being renamed?
Thanks,
Zach
Yes they are being re-created with full access and renamed with "PrinterName - LoginName"
Regards Christian
Was the printer re-created after the print spooler was restarted?
The script will re-create the printer and the isolation scheduled task runs later or the print spooler needs restarted to make it hidden from other users forever.
The printer isn't hidden when it is first created until after the spooler restarts.
Maybe the printer used for testing was freshly re-created after you restarted the spooler?
Make sure all the printers get re-created that you are going to use for testing and then restart the spooler.
Zach
I first let the printer be re-created, then I restarted the print spooler. Then I checked with users and the problem is still there: no isolation at all.
I'll see if I can re-create the issue. Are users local administrators? Is UAC turned off?
Thanks,
Zach
Every user is a non-admin and UAC is off.
Regards
Christian
I discovered that if I uncheck "Give full permission", the printers stay isolated properly and stay on even if users are logged out. The problem now is that you don't see any printers within Devices and Printers other than what is installed locally, like PDF Creator. Word and Excel appear to be OK because the printer is showing when prompted to print. I end up with no default printer and I cannot select it. Just when I thought I solved my issues :(
Regards
Christian
Christian,
Devices and Printers will be all out of whack. I noticed that it gets all messed up when any software seems to programmatically make changes to the printers.
Go to a print dialog box like in Notepad to see the printers.
You're right, it's "out of whack": it was showing a strange printer name, but once I clicked it the name changed correctly. That I can live with! So strangely everything is going pretty well without the "give full access". The only drawback is that you can't save any preferences, like you advise in your documentation.
Christian,
I hope to take a look at this tonight, but there is a script called isolate.ps1 in C:\program files\printerceptor.
It puts a registry key in the registry for the printers that it re-creates to value "35328".
It's possible that value changed in 2019. If you go into the registry and look at normal redirected printer values then you might be able to see what the value should be.
The value that the script sets should be the exact value that a normal redirected printer has.
Just something you may be able to check.
Thanks,
Zach
I made some tests with isolate.ps1 and something is not working properly. I think the $path + $Printer.Name behaves differently on Server 2016/2019. If I set the key Attributes to value "35328" the isolation works, but when I run the script in PS by removing the check for session, nothing happens.
Sounds like you are on to something. Does it seem to all work when you manually enter 35328 for the printers?
Thanks,
Zach
Absolutely, I updated the value, then restarted the spooler, and everything went well.
Cool. I tested in a 2019 VM with a Sharp MX-C311 driver and it worked fine.
I tested with an HP LaserJet M2727 and saw the problem you are seeing.
I commented out the session in the isolate.ps1 script and ran the task and it seemed to make it good.
The attributes may only get set by that task that is supposed to run and only make changes when there are no connected users.
I thought the script also set it in the registry when it re-created the printers so when the spooler gets restarted next time then the change will apply.
Maybe isolate.ps1 never made the changes on your server?
The registry path seems to be OK.
Thanks,
Zach
Now that we narrowed the issue, I will do further tests tomorrow. It feels like the isolation never worked on my servers. I got this running on 6 RDS servers, so I'll start by commenting out the sessions check and see where this leads me.
Regards
Christian
Christian,
I'm thinking the script may have run at some point at night when there were no users connected, and that is probably why it worked for that 1 printer you saw it working OK on.
I thought restarting server or restarting spooler would do it but that isolation scheduled task must run for it to set the attribute to make it hidden. Once it sets it for the printer then it'll be good for that printer forever.
I'm thinking you might just be good. Make sure you have some kind of policy that disconnects idle users at night when the scheduled task is supposed to run.
Users may see other users' printers when the printer is first re-created, but the next day they should not after that scheduled task runs at night.
Thanks,
Zach
Users are always logged out at night so this is not an issue. The problem is that the attributes fail to update randomly. What I'm gonna do is log them in one by one and make sure the attributes get updated. If required, I'll run the script by hand just to be sure. It's mandatory for our software not to see each other's printers because it generates lots of warnings. I should be able to make further tests tomorrow morning.
Thanks
Christian
Hi,
Just to give you some follow-up. I'm more successful now that I understand the isolation mechanics. For some reason some printers' "Attributes" won't stay at "35328" but instead "33280". I think this is related to the vendor driver, but I haven't been able to find all the different attributes and their meaning for my understanding.
Regards
Christian
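
An added example, not part of the thread or of Printerceptor: a PowerShell decoder for the spooler's Attributes bitmask, using the PRINTER_ATTRIBUTE_* constants from the Windows SDK header winspool.h. With those constants, 35328 (0x8A00) and 33280 (0x8200) differ only in the ENABLE_BIDI bit (0x0800). The registry path and the Get-PrinterAttributeReport helper are assumptions; the page does not show the $path that isolate.ps1 uses.

```powershell
# Added example, not Printerceptor code. Bit values are the PRINTER_ATTRIBUTE_*
# constants from the Windows SDK header winspool.h.
$PrinterAttributeFlags = [ordered]@{
    QUEUED = 0x0001; DIRECT = 0x0002; DEFAULT = 0x0004; SHARED = 0x0008
    NETWORK = 0x0010; HIDDEN = 0x0020; LOCAL = 0x0040; ENABLE_DEVQ = 0x0080
    KEEPPRINTEDJOBS = 0x0100; DO_COMPLETE_FIRST = 0x0200; WORK_OFFLINE = 0x0400
    ENABLE_BIDI = 0x0800; RAW_ONLY = 0x1000; PUBLISHED = 0x2000; FAX = 0x4000
    TS = 0x8000
}

function ConvertFrom-PrinterAttributes {
    # Turn an Attributes DWORD into flag names; unrecognised bits are reported, not dropped.
    param([Parameter(Mandatory)][long]$Value)
    $names = @()
    $rest  = $Value
    foreach ($flag in $PrinterAttributeFlags.GetEnumerator()) {
        if ($Value -band $flag.Value) {
            $names += $flag.Key
            $rest   = $rest -bxor $flag.Value   # clear the bit we just named
        }
    }
    if ($rest -ne 0) { $names += ('UNKNOWN_0x{0:X}' -f $rest) }
    return $names
}

function Get-PrinterAttributeReport {
    # Assumption: printers are read from the standard spooler key; pass -Path if yours differs.
    param(
        [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Printers',
        [long]$Expected = 35328   # value the thread says isolate.ps1 sets
    )
    Get-ChildItem -Path $Path | ForEach-Object {
        $attr = (Get-ItemProperty -Path $_.PSPath -Name Attributes -ErrorAction SilentlyContinue).Attributes
        if ($null -eq $attr) { return }   # subkey without an Attributes value: skip it
        [pscustomobject]@{
            Printer    = $_.PSChildName
            Attributes = $attr
            Flags      = (ConvertFrom-PrinterAttributes $attr) -join ' | '
            # Bits present in the expected value but absent on this printer.
            Missing    = (ConvertFrom-PrinterAttributes ($Expected -band (-bnot [long]$attr))) -join ' | '
        }
    }
}

# Decode the two values reported in this thread.
foreach ($v in 35328, 33280) {
    '{0} (0x{0:X}) = {1}' -f $v, ((ConvertFrom-PrinterAttributes $v) -join ' | ')
}
# On the RDS host, from an elevated prompt: Get-PrinterAttributeReport | Format-Table -AutoSize
```

Running the report after the nightly isolation task shows which re-created printers did not end up with the expected value and which bits they lack.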
Hi,
I'm having an issue with users seeing other users' printers. When the software starts it tries to list all printers available, but it cannot access some printers because of the security ownership. Users are members of a security group which is part of the print server security, but this did not solve the issue. I'm trying to make everyone's printer private so no one else can list them, but I'm out of luck.