Citrix Policies/Lockdown

Posted on 2011-10-17
Last Modified: 2012-05-12
We are in the process of testing 2 new XenApp servers (XenApp 6.5). As a base install, Domain Users can log onto a published Desktop. With this access they can get to Control Panel and Administrative Tools on the server. In XenApp there is a location for Policies. Does this override GPO? Which should be used? We will be creating a group called thin clients, and all of the users in that group will be accessing the XenApp server via thin client. For these logins the user is to have no access to Control Panel, should have no access to the administrative tools of the server or network configuration, and hard drives of the server should be hidden. Drive mappings are provided via logon scripts for file storage etc.

Where is the best area to set these options - GPO or Citrix Policies? Is there a template available that does most of these things that can be tweaked for our network requirements?
Question by: kingsville
    LVL 14

    Expert Comment

    Where you can set a policy for RDS vs. Citrix, always set via Citrix.  For example, you can configure timeout settings via RDS policies and XenApp policies.  Not only is that best from a consistency standpoint, but it's also best when troubleshooting.

    To take it one step further, make sure that you always configure your Citrix policies via the same mechanism: AppCenter vs. AD Group Policy Management Console.  These two mechanisms keep the policies in different places (IMA Data Store vs. AD GPO).

    Author Comment

    I am locking down via Group Policies with the assistance of WTS.Labs - Terminal Services: From A to Z from Claudio Rodrigues. The document is a couple of years old and does not cover Windows 2008 completely. Attached is a screenshot from a thin client connection to the XenApp server. How can I remove the link to Administrative Tools shown in the shot, as I do not want users to access it?

    Also, in an effort to control profile sizes, I attempted to redirect users' desktops to a shared folder on the file server, as well as another share pointing to a common start menu - no files write to the shares even when share permissions are set at FC and required groups are set to FC. Is something specific required in Windows 2008 for one server to write to a share on another folder?

    Author Comment

    I have worked out all the lockdown settings that I want in place as a starting point with the exception of needing to remove the Administrative Tools located on the right side of the above screenshot. Does anyone know how to remove this from the user sessions?

    Accepted Solution

    I found the answer myself - on the XenApp servers, I made a copy of the Programs group and called it Programs - Admin, and then modified the original group and removed Administrative Tools from the list of Programs. When a user logs on they now do not see it as a listed option, and the Administrative Tools to the right that I was trying to eliminate now says Empty. If I log in as Admin, I can see the Programs - Admin folder and still access all the tools.

    Author Closing Comment

    No one else offered anything and I worked out a solution on my own
