PDF printing: user A clicks "print" and it prints to user B's computer!
I had a user call me up very distressed b/c she had tried to print a database report (using PDF to file, the only printer we have allowed) and turned out that it printed on another user's local computer instead of hers! Confidential information was shared unwillingly and she was very upset.
I looked further and it looks like in a shared account (multiple users logged into Win2003 w/ same username and password) when a user goes to print she can see a printer for each active session. We have "make pdf to file printer default in win2000/20003" checked.
What is going on? When a user goes to print from an application on our win2003 application server, she should only see ONE printer, not a printer for every active session. This seems like a horrible breach of security, trust, etc.
Hope I'm doing something wrong here.
We cannot create a new windows profile for each new user so we need to get this working in an environment where most of our accounts are shared.
Thank you
[1017 byte] By [
cbarbera] at [2007-11-27 0:13:26]
# 1
Sorry I can't help, but if there's confidential information on a network, shared accounts are very evil. They're bad enough normally, but that makes it a lot worse. Under many regulations, such as PCI, they're not permitted at all.
# 2
agree with DoxBrian, that shared accounts are a part of the problem. The other part of the problem might be the user's Windows GPO/Domain privileges. For instance if her user is a Power/Admin User or Print Admin, then they will see all printers. This is not an SSGD security hole but a Windows Terminal Server function. Check to see if she falls under one of the types above and try to restrict her if you can to just being a non Admin user to see if she stills sees all mapped printers.
# 3
Thanks for your help as this is urgent. I've had to shut down printing until we address this.
I'm not using shared accounts in SGD, just shared in windows.
All users only are members of the default "users" group and the default "remote desktop users" groups.
They still see multiple Print to PDF File printers, plus the regular printer "HP Color LaserJet 8500 PS" printer. Some try to print from there which of course creates errors too.
If this is a windows TS issue, please tell me how to resolve it. I've followed all instructions in the SGD manual that I could come across. Have spent several hours at this.
PLEASE HELP!
# 4
>> I'm not using shared accounts in SGD, just shared in windows.
yes, this is a problem with printing . . . do you see other's printers mapped using the MS TSC?
per MS
"redirected printers cannot be shared between processes that are running under different user accounts."
Have you tested using unique accounts on Windows?
http://groups.google.com/group/microsoft.public.windows.terminal_services/brows e_thread/thread/bddd6e374c3c81ca/7c0087d459fe5eb7%237c0087d459fe5eb7
You should contact MS Support, if shared accounts is the root cause.
# 5
OK, have done some testing and speaking w/ Microsoft people. If I understand correctly, here is what's happening:
When user A logs in, SGD autocreates a PDF printer for her with title "...session 1" and modifies the registry HKCU\Software\Microsoft\Windows NT\CurrentVerion\Windows\Device to make this newly created printer as the default printer.
If she prints, it goes to her local computer.
Then when user B logs in SGD does the same thing - it autocreates a printer and modifies the registry to set the default printer. Only now the default printer is "...session 2. Since SGD modifies the same registry key, user A's default printer is now "...session 2" as well so if user A prints to the default printer, the job will end up on user B's local computer because user B's session is session 2.
Sun - since SGD handles session management, can't it tell which RDP session a print job is coming from and direct it to the correct client?
