

Loopback GPO on Citrix Servers

Posted on 2012-08-13
Medium Priority
Last Modified: 2012-09-30

I will be creating a Loopback group policy on the Citrix servers' OU to prevent access to the Control Panel for users logging into Citrix servers.

I would like to know: do I need to create a single policy for both the loopback and the users' Control Panel settings, or should I be creating two policies, one for loopback settings only and a second for Control Panel restriction settings?

Question by:tech2010
LVL 11

Expert Comment

by:Venugopal N
ID: 38287583
LVL 86

Expert Comment

ID: 38287619
I'd recommend using two; GPOs are easier to manage if you separate the User and Computer configuration settings. User and Computer settings have nothing in common, so it only makes things more complicated to understand if both are mixed in the same GPO.
So create one GPO with the Loopback processing (and other Computer configuration settings if applicable) and permissions for "Authenticated Users", and another GPO "User Restrictions" or whatever with your user restrictions, and use the normal security filtering to make sure the restrictions don't apply to administrators.
Depending on how you organize your GPOs, it might even be recommendable to create a dedicated "Group Policy Loopback Processing" GPO that only enables the loopback processing, and link this to the OUs with the machines that should have LBP enabled; that way, it's immediately clear that the machine in question uses LBP.

Author Comment

ID: 38290678
Thanks oBdA, yes, you are right, it is easier and simpler to have a dedicated policy for loopback. However, because I only want these restrictions to apply to one group of users (not everyone), should I still be applying permissions for "Authenticated Users" for the loopback policy? For example, I have an AD group called "CitrixDenyControlPanel" and I only want these users to be restricted from the Control Panel when logging on or launching published applications. Everyone else, including normal users and administrators, should be able to access it as per now.

Can you please briefly explain how I should apply these permissions, where I should apply them and who to apply them to? Please also tell me about security filtering and how I will be using this.

Also, what is LBP? Thanks.
LVL 86

Expert Comment

ID: 38290806
The Loopback policy is a computer configuration, so it has to apply to the computer object in AD. This is a general setting that just enables the loopback processing, but does nothing more in terms of restrictions. In other words: the AD computer object of the Citrix server(s) needs to be able to apply this policy. Assuming your Citrix servers are in a separate OU (they should be), link the Loopback GPO to this OU and leave the "Authenticated Users" in the Security Filtering (computer objects are "Authenticated Users" as well).
Then create your user restriction GPO, link it to the Citrix OU as well, and in the Security Filtering section of the GPMC (in the Scope tab), remove Authenticated Users and add the group "CitrixDenyControlPanel" instead.
Loopback processing of Group Policy
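
The two-GPO layout described in this comment, scripted with the GroupPolicy PowerShell module as an added example that is not part of the original thread. The OU distinguished name is a placeholder, Merge mode is an assumption (the accepted answer in this thread uses Replace), and "Authenticated Users" is kept at read-only rather than removed because Windows patched with MS16-072 retrieves user GPOs in the computer's security context.

```powershell
# Added example: run on a machine with GPMC/RSAT installed.
Import-Module GroupPolicy

$citrixOu  = 'OU=Citrix Servers,DC=example,DC=com'   # placeholder DN (assumption)
$loopGpo   = 'Group Policy Loopback Processing'      # GPO name suggested in the thread
$userGpo   = 'User Restrictions'                     # GPO name suggested in the thread
$denyGroup = 'CitrixDenyControlPanel'                # AD group named by the asker

# 1. Computer-side GPO: enables loopback processing and nothing else.
#    UserPolicyMode: 1 = Merge, 2 = Replace. Merge is an assumption here; it
#    keeps the policies users already receive from their own OU.
New-GPO -Name $loopGpo | Out-Null
Set-GPRegistryValue -Name $loopGpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null
# Default security filtering (Authenticated Users) stays, so the Citrix
# computer objects can apply this GPO.
New-GPLink -Name $loopGpo -Target $citrixOu -LinkEnabled Yes | Out-Null

# 2. User-side GPO: "Prohibit access to the Control Panel".
New-GPO -Name $userGpo | Out-Null
Set-GPRegistryValue -Name $userGpo `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null
New-GPLink -Name $userGpo -Target $citrixOu -LinkEnabled Yes | Out-Null

# 3. Security filtering: only the restricted group applies the user GPO.
#    -Replace is required to lower an existing permission level; Authenticated
#    Users drops from Apply to Read so the computer account can still read it.
Set-GPPermission -Name $userGpo -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $userGpo -TargetName $denyGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 4. Check: administrators and ordinary users must not show GpoApply here.
Get-GPPermission -Name $userGpo -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

After `gpupdate /force` on a Citrix server, `gpresult /r /scope:user` run as a member and as a non-member of the group shows whether the restriction GPO is applied or filtered out.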
LVL 19

Accepted Solution

basraj earned 2000 total points
ID: 38290875
I think this should help:

1. GPO for the Citrix Users OU -- do not configure, or leave as default, "Prohibit control panel settings". So a Citrix user who logs into any other workstation will have Control Panel access.

2. Create a GPO for the servers OU -- say, for those four Citrix servers. The user settings should say prohibit Control Panel access. Also enable loopback and set it to Replace.

3. Now, in the security filter settings of the GPO, deny "Apply group policy" to the other group and apply it only for the Citrix users group.

I think oBdA uses LBP to refer to loopback processing.


Question has a verified solution.
