Solved

XenApp 6 Block User Group Policy Setting from Published Apps

Posted on 2011-09-13
17
1,201 Views
Last Modified: 2012-05-12
I'm setting up a new XenApp 6 farm. I'm only publishing applications andn ot group policy. I have noticed when you test users login they are processing my domain group policy settings.

1) How can I block users from process user group policy setting when lauching a published application?

2) I have a very small farm that only 100 users use so ever time a users access an application a local profile is created. How can I keep test local profiles in check?
0
Comment
Question by:compdigit44
  • 9
  • 8
17 Comments
 
LVL 25

Expert Comment

by:Tony1044
ID: 36529853
Create a new OU in AD.

Move the RDS/Citrix server(s) into it.

From group policy administration, right-click on the new RDS/Citrix OU and choose to block inheritence.
0
 
LVL 19

Author Comment

by:compdigit44
ID: 36529879
I already did that. But the user based group policy is still processing......
0
 
LVL 19

Author Comment

by:compdigit44
ID: 36529885
Is there anyway to see which policy are being applied to a published application when a users access it?
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 36529891
Ah alternatively, if you have split the computer and user group policies, create a new RDS/Citrix users group and move all of your users into them.

On the actual group policy, you can put a deny on there for that group for the policy.

But, bear in mind, that in both of these examples, they will not get ANY of the policies (1st answer I gave) or ANY of the denied policies (2nd - this - answer)

So you may want to create a RDS/Citrix-specific group policy and only apply that to the OU/Users.

You have a number of options on the profile front: use roaming profiles so they're all in a single location, use mandatory profiles that don't get changed, use Citrix profile management (which can be thought of as a hybrid between mandatory and roaming/local) or a third party tool to do something similar.

Roaming are probably simpler at this stage.
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 36529899
Yes - publish a desktop temporarily for the user and then run RSOP.MSC to get a list of them.
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 36529918
Sorry - my fingers are outpacing my thoughts a bit, and I'm getting a bit click-happy on the submit.

To expand on that: When a user logs in via RDS/Citrix, even to a published application, they are still logging onto the server and will process any and all GPO's they normally would.

By publishing the desktop, you can interact with the server to get the resultant set of policies and see exactly which have applied.

If you block inheritance on a OU though, then only GPO's applied directly to that OU will be applied. ALL others from the higher levels (Domain, etc) will not.
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 36529934
Depending how many DC's you have, there may be a delay in everything updating. 90+minutes unless you force a refresh on the domain.
0
 
LVL 19

Author Comment

by:compdigit44
ID: 36530342
I already block the inheritance to my citrix servers OU but this doesn't stop the user GP's from the domain for processing.

Regarding profiles. Is there any way for me to setup the profiles so they are temporary and will be distrory once the users loggs off.  I don;t want a mandaory profiles though
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 19

Author Comment

by:compdigit44
ID: 36531021
Would you recommed using profile management 4.0? Can the profile local be controlled via a Xen Policy through deployment console?
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 36531049
If the policies aren't being blocked - I can only imagine that would be because they require the loopback processing to be applied, but that's usually machine profiles.

You could always do what I suggested and put an explicit deny on the GPO in the policy editor for the Citrix users group you created.

I would recommend the Citrix profile management tool. It's quite powerful and actually whilst a bit complex to initially understand, is fairly simple once you do.
0
 
LVL 19

Author Comment

by:compdigit44
ID: 36531146
Shouls I place the new profile share on a windows server or create a volume on my xenserver??
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 36531273
I would put it where you have the fastest storage.
0
 
LVL 19

Author Comment

by:compdigit44
ID: 36531281
any tips for settings up profile management. Will a local gp work for the profile redirect?
0
 
LVL 19

Author Comment

by:compdigit44
ID: 36535438
If there are setting on the users Active Directory accout that specifiy the TS profile local and there are also GP setting that specify another location which settings take affect??
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 36535513
From memory it'll be the group policy setting that takes precedence, as these are run as the user logs on.
0
 
LVL 19

Author Comment

by:compdigit44
ID: 36535708
can I specifiy the profile management setting via a local group policy instead of a domain?
0
 
LVL 25

Accepted Solution

by:
Tony1044 earned 500 total points
ID: 36535802
I'd have to check for you there - I've never actually tried.

Bear in mind though, that you could still apply a domain based group policy at the OU level, even with inheritance blocked.
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Suggested Solutions

#SSL #TLS #Citrix #HTTPS #PKI #Compliance #Certificate #Encryption #StoreFront #Web Interface #Citrix XenApp
#Citrix #Internet Explorer #Enterprise Mode #IE 11 #IE 8
How to install and configure Citrix XenApp 6.5 - Part 1. In this video tutorial we have explained step by step installation of Citrix XenApp 6.5 Server on Windows Server 2008 R2 is explained in this video. We have explained the difference between…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now