Hiding Citrix and Admin tools from users

Started by Kevin Goosic , 27 September 2012 - 01:11 AM
4 replies to this topic

Kevin Goosic Members

Kevin Goosic
  • 14 posts

Posted 27 September 2012 - 01:11 AM

Hello;
I recently installed a XenApp 6.5 server (with Microsoft TS, or rather RDS, server as well).

I have been trying to hide the Admin tools / programs and the Citrix Admin tools from users when they access via Web Interface 4.5, and to prevent them from shutting the server down.

I have tried several of the various suggestions gleaned from internet searches without much luck.

I'm hoping that someone here might be able to provide or point me to a clear answer on how to do this.

Any help would be appreciated.

K

Edited by: kgoosic01 on Sep 27, 2012 1:59 PM

Edited by: kgoosic01 on Sep 28, 2012 3:29 PM



Mats Hofvander Members

Mats Hofvander
  • 560 posts

Posted 27 September 2012 - 06:51 AM

Hi
In the thread below you will find policy templates that you can import to a group policy to hide the Administrative Tools folder in start menu for the users that the policy applies to.
http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/4a129b22-84c5-4bc6-8fb5-f2291f227cc0

This document describes which policy to enable to prevent access to shutdown etc.
http://scorpiotek.com/blog/?p=626

Good luck
/Mats



Kevin Goosic Members

Kevin Goosic
  • 14 posts

Posted 30 September 2012 - 09:06 AM

Mats,
Thank you for your reply.
I have been working / testing this over the past couple of days with your suggestions, with some success. Thanks for the feedback.

However I was wondering about the Enhanced Desktop Experience.

I have installed the feature using the scripts in PowerShell as described in various articles on the net.

I believe I have installed / configured everything correctly up to a point. I was hoping someone here could confirm my settings and maybe provide a bit of additional guidance, especially about the loopback policy part.

Process / current config

A. OU Setup

In ADU&C > Right click on Domain (xxx.net) > New Organizational Unit > Created 2 new OUs
- XenApp Server
  - Added my Citrix server > META02
- XenApp Users
  - Created a new security group named Xen App Users
  - Added Domain Users to this new group.

B.
- Installed the Enhanced Desktop Experience.
- Confirmed presence of the following policies (Group Policy Management > Group Policy Objects)
  - CtxPersonalizableUser
  - CtxRestrictedComputer
  - CtxRestrictedUser
  - CtxStartMenuTaskbarUser
- I linked all of these to my XenApp OU (R click XenApp Server OU > Link an Existing GPO... > Selected Policy Object)

C. The questions I have.
- Did I set my OUs up correctly?
- According to the documentation I need to do some kind of `Loopback` configuration.
- This loopback config has me kind of confused. How do I do it and what do I execute it on?
- Example
  - I tried to do it on my XenApp Server OU by doing the following:
  - Right click on the XenApp Server > Group Policy Modeling Wizard > and on the second screen I don't know what to select. Do I select the defaults? There are two parts:
    - User Information
      - Container : OU=XenApp Server, DC= xxx,DC=net
      - User: (Blank)
    - Computer Information
      - Container : OU=XenApp Server, DC= xxx,DC=net
      - User: (Blank)
- Should I select the defaults? Or under User Information do I need to select my XenApp Users OU in the User subsection?

Any help would be appreciated.

Thank you
K

Edited by: kgoosic01 on 2012/09/30 18:06

Edited by: kgoosic01 on 2012/09/30 18:27




Mats Hofvander Members

Mats Hofvander
  • 560 posts

Posted 01 October 2012 - 06:34 AM

Hi
The important thing here, to be able to make sure that a GPO is applied only to the XenApp servers, is that you create a separate OU just for the XenApp servers and place the servers there. I don't really see a need for a XenApp users OU, but it's not really wrong; that's more up to you how you want to organize your OUs in Active Directory.

To apply a GPO to users only when they log on to the XenApp servers you create one or more GPOs and link them to the OU where the XenApp servers are located.
Since this OU does not contain any user accounts, the GPOs that are linked to this OU need to be configured to use a setting called group policy loopback processing; otherwise none of the settings in the user part of the GPO will be applied, only the computer settings.
You will find the setting User Group Policy Loopback Processing Mode in each GPO under Computer Configuration\Policies\Administrative Templates\System\Group Policy. Remember that you need to configure this setting in all GPOs where you want to apply user settings on the XenApp servers.
You will find more information about loopback processing in the links below.

http://social.technet.microsoft.com/wiki/contents/articles/windows-server-understand-user-group-policy-loopback-processing-mode.aspx

http://4sysops.com/archives/group-policy-loopback-processing-part-1-usage-scenarios/

http://4sysops.com/archives/group-policy-loopback-processing-part-2-replace-mode-and-merge-mode/

Hope this helps

/Mats
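
A read-only check for the setup described in the reply above, added here as an example (not from the thread or from Citrix): it lists each GPO linked to the server OU and reports whether loopback is configured in it. The OU DN is the placeholder from the post, `Get-LoopbackReport` is a hypothetical helper name, and the GroupPolicy module (GPMC/RSAT) is assumed to be installed.

```powershell
# Added example: audit loopback configuration on GPOs linked to the XenApp server OU.
Import-Module GroupPolicy

$ServerOU = 'OU=XenApp Server,DC=xxx,DC=net'   # placeholder DN taken from the post
# Registry location behind "User Group Policy Loopback Processing Mode"
$Key      = 'HKLM\Software\Policies\Microsoft\Windows\System'
$ModeName = @{ 1 = 'Merge'; 2 = 'Replace' }

function Get-LoopbackReport {
    param([Parameter(Mandatory = $true)][string]$Target)

    foreach ($link in (Get-GPInheritance -Target $Target).GpoLinks) {
        $gpo  = Get-GPO -Guid $link.GpoId
        $mode = $null
        try {
            # Throws when UserPolicyMode is not configured in this GPO
            $mode = (Get-GPRegistryValue -Guid $gpo.Id -Key $Key `
                        -ValueName 'UserPolicyMode' -ErrorAction Stop).Value
        } catch { }

        $loopback = 'NotConfigured'
        if ($null -ne $mode) {
            $loopback = $ModeName[[int]$mode]
            if (-not $loopback) { $loopback = "Unknown ($mode)" }
        }

        [pscustomobject]@{
            Gpo         = $gpo.DisplayName
            LinkEnabled = $link.Enabled
            Enforced    = $link.Enforced
            # UserSettingsDisabled or AllSettingsDisabled means the user-side
            # restrictions in this GPO are never applied, loopback or not.
            GpoStatus   = $gpo.GpoStatus
            Loopback    = $loopback
        }
    }
}

Get-LoopbackReport -Target $ServerOU | Format-Table -AutoSize

# To configure Replace mode in one GPO (name is a placeholder), uncomment:
# Set-GPRegistryValue -Name '<GPO name>' -Key $Key -ValueName 'UserPolicyMode' -Type DWord -Value 2
```

In Replace mode only the user settings from GPOs that apply to the server are processed; in Merge mode the user's own GPOs are processed first and the server-side ones win on conflict. Loopback applies to every user who logs on to those servers, administrators included, unless the GPO's security filtering excludes them.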



Kevin Goosic Members

Kevin Goosic
  • 14 posts

Posted 03 October 2012 - 02:24 AM

Thanks Mats,
Your explanation and posted links were helpful.
In the end I was able to sort out the configuration.
Thank you again.
K