Policy Priority

Policy Priority

You need to understand two different types of policy priority for MPS exam 223. The first deals with the way user policies override similar MetaFrame farm or server settings, while the second looks at the way user policies override other user policies assigned to the same user during logon.

MetaFrame Server Settings and User Policies

When user policies conflict with existing MetaFrame farm, server, or client settings, the user policies always take precedence, with two exceptions:

  • When encryption settings are defined in a user policy, they override MetaFrame farm, server, or client encryption settings only if they are stronger. For example, if the minimum accepted encryption level for a connection is set to 128 bit on a MetaFrame server, a user policy that has a rule setting this level to 56 bit is ignored.

  • If the MetaFrame farm, server, or client has defined a more restrictive shadowing configuration, it overrides a less- restrictive setting in a user policy.

Note

Similar precedence rules also apply to Microsoft Group Policy Objects. If a Microsoft Group Policy specifies a more restrictive configuration than a MetaFrame user policy, the Microsoft GPO typically takes precedence. Although specific details on these Microsoft policies are not required for the exam, be certain that you understand that this situation can arise and that unexpected MetaFrame user policy behavior may be due to Microsoft GPO settings that are also in effect.


MetaFrame User Policy Priorities

In MetaFrame, user policies are given a priority ranking starting at 1, the highest, and decreasing in priority as the value increases . The closer the priority number to 1, the higher the ranking compared to other policies. Figure 7.3 shows four policies defined for the server farm, ranked from 1 through 4. If a user connecting to a MetaFrame server is assigned more than one of these policies, they are applied in order starting from 4 and working up to 1. In Figure 7.3, the Order Desk Policy is ranked lowest , and the Low Bandwidth Policy is ranked highest.

Figure 7.3. When a user is assigned multiple policies, the rules are applied based on the policy's ranking, starting at the highest number and counting down to number 1.

If a user is assigned the Order Desk Policy, All Users Policy, and Low Bandwidth Policy, the corresponding rules for each policy would be applied in order of ranking, with the rules in the Low Bandwidth Policy having the final say in how the client session may be configured.

As we already mentioned, a specific policy rule can be set to one of three states:

  • Not Configured This rule is ignored by the connecting user. If a lower-priority policy has this rule assigned a different state, the lower-priority rule is used.

  • Disabled The specific rule is disabled. This setting overrides any instance of the rule that has been enabled in lower-priority policies. This rule remains disabled unless overridden by a higher rule that enables this setting.

  • Enabled When enabled, the properties for the rule are applied to the connecting user, unless disabled by a higher-priority rule.

Whether a policy is enabled or not is best described with a demonstration. Assume that in the four policies shown in Figure 7.3, each has the rules Turn Off Menu Animation and Turn Off Desktop Wallpaper defined, as shown in Table 7.1.

Table 7.1. MetaFrame Policy Priority Example

Rank

Policy

Rule/State

 
   

Turn off menu animation

Turn off desktop wallpaper

1

Low Bandwidth Policy

Enabled

Enabled

2

All Users Policy

Not Configured

Not Configured

3

Customer Service Policy

Disabled

Not Configured

4

Order Desk Policy

Enabled

Enabled


The final state for these rules depends on what policies are applied when a user logs on. If the Low Bandwidth Policy is applied, both of these rules are enabled because this is the highest priority rule. If a user belongs to both Order Desk Policy and Customer Service Policy, the two rules have the states Disabled and Enabled, respectively. The reason is that Customer Service Policy, with its higher ranking, takes precedence over Order Desk Policy, forcing the Turn Off Menu Animation setting to Disabled.

Alert

Unlike stronger encryption and more restrictive shadowing settings that take priority when defined for the MetaFrame farm, server, or client, within user policies, shadowing and encryption settings are affected by policy order. If a higher-level policy defines a weaker encryption level, it overrides a stronger encryption level that may have been defined in a lower-ranked policy. Understanding this subtle difference is an important part of being properly prepared for the exam.


When a new policy is created, it is automatically assigned the lowest available priority. You can then modify the policy's priority either by highlighting the policy and selecting the up or down arrows located on the Management Console toolbar, or by right-clicking on the policy and selecting the appropriate arrow from the Priority menu.

Note

Pay special attention to any rule that is being disabled. In most cases, disabling a rule simply means that if it was enabled in a lower-ranked policy, it is now effectively not configured, meaning it has no effect. It does not mean that the opposite setting is now enabled.

A good example is the Turn Off Desktop Wallpaper rule. When this rule is enabled, you force the desktop wallpaper to be turned off. But disabling the rule simply cancels out any instance in which it may have been enabled in a lower rule. Hence, the desktop wallpaper is no longer forced to be turned off. It does not mean that the wallpaper is now going to be forced to be turned on.

This subtle difference is a source of confusion for many administrators when they first become involved in working with MetaFrame user policies.


Policy Exceptions

The ability to prioritize MetaFrame user policies makes it simple to create special exception policies that grant (or deny) access to certain features. For example, you may have a policy that enables server-to-client content redirection to all MetaFrame users, but a special exception rule that has been created and assigned a higher ranking specifically disables this rule when users belong to a group restricting such access.

Another example involves restricting access to client printers for all users in the organization except for those users who belong to a special printer access group. Creating a special policy specifically to override a lower-ranked policy setting is commonly referred to as creating a policy exception.

When asked to define an exception to a policy, you're simply being asked to create a policy that will counteract something that has already been defined for a more general group of users.



Citrix CCA MetaFrame Presentation Server 3. 0 and 4. 0 Exam CramT (Exams 223 and 256)
Citrix CCA MetaFrame Presentation Server 3. 0 and 4. 0 Exam CramT (Exams 223 and 256)
ISBN: N/A
EAN: N/A
Year: 2003
Pages: 199

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net