BEST PRACTICES

In relation to our case study, CME will be using roaming profiles for all standard users because users need the ability to configure application settings and have those settings roam between servers. Roaming profiles will exist in two locations: a roaming profile for the local workstation, stored on a file server at the same office, and a roaming profile for the Citrix Presentation Server environment, stored on a file server where the Citrix Presentation Servers reside. CME will use local profiles for the administrators and service accounts. Mandatory profiles will be implemented for the kiosk stations that are used as job application terminals at the manufacturing sites. The major challenges of mixing local, roaming, and mandatory roaming profiles are

  • Implementing different group policies for users when they log on to a terminal server

  • Limiting the profile file size

  • Locking down the desktop

  • Eliminating inappropriate application features

  • Limiting access to local resources

  • Controlling application availability

In order to overcome these challenges, CME will use Group Policy to redirect appropriate folders to minimize profile size, lock down the desktop environment, and eliminate inappropriate application features. Citrix user policies and published applications will be used to limit access to local resources, define shadow permissions, and control application availability.

Implementing Different Group Policies for Users When They Log On to a Terminal Server

Since the Terminal Servers are special-use computers within the environment, users should have different settings and configurations applied to their environment when they log on to the Citrix Presentation Servers than when they log on to a local workstation or laptop. The processes for achieving this are listed next.

  1. Create a separate OU in Active Directory for the Citrix Presentation Servers.

  2. Move the Citrix Presentation Servers to the newly created OU.

  3. Create and apply a new Group Policy to the Citrix Presentation Server OU.

  4. Assign appropriate permissions to the Group Policy.

  5. Enable loopback processing within the Group Policy Object.

Creating a Separate OU in Active Directory for the Citrix Presentation Servers

Follow these steps, as illustrated in Figure 15-8, to create a separate OU in Active Directory:

  1. Choose Start | Programs | Administrative Tools | Active Directory Users And Computers.

  2. Select Action | New | Organizational Unit.

  3. Enter the name for the OU that will house the Citrix Presentation Servers. Click OK.

Figure 15-8: Creating a separate OU for Citrix Presentation Servers

Moving the Citrix Presentation Servers to the Newly Created OU

Perform the following steps to move the Citrix Presentation Servers to the newly created OU:

  1. Locate a Citrix Presentation Server (found in the Servers or Computers OU), right-click it, and choose Move.

  2. Select the newly created OU dedicated for Citrix Presentation Servers and click OK.

  3. Repeat this process for all Citrix Presentation Servers.

Creating and Applying a New Group Policy to the Citrix Presentation Server OU

Figure 15-9 shows the creation of a new Group Policy. Follow these steps to create a new Group Policy:

  1. Right-click the OU and select Properties.

  2. Choose the Group Policy tab.

  3. Click New.

  4. Enter an appropriate name for the Group Policy.

Figure 15-9: Creating a new Group Policy

Assigning Appropriate Permissions to the Group Policy

Figures 15-10 and 15-11 show the application and denial of Group Policies by group. The steps to apply or remove a Group Policy are

  1. Select the Group Policy Object and click Properties.

  2. Select the Security tab.

  3. Add and remove appropriate users and groups (deny the Apply Group Policy attribute to any user or group to which the Group Policies should not apply).

Figure 15-10: Applying the Group Policy to the Citrix users group
Figure 15-11: Denying the Group Policy to the Domain Admins group

Enabling Loopback Processing Within the Group Policy Object

Figures 15-12 and 15-13 show how to enforce Group Policy loopback processing and how to change the loopback mode setting to Replace. The steps are as follows:

  1. Select the Group Policy Object and click Edit.

  2. Choose the Computer Configuration | Administrative Templates | System | Group Policy folder and double-click User Group Policy loopback processing mode.

  3. Check the radio button next to Enabled.

  4. Set the mode to Replace or Merge, depending on the user environment.

Figure 15-12: Enabling Group Policy loopback processing
Figure 15-13: Setting loopback mode to Replace
Note

"Replace" means that the User Configuration settings defined in the Group Policy Object for this OU replace the User Configuration settings normally applied to the user through Group Policy. "Merge," on the other hand, means that the user settings defined in the computer's Group Policy Objects and the user settings normally applied to the user are combined. If the settings conflict, the user settings in the computer's Group Policy Objects take precedence over the user's normal settings.
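The five-step procedure above (separate OU, move the servers, new GPO, permissions, loopback) can also be scripted. The following is an added example, not code from the book, and it uses the ActiveDirectory and GroupPolicy PowerShell modules that ship with RSAT on Windows Server 2008 R2 and later rather than the Windows Server 2003 tools the figures show; the GUI steps are unchanged. The OU name, GPO name, group name and server names are assumptions for the CME case study. One deliberate difference from the book: Set-GPPermission cannot write an explicit Deny ACE, so instead of denying Apply Group Policy to Domain Admins it removes the default Authenticated Users apply right and grants apply only to the Citrix users group, which achieves the same result for administrators while keeping Read for the servers so loopback can evaluate the GPO.

```powershell
# Added example (not from the book): scripted equivalent of the loopback GPO
# procedure. All names below are assumptions; adjust to your environment.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn  = (Get-ADDomain).DistinguishedName
$ouName    = 'Citrix Presentation Servers'
$ouDn      = "OU=$ouName,$domainDn"
$gpoName   = 'Citrix Presentation Servers Policy'
$citrixGrp = 'Citrix Users'            # group that should receive the user settings
$servers   = @('CTXPS01', 'CTXPS02')   # constructed sample server names

# Step 1: create the OU (idempotent, protected from accidental deletion).
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# Step 2: move each Presentation Server computer object into the OU.
foreach ($name in $servers) {
    $computer = Get-ADComputer -Identity $name
    if ($computer.DistinguishedName -notlike "*,$ouDn") {
        Move-ADObject -Identity $computer.DistinguishedName -TargetPath $ouDn
    }
}

# Step 3: create the GPO and link it to the OU.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Loopback user settings for Citrix Presentation Servers'
}
$linked = (Get-GPInheritance -Target $ouDn).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null
}

# Step 4: security filtering. Remove the default "Authenticated Users" apply
# right, grant Apply only to the Citrix group, and keep Read for the computer
# accounts so the servers can still process the GPO in loopback mode.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $citrixGrp -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead | Out-Null

# Step 5: enable loopback processing. UserPolicyMode 2 = Replace, 1 = Merge.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# Quick check: who can apply the policy and whether the link is in place.
Get-GPPermission -Name $gpoName -All | Select-Object Trustee, Permission
(Get-GPInheritance -Target $ouDn).GpoLinks | Select-Object DisplayName, Enabled, Enforced
```

After the servers refresh policy (or `gpupdate /force` on one of them), `gpresult /r` run as a test user in a Citrix session should list the new GPO under the user settings, while an administrator's session should not.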

Limiting the Profile File Size

Profiles tend to grow in size over time. This is largely due to users saving documents in their My Documents folder, dragging items onto their desktop, or saving information into the Application Data folders contained in the profile. To keep profile sizes to a minimum for our case study, CME will configure network shares to store profiles and configure the preceding folders for redirection to the user's home directory using Group Policy. CME will store terminal server profiles in a share called TS_Profiles. This helps to distinguish them from the normal profiles used on client operating systems, which will be stored in a share called NT_Profiles.
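Before deciding which folders to redirect, it helps to measure where the bulk of each profile actually lives. The script below is an added example, not from the book: it walks the TS_Profiles share from the case study, totals each profile, and reports how much of it sits in the three folders the text singles out (Application Data, Desktop, My Documents). The share path, the 30 MB threshold and the Windows Server 2003 folder names are assumptions.

```powershell
# Added example (not from the book): audit roaming profile sizes on the
# TS_Profiles share and show how much is in the redirectable folders.
$profileRoot = '\\FileServer\TS_Profiles'              # share from the case study
$limitMB     = 30                                      # constructed threshold
$watched     = @('Application Data', 'Desktop', 'My Documents')

function Get-FolderSizeMB {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 0 }
    $bytes = (Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
              Measure-Object -Property Length -Sum).Sum
    if (-not $bytes) { return 0 }
    return [math]::Round($bytes / 1MB, 1)
}

$report = foreach ($profile in Get-ChildItem -LiteralPath $profileRoot -Directory) {
    $total = Get-FolderSizeMB -Path $profile.FullName
    # Size of each folder the book recommends redirecting to the home directory.
    $breakdown = foreach ($name in $watched) {
        [pscustomobject]@{
            Folder = $name
            MB     = Get-FolderSizeMB -Path (Join-Path $profile.FullName $name)
        }
    }
    $redirectable = ($breakdown | Measure-Object -Property MB -Sum).Sum
    [pscustomobject]@{
        User           = $profile.Name
        TotalMB        = $total
        RedirectableMB = $redirectable
        OverLimit      = ($total -gt $limitMB)
        LargestFolder  = ($breakdown | Sort-Object MB -Descending | Select-Object -First 1).Folder
    }
}

# Largest profiles first; the CSV lists only those over the threshold.
$report | Sort-Object TotalMB -Descending | Format-Table -AutoSize
$report | Where-Object { $_.OverLimit } |
    Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP 'ts_profile_audit.csv')
```

A high RedirectableMB relative to TotalMB confirms that folder redirection will shrink the profile; a profile that stays large after redirection usually means an application is writing into Local Settings or directly into the profile root, which needs a per-application fix rather than more redirection.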

The redirection of the Application Data, Desktop, and My Documents folders is configured within the existing Group Policy assigned to the Presentation Servers' OU, as shown in Figure 15-14. To configure redirection, follow these steps:

  1. Edit the existing Citrix Presentation Servers policy from within the Group Policy Object Editor.

  2. Open User Configuration | Windows Settings | Folder Redirection.

  3. Right-click Application Data and select Properties.

  4. The Setting field option should be set to Basic - Redirect everyone's folder to the same location.

  5. The Target Folder Location option should be set to Create A Folder For Each User Under The Root Path.

  6. Set the root path to the location of the user's home directory (\\FileServer\Home).

  7. Follow steps 3 to 6 for Desktop and My Documents.

Figure 15-14: Settings for Application Data redirection
Note

Folder redirection through Group Policy is only available with Active Directory domains.

Locking Down the Desktop

The amount of control that users are given over their desktop environments varies from organization to organization. Securing the desktop can be accomplished in many ways, including

  • Using Group Policy to redirect the Desktop and Start menu folders to a common read-only folder on a network share and to limit the functionality of the Windows Explorer shell.

  • Using a third-party utility such as RES PowerFuse, triCerat's Simplify Lockdown, or AppSense Application Manager for desktop lockdown and folder redirection.

  • Using Group Policy to completely remove Desktop, Start menu, and Windows Explorer shell functionality and using the Citrix Program Neighborhood Agent client executed from the Presentation Server desktop.

In reference to the CME case study, CME will use one of the third-party utilities to assist with implementing a locked-down desktop environment and use Group Policy to assist with redirecting critical folders (such as My Documents, Application Data, and Desktop) to the user's home directory.

Eliminating Inappropriate Application Features

Many common applications, such as the Microsoft Office 2003 Suite, have features that are not appropriate for an on-demand access environment. An example of this type of feature is the Office Assistant that represents the help interface in the Office 2003 product line. The Office Assistant utilizes unnecessary resources and, because of the animated graphic, does not perform well in a Citrix Presentation Server environment. Many common applications have compatible template files for Group Policy. The Office 2003 template file is office11.adm. These template files can be added to the Group Policy by right-clicking one of the Administrative Template areas in the Group Policy Management Console and clicking Add/Remove Templates. By clicking the Add button, an administrator can browse to the appropriate template file and add it to the Group Policy Management Console. The template files are located in the %systemroot%\inf directory if the application has been installed on that server; otherwise, they can be copied from the product media.

Another common area of concern is applications that display splash screens at initialization. Many of these, such as Net Meeting and Internet Explorer, can be controlled via Group Policies. Several other applications have command-line switches that enable an administrator to publish the application to users with these graphics suppressed.

Custom .adm files can be created to add additional policies as well as custom Registry settings through the Group Policy interface. For more information on writing custom .adm files, please refer to Microsoft support article number 323639.
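The following is an added example, not from the book, of what a custom .adm file looks like and how it is paired with the registry value it controls. It writes a small template into the GPO's Adm folder in SYSVOL so the setting appears under Administrative Templates, then sets the same value directly with Set-GPRegistryValue from the GroupPolicy module. The application name, registry key and value name (CME\ExampleApp, ShowSplashScreen) are hypothetical placeholders standing in for a real application's splash-screen switch; the GPO name is assumed. Keeping the key under Software\Policies means the value is removed when the policy no longer applies, rather than tattooing the profile.

```powershell
# Added example (not from the book): a custom .adm template plus the matching
# registry policy value. Key, value and application names are placeholders.
Import-Module GroupPolicy

$gpoName = 'Citrix Presentation Servers Policy'

# Minimal .adm: one user-side policy that writes a DWORD when enabled.
# VALUEON is written when the policy is Enabled, VALUEOFF when Disabled.
$admText = @'
CLASS USER

CATEGORY !!CME_Apps
    POLICY !!SuppressSplash
        KEYNAME "Software\Policies\CME\ExampleApp"
        EXPLAIN !!SuppressSplash_Help
        VALUENAME "ShowSplashScreen"
        VALUEON NUMERIC 0
        VALUEOFF NUMERIC 1
    END POLICY
END CATEGORY

[strings]
CME_Apps="CME Application Settings"
SuppressSplash="Suppress ExampleApp splash screen on startup"
SuppressSplash_Help="Enabled: ExampleApp starts without its splash screen. Disabled: the splash screen is shown. Not Configured: the application default applies."
'@

# Place the template in the GPO's own Adm folder so GPMC picks it up for this GPO.
$gpo    = Get-GPO -Name $gpoName
$admDir = "\\$($gpo.DomainName)\SYSVOL\$($gpo.DomainName)\Policies\{$($gpo.Id)}\Adm"
New-Item -ItemType Directory -Path $admDir -Force | Out-Null
Set-Content -Path (Join-Path $admDir 'cme-apps.adm') -Value $admText -Encoding Default

# Set the value the template describes; this is what "Enabled" writes to registry.pol.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Policies\CME\ExampleApp' `
    -ValueName 'ShowSplashScreen' -Type DWord -Value 0 | Out-Null

# Confirm the value is now part of the GPO's user configuration.
Get-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Policies\CME\ExampleApp'
```

The same pattern covers any setting an application reads from the registry: find the key the vendor documents for the feature, describe it in the .adm so other administrators can see and change it in the console, and let Group Policy rather than a logon script deliver it.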

Limiting Access to Local Resources

Local resource access can be controlled through two methods. The first method is through the use of the Citrix Connection Configuration console, accessed by editing the properties of the ica-tcp or ica-ipx connection. The problem with this tool is that it has to be configured on each server individually and applies to all users logging on to the server.

The better method is to use Citrix User Policies. An example of allowing access to local drives follows. A separate policy can be configured to deny drive access, along with any other custom settings needed for different local LPT or COM port access. The following steps are required to set up different local drive access rules per user or group:

  1. Open the Citrix Management Console and log on as a full Citrix administrator.

  2. Right-click Policies and select Create Policy.

  3. Enter a descriptive policy name and click OK.

  4. Double-click the new policy to display the properties.

  5. Open the Client Devices section.

  6. Click Client Drive Mapping.

  7. Click the radio button for Rule Enabled.

  8. Click the selection box next to the drives that should not be available to the user or group.

  9. Click Connect Client Drives.

  10. Click the radio button for Rule Enabled.

  11. Click the radio button for Connect Client Drives at Logon.

  12. Go back to the Client Devices section and enable access to other local resources such as COM and LPT ports and printers.

  13. Click OK to close the Allow Drive Access Properties dialog.

  14. Right-click the policy and click Assign Users.

  15. Add the users and groups to which this policy will apply.

  16. Click OK to close the dialog box and apply the policy to those users.

Controlling Application Availability

Application availability is controlled using Citrix published applications. When published applications are created via the Citrix Management Console (CMC), the administrator grants access to selected groups or users. All of the CME users will get their applications in accordance with published application group membership.

Change Control

We recommend testing all changes and tracking any modifications to policies and profiles through a revision control system. This can be as simple as keeping a written change log or as complex as using revision control software such as Component Software, Inc.'s CS-RCS (http://www.componentsoftware.com/products/rcs/) or Merant's PVCS (http://www.merant.com/Products/ECM/tracker/home.asp). Whatever the case, the important thing is that all personnel involved with administering the system or making changes follow the same change control procedure and have easy access to the tracking systems.


Citrix Access Suite 4 for Windows Server 2003: The Official Guide, Third Edition
ISBN: 0072262893
Year: 2004