XenApp 6 Block User Group Policy Setting from Published Apps

I'm setting up a new XenApp 6 farm. I'm only publishing applications andn ot group policy. I have noticed when you test users login they are processing my domain group policy settings.

1) How can I block users from process user group policy setting when lauching a published application?

2) I have a very small farm that only 100 users use so ever time a users access an application a local profile is created. How can I keep test local profiles in check?
LVL 20
compdigit44Asked:
Who is Participating?
 
Tony JConnect With a Mentor Lead Technical ArchitectCommented:
I'd have to check for you there - I've never actually tried.

Bear in mind though, that you could still apply a domain based group policy at the OU level, even with inheritance blocked.
0
 
Tony JLead Technical ArchitectCommented:
Create a new OU in AD.

Move the RDS/Citrix server(s) into it.

From group policy administration, right-click on the new RDS/Citrix OU and choose to block inheritence.
0
 
compdigit44Author Commented:
I already did that. But the user based group policy is still processing......
0
Cloud Class® Course: Microsoft Exchange Server

The MCTS: Microsoft Exchange Server 2010 certification validates your skills in supporting the maintenance and administration of the Exchange servers in an enterprise environment. Learn everything you need to know with this course.

 
compdigit44Author Commented:
Is there anyway to see which policy are being applied to a published application when a users access it?
0
 
Tony JLead Technical ArchitectCommented:
Ah alternatively, if you have split the computer and user group policies, create a new RDS/Citrix users group and move all of your users into them.

On the actual group policy, you can put a deny on there for that group for the policy.

But, bear in mind, that in both of these examples, they will not get ANY of the policies (1st answer I gave) or ANY of the denied policies (2nd - this - answer)

So you may want to create a RDS/Citrix-specific group policy and only apply that to the OU/Users.

You have a number of options on the profile front: use roaming profiles so they're all in a single location, use mandatory profiles that don't get changed, use Citrix profile management (which can be thought of as a hybrid between mandatory and roaming/local) or a third party tool to do something similar.

Roaming are probably simpler at this stage.
0
 
Tony JLead Technical ArchitectCommented:
Yes - publish a desktop temporarily for the user and then run RSOP.MSC to get a list of them.
0
 
Tony JLead Technical ArchitectCommented:
Sorry - my fingers are outpacing my thoughts a bit, and I'm getting a bit click-happy on the submit.

To expand on that: When a user logs in via RDS/Citrix, even to a published application, they are still logging onto the server and will process any and all GPO's they normally would.

By publishing the desktop, you can interact with the server to get the resultant set of policies and see exactly which have applied.

If you block inheritance on a OU though, then only GPO's applied directly to that OU will be applied. ALL others from the higher levels (Domain, etc) will not.
0
 
Tony JLead Technical ArchitectCommented:
Depending how many DC's you have, there may be a delay in everything updating. 90+minutes unless you force a refresh on the domain.
0
 
compdigit44Author Commented:
I already block the inheritance to my citrix servers OU but this doesn't stop the user GP's from the domain for processing.

Regarding profiles. Is there any way for me to setup the profiles so they are temporary and will be distrory once the users loggs off.  I don;t want a mandaory profiles though
0
 
compdigit44Author Commented:
Would you recommed using profile management 4.0? Can the profile local be controlled via a Xen Policy through deployment console?
0
 
Tony JLead Technical ArchitectCommented:
If the policies aren't being blocked - I can only imagine that would be because they require the loopback processing to be applied, but that's usually machine profiles.

You could always do what I suggested and put an explicit deny on the GPO in the policy editor for the Citrix users group you created.

I would recommend the Citrix profile management tool. It's quite powerful and actually whilst a bit complex to initially understand, is fairly simple once you do.
0
 
compdigit44Author Commented:
Shouls I place the new profile share on a windows server or create a volume on my xenserver??
0
 
Tony JLead Technical ArchitectCommented:
I would put it where you have the fastest storage.
0
 
compdigit44Author Commented:
any tips for settings up profile management. Will a local gp work for the profile redirect?
0
 
compdigit44Author Commented:
If there are setting on the users Active Directory accout that specifiy the TS profile local and there are also GP setting that specify another location which settings take affect??
0
 
Tony JLead Technical ArchitectCommented:
From memory it'll be the group policy setting that takes precedence, as these are run as the user logs on.
0
 
compdigit44Author Commented:
can I specifiy the profile management setting via a local group policy instead of a domain?
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.