Monday, December 12, 2011

Granting users Session Printers bassed on Active Directory Membership with Citrix.

I have been setting up the new Citrix environment where I work on one of the biggest problems we have run into is that of printing.  In the end I set the system up to use Citrix Group Policies to configure Session Printers at login time.  Furthermore I have it configured to discard the printers at log off.  The primary benefit to this approach is a one to one relationship between the printers a user has access to and the group membership in Active Directory.  There is one group for each printer in AD those groups are granted to user/department groups as needed. 

The Active Directory groups are named to match the printer names.
Printer - PNT001, Printer - PNT002-Color, Etc.

The Citrix Policies can be configured in the GPO or the Citrix Delivery Services Console as User Policies, one entry per printer. and look like so.
Name: Printer - PNT001
Setting: Session Printers   \\print01\PNT001
Filter:  Allow when user is in DOMIAN\Printer - PNT001 

When the user logs in the Citrix policy is applied.  It has one session printer line for each printer that is only applied if the user is a member of that printers security group.  As a result when adding or removing printers in AD any changes will be reflected when the users log in again.  This does not set or force down a default printer and any default set by the user will be lost on log out as the printers are discarded.  Please see the next post for dealing with allowing users to set and store their default printer preference.

No comments: