Loopback GPO on Citrix Servers

Posted on 2012-08-13
Last Modified: 2012-09-30

I will be creating a Loopback group policy on the Citrix servers' OU to prevent access to the Control Panel for users logging into Citrix servers.

I would like to know: do I need to create a single policy for both the loopback and the user Control Panel settings, or should I be creating two policies, one for loopback settings only and a second for Control Panel restriction settings?

Question by:tech2010
    LVL 11

    Expert Comment

    by:Venugopal N
    LVL 82

    Expert Comment

    I'd recommend using two; GPOs are easier to manage if you separate the User and Computer configuration settings. User and Computer settings have nothing in common, so it only makes things more complicated to understand if both are mixed in the same GPO.
    So create one GPO with the Loopback processing (and other Computer configuration settings if applicable) and permissions for "Authenticated Users", and another GPO "User Restrictions" or whatever with your user restrictions, and use the normal security filtering to make sure the restrictions don't apply to administrators.
    Depending on how you organize your GPOs, it might even be recommendable to create a dedicated "Group Policy Loopback Processing" GPO that only enables the loopback processing, and link this to the OUs with the machines that should have LBP enabled; that way, it's immediately clear that the machine in question uses LBP.

    Author Comment

    Thanks oBdA, yes you are right, it is easier and simpler to have a dedicated policy for loopback. However, because I only want these restrictions to apply to one group of users (not everyone), should I still be applying permissions for "Authenticated Users" on the loopback policy? For example, I have an AD group called "CitrixDenyControlPanel" and I only want these users to be restricted from the Control Panel when logging on or launching published applications. Everyone else, including normal users and administrators, should be able to access it as they do now.

    Can you please briefly explain how I should apply these permissions, where to apply them, and to whom? Please also tell me about security filtering and how I will be using it.

    Also, what is LBP? Thanks.
    LVL 82

    Expert Comment

    The Loopback policy is a computer configuration, so it has to apply to the computer object in AD. This is a general setting that just enables the loopback processing, but does nothing more in terms of restrictions. In other words: the AD computer object of the Citrix server(s) needs to be able to apply this policy. Assuming your Citrix servers are in a separate OU (they should be), link the Loopback GPO to this OU and leave the "Authenticated Users" in the Security Filtering (computer objects are "Authenticated Users" as well).
    Then create your user restriction GPO, link it to the Citrix OU as well, and in the Security Filtering section of the GPMC (in the Scope tab), remove Authenticated Users and add the group "CitrixDenyControlPanel" instead.
    Loopback processing of Group Policy
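
The two-GPO layout described in the comment above, scripted with the GroupPolicy PowerShell module. This is an added example, not part of the original thread: the OU distinguished name is a placeholder, Merge mode is an assumed choice, and the registry values are the ones behind the "loopback processing mode" and "Prohibit access to the Control Panel" policy settings.

```powershell
# Added example (not from the thread). Run where GPMC/RSAT is installed,
# as an account that may create and link GPOs.
Import-Module GroupPolicy

# Placeholder OU DN (assumption); GPO and group names are taken from the thread.
$citrixOu    = 'OU=Citrix Servers,DC=example,DC=com'
$loopbackGpo = 'Group Policy Loopback Processing'
$restrictGpo = 'User Restrictions'
$denyGroup   = 'CitrixDenyControlPanel'

# 1. Computer-side GPO: only turns loopback on. UserPolicyMode 1 = Merge, 2 = Replace.
#    Merge is assumed here so the users' normal policies keep applying.
#    "Authenticated Users" stays in the security filtering (the default),
#    because the Citrix computer objects must be able to apply this GPO.
New-GPO -Name $loopbackGpo | Out-Null
Set-GPRegistryValue -Name $loopbackGpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null
New-GPLink -Name $loopbackGpo -Target $citrixOu | Out-Null

# 2. User-side GPO: the Control Panel restriction, linked to the same OU.
New-GPO -Name $restrictGpo | Out-Null
Set-GPRegistryValue -Name $restrictGpo `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null
New-GPLink -Name $restrictGpo -Target $citrixOu | Out-Null

# 3. Security filtering: only the restricted group gets "Apply".
Set-GPPermission -Name $restrictGpo -TargetName $denyGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Downgrade "Authenticated Users" from Apply to Read instead of removing it:
# since the MS16-072 update (released after this thread), user policy is
# fetched in the computer's context, so the servers need Read on this GPO.
Set-GPPermission -Name $restrictGpo -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 4. Review the resulting ACL before testing a logon.
Get-GPPermission -Name $restrictGpo -All |
    Select-Object @{n='Trustee'; e={$_.Trustee.Name}}, Permission
```

Running `gpresult /r /scope user` in a session on one of the Citrix servers shows whether "User Restrictions" was applied or filtered out for that account.
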
    LVL 19

    Accepted Solution

    I think this should help:

    1. GPO for Citrix Users OU -- Do not configure or leave it as default for "Prohibit control panel settings". So a Citrix user who logs into any other workstation will have Control Panel access.

    2. Create GPO for servers OU -- say for those four Citrix servers -- User settings should say prohibit Control Panel access. Also enable loopback and set it to replace.

    3. Now on the security filter settings of the GPO, deny "apply group policies" to other group and apply only for Citrix users group.

    I think oBdA refers to loopback processing by LBP.
