During the testing phase of a new VDI rollout, many users complained that they had to set their default printer each time they logged into their desktop. I worked with a few of the users and noticed the issue would only occur if they were setting one of their Citrix auto-created printers as the default. We did not see the issue if the user set a network printer as their default printer. Before we go further, let's look at what the environment consisted of:
Citrix XenDesktop 5.6
Citrix Provisioning Server 6.1
VDI Image Operating System: Windows 7 SP1
AppSense: Environment Manager 8.4
Within our AppSense configuration, we were utilizing Session Data in personalization to capture the user’s default printer which is held under the following registry string entry:
I was able to validate the issue using the personalization analysis tool via the Environment Manager Console. In the following screenshot, you will notice there is no device entry under the Windows key.
Whereas for a working user, it should look like the following:
As you can see for a working user, the device value is listed along with the name of the default auto-created printer.
In this particular implementation, a majority of the users are using network printers as their default so a Citrix Policy was in place with the setting “Do not adjust the user’s default printer” enabled. So when a user logs in, Citrix will not attempt to set their default printer which leaves the responsibility to the user to set their own.
Upon further inspection, I noticed when a user logged off, the user account ctx_cpsvcuser was deleting the registry entry for the default printer before AppSense had a chance to capture the information into the user’s Session Data. As per Citrix, the Ctx_CpsvcUser account provides the Citrix Print Manager Service with a server-local account to perform certain functions. By default, the account has only the necessary permissions, group memberships, and rights needed to perform those functions.
So in order to get around this issue without breaking any of Citrix’s printing functions, I modified the permissions on the Windows key (HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows): I removed all user accounts, including Ctx_CpsvcUser, from the permissions and added Domain Users with Full Control. Keep in mind, since we have a policy within Citrix to not adjust the user’s default printer, there was no need for the Citrix account to have access to this registry key. Once I logged off of my VDI desktop, my default auto-created printer was captured by AppSense. For this implementation, we were using a modified default user profile on the desktop image. In order for the change to affect all users, I then modified the registry key within the default user’s registry (ntuser.dat) so that when a user logged in, their generated local profile would have the correct permissions on the key.
The VDI desktops were being provisioned with Citrix Provisioning Server. This presented a new problem. Each time the virtual machines boot up and a user logs in, the Citrix account is automatically added back to the security permissions of the registry key with Full Control. To prevent this from occurring, I used a PowerShell script to modify the permissions on the key upon user login. This script was added to the AppSense EM configuration at the Logon Node. By no means am I a PowerShell expert, so I am sure it can be done in 1000 better ways, but the following is what I used.
The script does not remove the ctx_cpsvcuser account from the access control list on the registry key, but rather removes that account's permissions. If we look at the Security tab for the key, it will look like the following once the script runs:
As you can see, the user account is still listed under the permissions; however, it no longer has the right to modify anything under the registry key. Once this is done, when a user logs off of their VDI desktop, the Citrix account will no longer be able to modify the default printer value, allowing AppSense to capture the information into the user’s session data.
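One way to apply this permission change at logon, as an added example that is not the author's original script: it replaces the explicit Allow entries for Ctx_CpsvcUser on the Windows key with a read-only entry, then re-reads the ACL to confirm no write access remains. It assumes the account is local to the desktop and that the logged-on user may change permissions on the key; leaving read access in place is also an assumption.

```powershell
# Added example; run in the user's session at logon (e.g. from the AppSense EM Logon node).
$subKey = 'Software\Microsoft\Windows NT\CurrentVersion\Windows'

# Assumption: Ctx_CpsvcUser is a machine-local account, so qualify it with the computer name.
$account = New-Object System.Security.Principal.NTAccount($env:COMPUTERNAME, 'Ctx_CpsvcUser')
try {
    # Resolve to a SID up front so a missing account fails here, before the ACL is touched.
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
} catch {
    Write-Warning "Account '$($account.Value)' could not be resolved; ACL left unchanged."
    return
}

# Open the key with only the rights needed to read and rewrite its DACL.
$key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey(
    $subKey,
    [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
    [System.Security.AccessControl.RegistryRights]'ReadPermissions, ChangePermissions')
if ($null -eq $key) {
    Write-Warning "HKCU\$subKey does not exist; ACL left unchanged."
    return
}

try {
    $acl = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)

    # SetAccessRule drops every explicit Allow ACE for this SID and adds the one given,
    # so the account stays listed on the key but can no longer write or delete values.
    $readOnly = New-Object System.Security.AccessControl.RegistryAccessRule(
        $sid, 'ReadKey', 'ContainerInherit', 'None', 'Allow')
    $acl.SetAccessRule($readOnly)
    $key.SetAccessControl($acl)

    # Verify the result. Inherited ACEs are not changed by SetAccessRule, so look for
    # any remaining Allow entry that still grants a write-type right to the account.
    $writeRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
    $remaining = $key.GetAccessControl('Access').GetAccessRules(
            $true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference.Value -eq $sid.Value -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.RegistryRights -band $writeRights)
        }
    if ($remaining) {
        Write-Warning "'$($account.Value)' still has write access to HKCU\$subKey (check inherited entries)."
    }
} finally {
    $key.Close()
}
```

If the warning fires, the remaining access comes from an inherited entry, which has to be changed on the parent key or by disabling inheritance on this one.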
© 2014 Eddie Kwasnik “the Wolf” All Rights Reserved