Sunday, March 4, 2012

Creating a new security policy and applying it via GPO to disable VMware View 5.0 Thinprint’s “TP AutoConnect Service” and “TP VC Gateway Service” service

I recently received quite a few complaints that users were unable to change settings such as page sizes and colour on printers they used to be able to do so after they were migrated to VMware View virtual desktops.  I paid a visit to the client office and noticed that all of the users had the same printer mapped 2 or more times and the redundant mappings were all redirected printers using Thinprint drivers:

clip_image002[4] 

From there on, their complaint was no surprise since the Thinprint drivers are no where close to the full blown drivers that the printer manufacturer supplies.  The solution was simple—disable these Thinprint redirected printers.  The difficulty?  The following VMware KB does not appear to work:

Disabling ThinPrint on a VMware View Client
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2003626

I combed through the KB and made sure I followed the exact instructions but wasn’t able to get Thinprint disabled:

clip_image002[6]clip_image002[8]

clip_image002[10]

I gave up on the KB after 15 minutes when I realized I probably can’t turn off Thinprint with these registry changes so I decided to simply use GPO to disable the:

  • TP AutoConnect Service
  • TP VC Gateway Service

… services and the challenge we’ll immediately encounter is that the default security template that is supplied by your domain controllers won’t have an entry for this service since it’s not a standard Windows service.  Having ran into a similar situation in the past, I knew I’ll need to create a new security template so the following shows the process of doing this.

**Note: I also understand that we could use batch files to accomplish this but I prefer using GPOs when I’m able to.

Start by logging onto a virtual desktop with these 2 services and run the Microsoft Management Console:

clip_image002[12]

Add the Security Templates snap-in:

clip_image002[14]

clip_image002[16]

clip_image002[18]

You’ll notice that sometimes you’ll see default security listed and sometimes you won’t.  The security templates are usually stored in the C:\Windows\security\templates folder but you’ll notice that even if you update the template search path to that folder, you may not see templates listed:

imageclip_image002[20]

clip_image002[22]

Note that whether you see any templates listed is not important as we’ll be creating a new one anyways so continue by select the path you just created and choose New Template:

image

Give the new template a name:

clip_image002[24]

Navigate to the System Services node:

clip_image002[26]

Change the:

  • TP AutoConnect Service
  • TP VC Gateway Service

… to Disabled.

clip_image002[28]

clip_image002[30]clip_image002[32]

clip_image002[34]

Proceed with saving the template to somewhere accessible by your domain controller:

image

clip_image002[36]

Log onto your domain controller and open Group Management Policy Console and create a new policy:

image

Navigate to Computer Configuration –> Windows Settings –> Security Settings –> System Services:

image

Right click on the Security Settings node and select Import Policy…:

image

Select the inf file you saved your template as:

image

Verify that the

  • TP AutoConnect Service
  • TP VC Gateway Service

… has been disabled:

image

Close the GPO and verify the settings:

image

Test this on one of your desktops by running gpupdate /force and gpresult –r –scope computer to verify that the policy has been applied.  Once the policy has been applied, you should now see the Thinprint redirected printers disappear from the Devices and Printers window.

2 comments:

Anonymous said...

Helped me. Thanks! +1

Anonymous said...

Sweet! That helped us a lot!