- Published on : 22 June 2019 at 11:44 UTC
When you use the RDS solution or any other solution based on the RDP protocol, you also benefit from the redirection of resources (drive redirection, smart card reader redirection, ...), as well as the redirection of printers.
Nevertheless, this also has disadvantages :
- setting up these redirections (transparent to the user) takes time and can significantly slow down the connection to your RDS platform if you connect from the outside (from the Internet). It may be worth limiting the number of redirected resources and/or printers to improve the connection time of your users.
- redirecting the resources available on the client workstation can also be a security risk if the client workstation is infected or if a malicious person uses drive redirection to get sensitive data stored on your server with a simple copy/paste.
In short, we recommend that you disable at least drive redirection if the user doesn't need this feature.
Finally, note that there are several ways to manage these redirections of resources and/or devices.
But be aware that Windows applies them in a priority order :
- Group policies (GPO)
- Active Directory Users and Computers console
- Collection properties
- Options available in the RDP client
Note : GPOs have priority over the rest.
At the end of the tutorial, you will also find information about printer redirection.
1. Manage resource and printer redirections through GPOs
2. Manage resource and printer redirections through the console : Active Directory Users and Computers
3. Manage resource and printer redirections through the RDS server
4. Manage resource and printer redirections through the RDP client options
5. Information about printer redirection
1. Manage resource and printer redirections through GPOs
To begin, we recommend that you create a new OU (organizational unit) on your Active Directory server.
Name it, for example : RDS
Move your RDS session host servers to this new RDS organizational unit.
Confirm the move of the object.
Our RDS session host server is now part of our organizational unit of the same name.
Then, open the "Group Policy Management" program.
In "Forest ... -> Domains -> [your domain name]", right-click on the "RDS" folder and click on "Create a GPO in this domain, and link it here".
Note : if you have not created an organizational unit, you can edit the "Default Domain Policy" policy.
Name this GPO object : RDS GPO.
Right-click on this new object and click "Edit".
Then, go to : User Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host.
In this folder, you will find group policies to manage, among other things :
- printer redirection
- device and resource redirection
For the "User Configuration" section, the printer redirection policies will be limited :
- force the use of the Easy Print printer driver : this allows your server to print directly to the printers of the client PC without having to install the driver for each printer on the server.
This is also useful from a security standpoint, because it limits server-side installations and therefore the risk of problems or infections.
- redirect only the default client printer : this makes it possible to limit the number of printers to redirect and thus to save a part of the bandwidth.
Note that if you use the same path via "Computer Configuration", you will have more policies (including these 2 policies).
The number of policies for "Device and Resource Redirection" will also be limited for the user configuration. You will be able to :
- disable clipboard redirection : this may allow you to limit the theft of data or the transfer of infected files to the server, for example.
- allow time zone redirection : this can be useful if the server is not in the same country as the user.
If you go through the computer configuration, you will see that you will have access to 5 policies instead of 2 :
- Do not set the default printer to be default printer in a session
- Do not allow client printer redirection : to completely disable printer redirection from the client PC
- Use Remote Desktop Easy Print printer driver first (for the same reason as the user configuration)
- Specify RD Session Host server fallback printer driver behavior : allows you to force the use of a PCL or PS driver (if you know what you are doing)
- Redirect only the default client printer
Path : Computer configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Printer Redirection.
For the device and resource redirection policies available in the computer configuration, you will be able to :
- allow or block audio/video playback and/or recording
- limit audio playback quality
- disable the redirection of the clipboard, COM and LPT ports (printers), drives (hard disks), ...
- disable Plug-and-Play device redirection to not automatically redirect USB keys and other plug-and-play compatible USB devices
- and more
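The GPO steps above can also be scripted. The following is an added example, not part of the original tutorial: it creates the "RDS" OU, moves a session host into it, creates and links "RDS GPO", then sets the registry values that back the "Computer Configuration" redirection policies. The domain DN and the server name are placeholders (assumptions), and only the drive setting is the tutorial's minimum recommendation; the others are optional.

```powershell
# Added example (not from the tutorial). Run as a domain admin on a machine
# with the ActiveDirectory and GroupPolicy RSAT modules installed.
Import-Module ActiveDirectory, GroupPolicy

$DomainDn = 'DC=example,DC=local'   # placeholder: your domain DN
$HostName = 'RDSH01'                # placeholder: session host computer account
$OuDn     = "OU=RDS,$DomainDn"
$GpoName  = 'RDS GPO'
$Key      = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# 1. Create the OU if it does not exist, then move the session host into it.
if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$OuDn'")) {
    New-ADOrganizationalUnit -Name 'RDS' -Path $DomainDn
}
Get-ADComputer -Identity $HostName | Move-ADObject -TargetPath $OuDn

# 2. Create the GPO and link it to the OU (skipped if the GPO already exists).
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | New-GPLink -Target $OuDn | Out-Null
}

# 3. Computer-side redirection policies, as registry-backed values (1 = enabled).
$settings = [ordered]@{
    fDisableCdm                      = 1  # Do not allow drive redirection
    fDisableClip                     = 1  # Do not allow Clipboard redirection
    fDisableCcm                      = 1  # Do not allow COM port redirection
    fDisableLPT                      = 1  # Do not allow LPT port redirection
    fDisablePNPRedir                 = 1  # Do not allow Plug and Play device redirection
    RedirectOnlyDefaultClientPrinter = 1  # Redirect only the default client printer
}
foreach ($name in $settings.Keys) {
    Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $name `
        -Type DWord -Value $settings[$name] | Out-Null
}

# 4. Read the values back from the GPO to confirm what will be applied.
Get-GPRegistryValue -Name $GpoName -Key $Key |
    Sort-Object ValueName |
    Format-Table ValueName, Value -AutoSize
```

The session host applies these settings at its next Group Policy refresh.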
2. Manage resource and printer redirections through the console : Active Directory Users and Computers
Although this is possible, it will not be practical if you have a lot of users, because these options are available in the properties of each user.
In addition, you will only have 3 options :
- connect client drives at logon
- connect client printers at logon
- default to main client printer (to redirect by default, only the one that is set as the default printer on the client machine)
In other words, our printer "HP DeskJet 3630 series" (with the green icon) in our case.
3. Manage resource and printer redirections through the RDS server
Although it's recommended to manage these resource redirections via group policies (for ease, speed and security), here's how to do it from your RDS server.
For this, you will have to open the Server Manager and go to the properties of each collection.
To do this, go to : Remote Desktop Services -> Collections -> [Your collection name] -> Tasks -> Edit Properties.
Then, in the "Client Settings" section, you can enable or disable the redirection of :
- audio and video playback
- audio recording
- smart cards
- drives (hard disk partitions)
You will also be able to :
- allow or block client printer redirection
- choose whether to redirect only the client default printing device
- choose whether to use the Remote Desktop Easy Print print driver first : this allows you to avoid installing many printer drivers on the server and speeds up (according to Microsoft) the time it takes to print on the client's printer
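The same "Client Settings" can be read and changed per collection from PowerShell. This added example (not part of the original tutorial) removes drive redirection from a collection while leaving its other redirection options untouched; the broker name and the collection name are placeholders. Keep in mind that a GPO setting still takes priority over these collection properties.

```powershell
# Added example (not from the tutorial). Run on a server with the
# RemoteDesktop module, as a user allowed to manage the RDS deployment.
Import-Module RemoteDesktop

$Broker     = 'rdcb01.example.local'  # placeholder: your RD Connection Broker
$Collection = 'MyCollection'          # placeholder: your collection name
$Blocked    = @('Drive')              # redirections to remove (e.g. add 'Clipboard')

# Read the current client settings of the collection.
$current = Get-RDSessionCollectionConfiguration -CollectionName $Collection `
    -ConnectionBroker $Broker -Client

# ClientDeviceRedirectionOptions is a flags value such as
# "AudioVideoPlayBack, SmartCard, Drive": keep everything except $Blocked.
$kept = $current.ClientDeviceRedirectionOptions.ToString() -split ',\s*' |
    Where-Object { $_ -and $_ -ne 'None' -and $_ -notin $Blocked }
$newOptions = if ($kept) { $kept -join ',' } else { 'None' }

# Apply only the device redirection change; printer settings are left as they are.
Set-RDSessionCollectionConfiguration -CollectionName $Collection `
    -ConnectionBroker $Broker -ClientDeviceRedirectionOptions $newOptions

# Show the resulting client settings, including the printer options.
Get-RDSessionCollectionConfiguration -CollectionName $Collection `
    -ConnectionBroker $Broker -Client |
    Format-List ClientDeviceRedirectionOptions, ClientPrinterRedirected,
                ClientPrinterAsDefault, RDEasyPrintDriverEnabled
```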