  • Status: Solved
  • Priority: Medium
  • Security: Public

AD Group Policy and Laptop Roll-out

Hi,

We are a Citrix shop with group policy in effect for a Windows 2003 domain. When the user logs into Citrix, I have a folder redirection in the policy that gives the users in a particular department that desktop. Well, we are rolling out laptops to a few people and would like them to use their domain/username when logging into the laptop. What I'm seeing is that when they do that, their desktop from Citrix is loading on the laptop. I would like them to be able to log into the laptop and just have a normal desktop provided by the laptop. Is there something in the laptop's local policy to block some of those things from happening? I also have the AD GP set to delete roaming profiles on logoff. Obviously I don't want that on the laptop either.

Any help would be appreciated,
Matt
0
Asked:
fairrington
 
Carl Webster Commented:
Do you have your Citrix servers in their own OU with the Group Policies being applied only to that OU?
0
 
fairrington (Author) Commented:
No. I have each department in its own OU and then a group policy for that OU. I have a new OU I created called Laptops and made the group policy open with no changes.
0
 
Carl Webster Commented:
That is not the way it is usually done. Usually the Citrix servers are in their own OU with a Group Policy set with Loopback Mode set to Replace. That way all users get the same settings regardless of which Citrix server they log on to.
0

 
stas_zed Commented:
Hi,

You should create a separate OU for laptops and put all your laptop AD Computer Accounts in that OU. Then create a new GPO and link it to the laptops OU; under Computer Configuration\Policies\Admin Templates\System\Group Policy set the "User Group Policy loopback processing mode" policy to "Enabled" and Mode to "Replace" - that will ensure that the user settings defined in the computer's Group Policy objects replace the user settings normally applied to the user. You can now set different User policies for users that will use laptops in that OU.
In Computer Configuration\Administrative Templates\System\User Profiles set the "Delete cached copies of roaming profiles" policy to "Disabled" to prevent roaming profiles from being deleted.
The problem is that you are getting the same type of desktop on laptops because Roaming Profiles are enabled. All user settings are being downloaded and applied with the roaming profile to give the user the same desktop look and feel on any computer in the domain, regardless of Citrix virtual/published desktops or physical workstations. To prevent that you can set the "Only allow local user profiles" policy to "Enabled" in Computer Configuration\Administrative Templates\System\User Profiles. Just remember to give your laptop users access to their files by enabling Folder Redirection and Offline Files.
As a second option you can consider using Citrix Profile Management as opposed to Roaming Profiles - it works way better and will apply to your Citrix servers/desktops only.
0
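The three computer-side settings from the answer above, scripted and read back for verification. This is an added example, not part of the original post; it assumes the GroupPolicy PowerShell module (GPMC/RSAT on Windows Server 2008 R2 or later, or a management workstation), and the GPO name and OU distinguished name are placeholders.

```powershell
# Added example: the GPO name and OU DN are placeholders, not values from the thread.
Import-Module GroupPolicy

$GpoName   = 'Laptops - Loopback Replace'        # hypothetical GPO name
$LaptopsOu = 'OU=Laptops,DC=example,DC=local'    # placeholder DN of the Laptops OU
$PolicyKey = 'HKLM\Software\Policies\Microsoft\Windows\System'

# Registry values behind the Administrative Template settings named in the answer.
$Settings = @(
    @{ Name = 'UserPolicyMode';     Value = 2 }  # loopback processing: 1 = Merge, 2 = Replace
    @{ Name = 'DeleteRoamingCache'; Value = 0 }  # "Delete cached copies of roaming profiles" = Disabled
    @{ Name = 'LocalProfile';       Value = 1 }  # "Only allow local user profiles" = Enabled
)

function Set-LaptopGpo {
    # Create the GPO only if it does not exist yet, so the script can be re-run.
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $GpoName -Comment 'Loopback Replace and local profiles for laptops'
    }
    foreach ($s in $Settings) {
        Set-GPRegistryValue -Name $GpoName -Key $PolicyKey `
            -ValueName $s.Name -Type DWord -Value $s.Value | Out-Null
    }
    # Link to the Laptops OU only if the link is not already there.
    $links = (Get-GPInheritance -Target $LaptopsOu).GpoLinks
    if (-not ($links | Where-Object { $_.DisplayName -eq $GpoName })) {
        New-GPLink -Name $GpoName -Target $LaptopsOu -LinkEnabled Yes | Out-Null
    }
}

function Test-LaptopGpo {
    # Read each value back from the GPO and report whether it matches.
    foreach ($s in $Settings) {
        $actual = (Get-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName $s.Name).Value
        [pscustomobject]@{
            Setting  = $s.Name
            Expected = $s.Value
            Actual   = $actual
            Match    = ($actual -eq $s.Value)
        }
    }
}

Set-LaptopGpo
Test-LaptopGpo | Format-Table -AutoSize
```

Loopback in Replace mode means user settings come only from GPOs that apply to the laptop's computer account, so the user-side policies for laptop sessions have to be defined in GPOs linked at or above the Laptops OU.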
 
fairrington (Author) Commented:
Actually,

I'm having a problem still. It looks to be only one OU. When I make all the changes as described above, almost all of the laptops work like they are supposed to. With a couple of users in an OU called Executive, their desktop icons are showing up on the desktop of the laptop plus some of the other lockdown features in the GP are there. I looked over the GP and compared it with another one that is having no problems, but can't find anything. Any ideas?

Thanks
0
 
stas_zed Commented:
Try modeling the resultant policy for the problematic user and computer. There may be some inheritance blocking or enforcing.
0
 
fairrington (Author) Commented:
Thanks, I ran the modeling of this OU and one that is working and I do get errors in the one having problems. Here is what it says:


Component Name Status
Group Policy Infrastructure Failed
Group Policy Infrastructure failed due to the error listed below.

The system cannot find the path specified.

Note: Due to the GP Core failure, none of the other Group Policy components processed their policy. Consequently, status information for the other components is not available.

Additional information may have been logged. Review the application event log on the domain controller on which the simulation was run for events between 5/6/2011 9:06:44 AM and 5/6/2011 9:06:44 AM.
 


What should I look at? What path could they be talking about?

Thanks!
0
 
Carl Webster Commented:
The problem path will probably be the path to the GPOs. There should be errors in the application and/or system event logs on the problem child that will indicate the specific problem area(s).
0
 
stas_zed Commented:
Determine the failing GPO via Event Viewer. Delete this GPO and create a new one or restore from backup.
0
 
Carl Webster Commented:
Or use gpotool from the resource kit to check the ACLs on all the GPOs.
0
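One way to look for a GPO whose files are missing, following the suggestion above that the path in "The system cannot find the path specified" is the path to the GPOs. This is an added example, not code from the thread; it assumes the GroupPolicy PowerShell module is available and that the missing path is a GPO's folder or gpt.ini under SYSVOL, which the thread does not confirm.

```powershell
# Added example: lists GPOs that exist in Active Directory but whose SYSVOL
# folder or gpt.ini cannot be reached. The SYSVOL layout used here is the
# standard \\<domain>\SYSVOL\<domain>\Policies\{GUID}; treating that as the
# failing path is an assumption based on the comments above.
Import-Module GroupPolicy

function Get-GpoSysvolStatus {
    param(
        # DNS name of the domain to check; defaults to the logged-on user's domain.
        [string]$Domain = $env:USERDNSDOMAIN
    )
    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        $folder = "\\$Domain\SYSVOL\$Domain\Policies\{$($gpo.Id)}"
        $gptIni = Join-Path $folder 'gpt.ini'
        [pscustomobject]@{
            DisplayName  = $gpo.DisplayName
            Id           = $gpo.Id
            FolderExists = (Test-Path -LiteralPath $folder)
            GptIniExists = (Test-Path -LiteralPath $gptIni)
            SysvolPath   = $folder
        }
    }
}

# Show only the GPOs with a missing folder or gpt.ini; these are the
# candidates to restore from backup or recreate.
Get-GpoSysvolStatus |
    Where-Object { -not ($_.FolderExists -and $_.GptIniExists) } |
    Format-Table DisplayName, Id, FolderExists, GptIniExists -AutoSize
```

Run it from an account that can read SYSVOL; an access-denied folder also reports as missing here, which is the ACL case gpotool is meant to catch.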
 
fairrington (Author) Commented:
Got it working. Thanks for all of your help. Just recreated a new policy and that did it.
0
