W2K3 Terminal server lock down help

[cconk01]

I am currently in charge of locking down a W2K3 terminal server, which to my knowledge i have done an exceptional job at (i love locking thing down). Anyways i have restricted access to any local drives, redirected my documents to a mapped drive with quotas, removed any unwanted apps and used ntfs permissions to lock them out even further.

My problem:

When a remote user connects they bring with them there printer and is displayed to all other terminal service users. I need it so they are unable to see any local printers on the server and remove any other users from being able to see other RDP users printers but their own.

Any ideas, software or thought would be greatly appreciated.

Thanks in advance,

Peter

[cluberti]

I've seen this before where the user accounts were power users on the Terminal Server, or had Print Administrator rights assigned. Also seen this happen when the users' printers are initially installed locally via a logon script that is running under a generic service account, rather than the user (like in ScriptLogic, for example).

[cconk01]

I dont want to enable them access to any other printer then there own. currently they can see all the printers, which is what i dont want....

i think you misunderstood my question....

[cluberti]

No, I understand completely - users on a TS can see printers in other sessions and probably print to them. And I told you why this can happen - make sure you aren't doing either of these things on the client machines or the Terminal Server itself, because this is a permissions issue entirely.

[cconk01]

my apologies, i understand now. I checked and there are no batch files running to map printers, also all of the users are only domain users and another group i created called restricted, where i added the group restricted to each printer and denied them rights. This removed all the locally attached printers, but still when users log in to the server over TS users are able to see other printer sessions.