XenApp 6 Block User Group Policy Setting from Published Apps

I'm setting up a new XenApp 6 farm. I'm only publishing applications and not group policy. I have noticed when you test users login they are processing my domain group policy settings.

1) How can I block users from processing user group policy settings when launching a published application?

2) I have a very small farm that only 100 users use, so every time a user accesses an application a local profile is created. How can I keep test local profiles in check?
0
compdigit44
Asked:
Tony J, Lead Technical Architect, Commented:
Create a new OU in AD.

Move the RDS/Citrix server(s) into it.

From group policy administration, right-click on the new RDS/Citrix OU and choose to block inheritance.
0
 
compdigit44, Author, Commented:
I already did that. But the user based group policy is still processing......
0
 
compdigit44, Author, Commented:
Is there any way to see which policies are being applied to a published application when a user accesses it?
0
 
Tony J, Lead Technical Architect, Commented:
Ah, alternatively, if you have split the computer and user group policies, create a new RDS/Citrix users group and move all of your users into it.

On the actual group policy, you can put a deny on there for that group for the policy.

But, bear in mind, that in both of these examples, they will not get ANY of the policies (1st answer I gave) or ANY of the denied policies (2nd - this - answer).

So you may want to create a RDS/Citrix-specific group policy and only apply that to the OU/Users.

You have a number of options on the profile front: use roaming profiles so they're all in a single location, use mandatory profiles that don't get changed, use Citrix profile management (which can be thought of as a hybrid between mandatory and roaming/local) or a third party tool to do something similar.

Roaming are probably simpler at this stage.
0
 
Tony J, Lead Technical Architect, Commented:
Yes - publish a desktop temporarily for the user and then run RSOP.MSC to get a list of them.
0
 
Tony J, Lead Technical Architect, Commented:
Sorry - my fingers are outpacing my thoughts a bit, and I'm getting a bit click-happy on the submit.

To expand on that: When a user logs in via RDS/Citrix, even to a published application, they are still logging onto the server and will process any and all GPOs they normally would.

By publishing the desktop, you can interact with the server to get the resultant set of policies and see exactly which have applied.

If you block inheritance on an OU though, then only GPOs applied directly to that OU will be applied. ALL others from the higher levels (Domain, etc) will not.
0
 
Tony J, Lead Technical Architect, Commented:
Depending how many DCs you have, there may be a delay in everything updating. 90+ minutes unless you force a refresh on the domain.
0
 
compdigit44, Author, Commented:
I already block the inheritance to my Citrix servers OU but this doesn't stop the user GPs from the domain from processing.

Regarding profiles: is there any way for me to set up the profiles so they are temporary and will be destroyed once the user logs off? I don't want mandatory profiles though.
0
 
compdigit44, Author, Commented:
Would you recommend using profile management 4.0? Can the profile local be controlled via a Xen Policy through deployment console?
0
 
Tony J, Lead Technical Architect, Commented:
If the policies aren't being blocked - I can only imagine that would be because they require the loopback processing to be applied, but that's usually machine profiles.

You could always do what I suggested and put an explicit deny on the GPO in the policy editor for the Citrix users group you created.

I would recommend the Citrix profile management tool. It's quite powerful and actually whilst a bit complex to initially understand, is fairly simple once you do.
0
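A simplified model of how the user-side GPO list is built at logon, covering the three levers discussed in this thread: Block Inheritance on the server OU, an explicit deny for a users group, and loopback processing. This is an added example, not code from the thread; the OU, group and GPO names are constructed, and sites, Enforced links and WMI filters are left out.

```python
# Simplified model of user-policy GPO selection at logon.
# All container, group and GPO names below are constructed for illustration.

# Each container: its parent, the GPOs linked to it, and Block Inheritance.
DIRECTORY = {
    "domain":         {"parent": None,     "links": ["Domain Desktop Lockdown"], "block": False},
    "Staff":          {"parent": "domain", "links": ["Staff Drive Maps"],        "block": False},
    "Citrix Servers": {"parent": "domain", "links": ["Citrix User Settings"],    "block": True},
}
# Security filtering: groups explicitly denied "Apply group policy" on a GPO.
DENY_APPLY = {"Domain Desktop Lockdown": {"Citrix Users"}}


def linked_gpos(container):
    """GPOs in scope for an object in `container`, lowest precedence first."""
    chain = []
    while container is not None:
        node = DIRECTORY[container]
        chain.append(node["links"])
        if node["block"]:            # Block Inheritance: ignore links above
            break
        container = node["parent"]
    return [gpo for links in reversed(chain) for gpo in links]


def user_gpos(user_ou, server_ou, user_groups, loopback=None):
    """User-side GPOs applied when a user in `user_ou` logs on to a server
    in `server_ou`. `loopback` is None, "merge" or "replace"."""
    from_user = linked_gpos(user_ou)
    from_server = linked_gpos(server_ou)
    if loopback == "replace":
        scope = from_server                  # only the server's OU chain counts
    elif loopback == "merge":
        scope = from_user + from_server      # server-side GPOs apply last
    else:
        scope = from_user                    # server OU is never consulted
    # Security filtering is evaluated against the user's group membership.
    return [g for g in scope if not (DENY_APPLY.get(g, set()) & set(user_groups))]


if __name__ == "__main__":
    for mode in (None, "merge", "replace"):
        print(mode, user_gpos("Staff", "Citrix Servers", [], loopback=mode))
    print("deny", user_gpos("Staff", "Citrix Servers", ["Citrix Users"]))
```

With no loopback the result is identical whether or not the server OU blocks inheritance, which is the behaviour the asker reports; the block only changes the user-side result once loopback pulls the server's OU chain into scope.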
 
compdigit44, Author, Commented:
Should I place the new profile share on a Windows server or create a volume on my XenServer?
0
 
Tony J, Lead Technical Architect, Commented:
I would put it where you have the fastest storage.
0
 
compdigit44, Author, Commented:
Any tips for setting up profile management? Will a local GP work for the profile redirect?
0
 
compdigit44, Author, Commented:
If there are settings on the user's Active Directory account that specify the TS profile local and there are also GP settings that specify another location, which settings take effect?
0
 
Tony J, Lead Technical Architect, Commented:
From memory it'll be the group policy setting that takes precedence, as these are run as the user logs on.
0
 
compdigit44, Author, Commented:
Can I specify the profile management settings via a local group policy instead of a domain?
0
 
Tony J, Lead Technical Architect, Commented:
I'd have to check for you there - I've never actually tried.

Bear in mind though, that you could still apply a domain based group policy at the OU level, even with inheritance blocked.
0
