compdigit44

XenApp 6 Block User Group Policy Setting from Published Apps

I'm setting up a new XenApp 6 farm. I'm only publishing applications and not group policy. I have noticed that when your test users log in, they are processing my domain group policy settings.

1) How can I block users from processing user group policy settings when launching a published application?

2) I have a very small farm that only 100 users use, so every time a user accesses an application a local profile is created. How can I keep test local profiles in check?
Tony J

Create a new OU in AD.

Move the RDS/Citrix server(s) into it.

From group policy administration, right-click on the new RDS/Citrix OU and choose to block inheritance.
compdigit44

ASKER

I already did that. But the user based group policy is still processing......
Is there any way to see which policies are being applied to a published application when a user accesses it?
Ah, alternatively, if you have split the computer and user group policies, create a new RDS/Citrix users group and move all of your users into it.

On the actual group policy, you can put a deny on there for that group for the policy.

But, bear in mind, that in both of these examples, they will not get ANY of the policies (1st answer I gave) or ANY of the denied policies (2nd - this - answer)

So you may want to create a RDS/Citrix-specific group policy and only apply that to the OU/Users.

You have a number of options on the profile front: use roaming profiles so they're all in a single location, use mandatory profiles that don't get changed, use Citrix profile management (which can be thought of as a hybrid between mandatory and roaming/local) or a third party tool to do something similar.

Roaming are probably simpler at this stage.
Yes - publish a desktop temporarily for the user and then run RSOP.MSC to get a list of them.
Sorry - my fingers are outpacing my thoughts a bit, and I'm getting a bit click-happy on the submit.

To expand on that: when a user logs in via RDS/Citrix, even to a published application, they are still logging onto the server and will process any and all GPOs they normally would.

By publishing the desktop, you can interact with the server to get the resultant set of policies and see exactly which have applied.

If you block inheritance on an OU though, then only GPOs applied directly to that OU will be applied. ALL others from the higher levels (Domain, etc.) will not.
Depending on how many DCs you have, there may be a delay in everything updating. 90+ minutes unless you force a refresh on the domain.
I already block the inheritance to my Citrix servers OU but this doesn't stop the user GPs from the domain from processing.

Regarding profiles: is there any way for me to set up the profiles so they are temporary and will be destroyed once the user logs off? I don't want mandatory profiles, though.
Would you recommend using profile management 4.0? Can the profile location be controlled via a Xen Policy through the deployment console?
If the policies aren't being blocked - I can only imagine that would be because they require the loopback processing to be applied, but that's usually machine profiles.

You could always do what I suggested and put an explicit deny on the GPO in the policy editor for the Citrix users group you created.

I would recommend the Citrix profile management tool. It's quite powerful and actually whilst a bit complex to initially understand, is fairly simple once you do.
Should I place the new profile share on a Windows server or create a volume on my XenServer?
I would put it where you have the fastest storage.
Any tips for setting up profile management? Will a local GP work for the profile redirect?
If there are settings on the user's Active Directory account that specify the TS profile location and there are also GP settings that specify another location, which settings take effect?
From memory it'll be the group policy setting that takes precedence, as these are run as the user logs on.
Can I specify the profile management setting via a local group policy instead of a domain?