Citrix Policies/Lockdown

Posted on 2011-10-17
Medium Priority
Last Modified: 2012-05-12
We are in the process of testing 2 new XenApp servers (XenApp 6.5). As a base install, Domain Users can log onto a published Desktop. With this access they can access Control Panel and Administrative Tools on the server. In XenApp there is a location for Policies. Does this override GPO? Which should be used? We will be creating a group called thin clients and all of the users in that group will be accessing the XenApp server via thin client. For these logins the user is to have no access to Control Panel, should have no access to the administrative tools of the server or network configuration, and the hard drives of the server should be hidden. Drive mappings provided via logon scripts for file storage etc.

Where is the best area to set these options - GPO or Citrix Policies? Is there a template available that does most of these things that can be tweaked for our network requirements?
Question by: kingsville

Expert Comment

ID: 36981053
Where you can set a policy for RDS vs. Citrix, always set via Citrix. For example, you can configure timeout settings via RDS policies and XenApp policies. Not only is that best from a consistency standpoint, but it's also best when troubleshooting.

To take it one step further, make sure that you always configure your Citrix policies via the same mechanism: AppCenter vs. AD Group Policy Management Console.  These two mechanisms keep the policies in different places (IMA Data Store vs. AD GPO).

Author Comment

ID: 36987509
I am locking down via Group Policies with the assistance of WTS.Labs - Terminal Services: From A to Z from Claudio Rodrigues. The document is a couple of years old and does not cover Windows 2008 completely. Attached is a screenshot from a thin client connection to the XenApp server. How can I remove the link to Administrative Tools shown in the shot, as I do not want users to access it?

Also, in an effort to control profile sizes, I attempted to redirect users' desktops to a shared folder on the file server as well as another share pointing to a common start menu - no files write to the shares even when share permissions are set at FC and required groups are set to FC. Something specific required in Windows 2008 for one server to write to a share on another folder?

Author Comment

ID: 36999480
I have worked out all the lockdown settings that I want in place as a starting point with the exception of needing to remove the Administrative Tools located on the right side of the above screenshot. Does anyone know how to remove this from the user sessions?

Accepted Solution

kingsville earned 0 total points
ID: 37014073
I found the answer myself - on the XenApp servers, I made a copy of the Programs group and called it Programs - Admin, and then modified the original group and removed Administrative Tools from the list of Programs. When a user logs on they now do not see it as a listed option, and the Administrative Tools to the right that I was trying to eliminate now says Empty. If I log in as Admin, I can see the Programs - Admin folder and still access all the tools.

Author Closing Comment

ID: 37043463
No one else offered anything and I worked out a solution on my own.
