Hi, we have a client requirement that when users connect to the View 5.2 platform internally (over PCoIP) they are able to get both printers mapped with the location-based printing GPO and any locally attached USB printers. However, when a user works from outside the LAN, the requirement is to disable all printer redirection - they do not want sensitive documents being printed from outside the office.
What is the best way to achieve this?
In case anyone is interested, I managed to resolve this by using a VBS script run using the RunOnConnect option from the View Agent GPO. It queries the volatile environment variables for the name of the external-access View Connection Servers, and if it matches, it then checks group membership. If the user is not a member of the remote-printing-allowed group, it disables the ThinPrint services.
strComputer = "."
Dim objGroupList ' Global cache of the user's groups, filled on first IsMember call
Set objNetwork = WScript.CreateObject("Wscript.Network")
Set objSysInfo = CreateObject("ADSystemInfo")
strUserDN = objSysInfo.userName
Set objUser = GetObject("LDAP://" & strUserDN)
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set objShell = CreateObject("WScript.Shell")
'--------------------------------------------------------
' IsMember Function
'--------------------------------------------------------
Function IsMember(strGroup)
    ' Function to test one user for group membership.
    ' objUser is the user object with global scope.
    ' strGroup is the NT Name of the group to test.
    ' objGroupList is a dictionary object with global scope.
    ' Returns True if the user is a member of the group.
    Dim objGroup
    If IsEmpty(objGroupList) Then
        Set objGroupList = CreateObject("Scripting.Dictionary")
        objGroupList.CompareMode = vbTextCompare
        For Each objGroup In objUser.Groups
            objGroupList(objGroup.sAMAccountName) = True
        Next
    End If
    IsMember = objGroupList.Exists(strGroup)
End Function
'--------------------------------------------------------
' Check to see if client logged into external View Connection Servers
' Disable printing if not member of AD Group remote-printing-allowed
'--------------------------------------------------------
If objShell.ExpandEnvironmentStrings("%ViewClient_Broker_DNS_Name%") = "GR1VCSV01.domain.net" _
    Or objShell.ExpandEnvironmentStrings("%ViewClient_Broker_DNS_Name%") = "GR1VCSV02.domain.net" _
Then
    If IsMember("remote-printing-allowed") Then
        WScript.Echo "Virtual Printing Enabled"
    Else
        ' Stop both ThinPrint services and prevent them from restarting
        Set colServiceList = objWMIService.ExecQuery _
            ("Select * from Win32_Service where Name = 'TPAutoConnSvc' OR Name = 'TPVCGateway'")
        For Each objService In colServiceList
            If objService.State = "Running" Then
                objService.StopService()
                WScript.Sleep 5000
            End If
            errReturnCode = objService.ChangeStartMode("Disabled")
        Next
    End If
End If
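A variation on the script above, as an added example that is not the poster's code: it matches the broker name case-insensitively against a list of internal connection servers, treats every other value (including an unset variable) as external, and re-enables the ThinPrint services on internal connections, because a start mode of Disabled persists until something changes it back. The internal broker names and the "Automatic" start mode are assumptions to replace with your own values.

```vbscript
Option Explicit
' Added example, not the poster's script. Broker names below are hypothetical.
Const ALLOW_GROUP = "remote-printing-allowed"   ' group name from the post
Dim arrInternal
arrInternal = Array("INTERNAL-VCS-01.example.invalid", "INTERNAL-VCS-02.example.invalid")

Function BrokerIsInternal(strBroker)
    ' Case-insensitive match against the internal list only. An undefined
    ' variable comes back from ExpandEnvironmentStrings unexpanded, so it
    ' never matches and the session is handled as external.
    Dim strName
    BrokerIsInternal = False
    For Each strName In arrInternal
        If StrComp(Trim(strBroker), strName, vbTextCompare) = 0 Then BrokerIsInternal = True
    Next
End Function

Function UserInGroup(strGroup)
    ' True if the logged-on user is a direct member of strGroup.
    Dim objUser, objGroup
    UserInGroup = False
    Set objUser = GetObject("LDAP://" & CreateObject("ADSystemInfo").UserName)
    For Each objGroup In objUser.Groups
        If StrComp(objGroup.sAMAccountName, strGroup, vbTextCompare) = 0 Then UserInGroup = True
    Next
End Function

Sub SetThinPrint(blnEnable)
    ' Put both ThinPrint services into the requested state.
    Dim objWMI, objService
    Set objWMI = GetObject("winmgmts:\\.\root\cimv2")
    For Each objService In objWMI.ExecQuery( _
        "Select * from Win32_Service where Name = 'TPAutoConnSvc' OR Name = 'TPVCGateway'")
        If blnEnable Then
            objService.ChangeStartMode "Automatic"   ' assumed original start mode
            If objService.State <> "Running" Then objService.StartService
        Else
            If objService.State = "Running" Then objService.StopService
            objService.ChangeStartMode "Disabled"
        End If
    Next
End Sub

Dim strBroker
strBroker = CreateObject("WScript.Shell").ExpandEnvironmentStrings("%ViewClient_Broker_DNS_Name%")
If BrokerIsInternal(strBroker) Then
    SetThinPrint True
Else
    SetThinPrint UserInGroup(ALLOW_GROUP)
End If
```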
Hi,
Regards
Mohammed
Thanks, but that won't solve the problem - some users will use the same laptop to access the environment from both inside and outside the LAN, so we cannot ask them to change registry keys or stop services once they are working remotely. Other users will use their home PCs but again we cannot ask them to stop services or edit registry keys - they will just change it back if they want to print something.