Citrix Published Desktop Configuration

Status
Not open for further replies.

Ndoki

MIS
Oct 28, 2004
Hello all,

I have converted a bunch of FAT Clients into Thin Clients and I use Internet Explorer in the Kiosk-Mode to point to the URL of my Citrix Web Interface Login Page. User can log in and receives a desktop. Problem: User sees everything.

I want to lock down the desktop the user sees and I am not sure how to do this.

My set up is:

1 Domain Controller (Windows 2000 Advanced Server). Citrix is not installed on this machine.

1 Citrix MetaFrame XP Server MF3 (Windows 2000 Advanced Server). This server is a member of the domain.

User accounts are set up on the Domain Controller in active directory.

Where (on what server) and how do I set up policies and/or profiles so users see a locked down desktop but Administrators see all?

Any help on this would really get me out of a bind.

Thanks
 
I had a similar question a couple days ago. Here's what I did:

On the server running AD:
- Create an OU container called Terminal Services
- Locate the computer running Citrix, in the domain tree
- Right click it and move it to the newly created OU called "Terminal Services"
- Right click the OU "Terminal Services" and choose Properties

- On the tab labeled Group Policy, create a new Group Policy called "Terminal Services" or something similar
- On the Group Policy tab of the "TS" OU, the new GPO should be highlighted.
- choose Edit
- The GPO editor window opens, now choose Computer Config > Admin Templates > System > Group Policy
- Enable the policy called "Loopback processing mode" and set it to Replace.
- Go through the User Config portion of the GPO and enable or disable what you want to restrict.
- Close the GPO editor
- On the Terminal Services properties dialog box,
- Click OK on the "Terminal Services" properties dialog box, on the Group Policy tab, click Properties
- Then go to the last tab labeled Security
- Make sure that Authenticated Users has an "Allow" check next to "Apply Group Policy"
- Click the Add button
- Type the Name of your Citrix Server
- Make sure the Citrix Server has a check on "Allow" on "Apply Group Policy"
- If the Administrator's group isn't already listed, add them to the list and check DENY. This prevents the new GPO from being applied to the Administrators group.
- Close AD
- Open a command line prompt and type
secedit /refreshpolicy machine_policy /enforce
- press enter
- then type this:
secedit /refreshpolicy user_policy /enforce
DONE!

You may need to open a command line on the Citrix server and repeat the commands to refresh the GP.

I don't think I've left anything out. Let me know if that does it or you found another way.
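
The steps above, as a simplified model of which GPOs supply a user's settings at logon. This is an added example, not part of the original posts; the domain name, the OU "Staff", the accounts jsmith and admin1 and the computers CITRIX01 and DC01 are constructed, and only loopback Replace and the "Apply Group Policy" Allow/Deny permission are modelled.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    allow_apply: set                      # principals with Allow on "Apply Group Policy"
    deny_apply: set = field(default_factory=set)
    loopback_replace: bool = False        # computer-side "Loopback processing mode" = Replace

    def applies_to(self, principals):
        if self.deny_apply & principals:  # an explicit Deny overrides any Allow
            return False
        return bool(self.allow_apply & principals)

def linked(path, links):
    """GPOs linked along a container path, domain first, then each OU."""
    return [g for container in path for g in links.get(container, [])]

def user_gpos(user_principals, user_path, computer_principals, computer_path, links):
    """Names of the GPOs whose User Configuration applies at this logon."""
    computer_side = linked(computer_path, links)
    # Loopback is a computer setting: it counts only if the computer account
    # itself is allowed to apply the GPO that carries it.
    replace = any(g.loopback_replace and g.applies_to(computer_principals)
                  for g in computer_side)
    candidates = computer_side if replace else linked(user_path, links)
    return [g.name for g in candidates if g.applies_to(user_principals)]

# Constructed sample directory (hypothetical names throughout)
DOMAIN = "example.local"
default = GPO("Default Domain Policy", {"Authenticated Users"})
ts = GPO("Terminal Services", {"Authenticated Users", "CITRIX01$"},
         deny_apply={"Administrators"}, loopback_replace=True)
LINKS = {DOMAIN: [default], "Terminal Services": [ts]}

CITRIX = ({"CITRIX01$", "Authenticated Users"}, [DOMAIN, "Terminal Services"])
DC = ({"DC01$", "Authenticated Users"}, [DOMAIN, "Domain Controllers"])
USER = ({"jsmith", "Authenticated Users"}, [DOMAIN, "Staff"])
ADMIN = ({"admin1", "Administrators", "Authenticated Users"}, [DOMAIN, "Staff"])

def logon(user, computer):
    return user_gpos(user[0], user[1], computer[0], computer[1], LINKS)

if __name__ == "__main__":
    print("user on Citrix :", logon(USER, CITRIX))
    print("admin on Citrix:", logon(ADMIN, CITRIX))
    print("user on DC     :", logon(USER, DC))
```

In this model the restricted GPO reaches only non-administrators logging on to a computer inside the "Terminal Services" OU; everywhere else the user's own OU path decides.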
 
Thank you for your reply.

I performed all of the steps you gave.

The changes affect the domain controller desktop. Any authenticated user who logs in, the desktop remains unchanged.

I created an OU within AD and gave it a name of 'Terminal Services' and moved my Citrix server inside this OU.

I created a new Group Policy, enabled 'Loopback' and made the changes I wanted in the new group policy.

Went to the 'security' tab and made sure 'Authenticated Users' have an 'Allow' next to 'Apply Group Policy'. I added my Citrix server and made sure it has 'Allow' next to 'Apply Group Policy'.

The Administrators group has a 'Deny' so they are not affected by the new policy.

I then applied secedit /refreshpolicy machine_policy /enforce and secedit /refreshpolicy user_policy /enforce.

Did I miss something? Seems like this should work.
Thanks





 

What kinds of policies are you trying to enforce?

Is there already a default group policy at the domain level?

Make sure the new GPO you created is at the Terminal Services OU only.

Also, the Citrix server can only be a member of Terminal Services OU. It cannot be listed in any other group in AD.

Did you try to do the secedit commands on the Citrix server?

That may do the trick. Also, check the event log to see if the GPOs updated correctly.

 