Scenario:
By default, the Print dialog of every application includes the Windows “Find Printer” option, which lets the user search for all network printers as well as printers in Active Directory. Beyond this, the user can also browse the complete AD structure via the “Browse For Container” button.
Issue:
The above behavior is HIGHLY undesirable in locked-down environments such as RDS sessions, Citrix XenApp sessions, etc.
Fix:
You can disable/block/restrict the user's ability to launch “Find Printer” by setting the file ACL restriction below on the file that actually provides the “Find Printer” functionality.
The “Directory Service Find” functionality is provided by the “C:\Windows\system32\dsquery.dll” module of the Windows OS.
Denying the user “Read and Execute” access to this DLL (as shown below) disables the “Find Printer” button:
C:\>cacls "C:\Windows\System32\dsquery.dll"
C:\Windows\System32\dsquery.dll TESTDOM\TestUsersGroup:(DENY)(special access:)
                                    READ_CONTROL
                                    FILE_READ_DATA
                                    FILE_READ_EA
                                    FILE_EXECUTE
                                    FILE_READ_ATTRIBUTES
                                NT AUTHORITY\SYSTEM:R
                                BUILTIN\Administrators:F
                                BUILTIN\Users:R
                                NT SERVICE\TrustedInstaller:F
C:\>
NOTE: when the feature is disabled and the user clicks the “Find Printer” button, no window appears at all (not even an error prompt).
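One way to apply and then verify the deny ACE shown above, as an added example that is not part of the original post. It assumes an elevated session whose account may change the file's DACL (as in the output above, where BUILTIN\Administrators has F); the group name is the sample one from the post, and the backup path and the Test-FindPrinterDeny helper are hypothetical names.

```powershell
# Added example: applies and verifies the deny ACE described in the post.
# $Group is the sample group from the post's cacls output; $Backup is a hypothetical path.
param(
    [string]$DllPath = "$env:SystemRoot\System32\dsquery.dll",
    [string]$Group   = 'TESTDOM\TestUsersGroup',
    [string]$Backup  = "$env:TEMP\dsquery.dll.acl.bak"
)

# Hypothetical helper: $true when an explicit Deny ACE for $Identity covers all of
# Read & Execute (READ_CONTROL, FILE_READ_DATA, FILE_READ_EA, FILE_EXECUTE,
# FILE_READ_ATTRIBUTES, the rights listed in the cacls output).
function Test-FindPrinterDeny {
    param([string]$Path, [string]$Identity)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $sid = ([System.Security.Principal.NTAccount]$Identity).Translate($sidType)
    $rx  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
        if ($ace.AccessControlType -eq 'Deny' -and
            $ace.IdentityReference.Value -eq $sid.Value -and
            ($ace.FileSystemRights -band $rx) -eq $rx) { return $true }
    }
    return $false
}

if (Test-FindPrinterDeny -Path $DllPath -Identity $Group) {
    Write-Output "Deny ACE for $Group already present on $DllPath"
    return
}

# Save the current ACL first so the change can be rolled back with icacls /restore.
icacls $DllPath /save $Backup | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not back up the ACL of $DllPath" }

# Add the explicit deny for Read & Execute (RX) to the existing DACL.
icacls $DllPath /deny "${Group}:(RX)" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls /deny failed; is the session elevated?" }

# Re-read the ACL instead of trusting the exit code.
if (-not (Test-FindPrinterDeny -Path $DllPath -Identity $Group)) {
    throw "Deny ACE for $Group not found on $DllPath after applying it"
}
Write-Output "Find Printer lockdown applied: $Group denied RX on $DllPath"
```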
0 thoughts on “Citrix XenApp/Terminal Services/RDS: Disable/Block/Restrict “Find Printer” Option/Button and “Browse For Container””
Brilliant, thank you