[THIN] Re: Published Desktop lockdown

  • From: "Carl Stalhood" <cstalhood@xxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Mon, 17 Jul 2006 10:31:12 -0500

Every published desktop I do is managed using PNAgent. 

 

1. Install Web Interface somewhere and create a PNAgent site. (Ensure that
   Pass-Through authentication is enabled and is the default authentication.)

2. Install PNAgent on the Citrix servers.

   A. Use Control Panel > Add/Remove Programs > Citrix MetaFrame
      Presentation Server > Change.

   B. In the components selection screen, check the box next to PNAgent.

   C. Type in the name of the Web Interface server when prompted and enable
      the option for pass-through authentication.

   D. After the change is complete, download the latest ICA Client and
      install it on the Citrix server. (Note: if you install the latest
      client without doing the previous steps, you will not be prompted to
      install PNAgent. If you have already installed the newer client, find
      MetaFrame Access Clients in the Add/Remove Programs list and click
      Change on that to install PNAgent.)

3. Configure group policy to hide Common Program Groups: User Config >
   Admin Templates > Start Menu > Remove common program groups from Start
   Menu.

 

All shortcuts are now managed using published application permissions.
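
Added example, not part of Carl's message or of anyone's post in this thread: a PowerShell check, run inside a published-desktop session, that the Group Policy settings named in the thread took effect. It reads the per-user Explorer policy values those settings write (`NoCommonGroups`, `NoDrives`, `NoViewOnDrive`) and flags server drives that are hidden but not access-blocked; the drive letters C and D and the function names are assumptions.

```powershell
# Added example (PowerShell 3.0+). Audits the HKCU Explorer policy values written by:
#   Remove common program groups from Start Menu -> NoCommonGroups (DWORD 1)
#   Hide these specified drives in My Computer   -> NoDrives      (bitmask)
#   Prevent access to drives from My Computer    -> NoViewOnDrive (bitmask)
$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function ConvertFrom-DriveMask {
    # Bit 0 = A:, bit 1 = B:, ... bit 25 = Z:
    param([int64]$Mask)
    foreach ($i in 0..25) {
        if ($Mask -band ([int64]1 -shl $i)) { [string][char](65 + $i) }
    }
}

function Get-ExplorerPolicy {
    # Reads the live values for the current user; absent values are omitted.
    $found = @{}
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    foreach ($name in 'NoCommonGroups', 'NoDrives', 'NoViewOnDrive') {
        if ($props -and $null -ne $props.$name) { $found[$name] = $props.$name }
    }
    $found
}

function Test-DesktopLockdown {
    param(
        [hashtable]$Policy,
        [string[]]$ServerDrives = @('C', 'D')   # assumption: server-local drives
    )
    $hidden  = @(ConvertFrom-DriveMask ([int64]$Policy['NoDrives']))
    $blocked = @(ConvertFrom-DriveMask ([int64]$Policy['NoViewOnDrive']))
    [pscustomobject]@{
        CommonGroupsRemoved = ($Policy['NoCommonGroups'] -eq 1)
        NotHidden           = @($ServerDrives | Where-Object { $hidden -notcontains $_ })
        # Hidden only: the icon is gone, but a typed path still opens the drive.
        HiddenButReachable  = @($ServerDrives | Where-Object {
                                  $hidden -contains $_ -and $blocked -notcontains $_ })
    }
}

# Constructed sample: C: and D: hidden (4 + 8 = 12), only C: access-blocked (4).
$sample = @{ NoCommonGroups = 1; NoDrives = 12; NoViewOnDrive = 4 }
Test-DesktopLockdown -Policy $sample               # constructed values
Test-DesktopLockdown -Policy (Get-ExplorerPolicy)  # the live session
```

A session where the policy key is missing reports every server drive under `NotHidden`, which is the signal that the GPO did not apply to that user.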

 

  _____  

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Joe Shonk
Sent: Monday, July 17, 2006 9:45 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Published Desktop lockdown

 

PNAgent isn't exclusively for remote clients.  It can be used for a
published desktop in which case PNAgent runs on the server...  Configuration
of PNAgent (including remote clients) is done centrally.

Joe

On 7/17/06, Luchette, Jon <JLuchette@xxxxxxxxxxxxxxx> wrote:

We have been running Citrix for almost 4 years now and have never used
PNAgent.  Isn't there a lot involved with pushing out the client, and
reconfiguring how the users connect?  Almost all of my users come in through
NFuse/CSG... so they only have the web client today.

 

 

_______________________________________________
Jon Luchette
Emerson Hospital
Technology Specialist III
Work: 978-287-3369
Cell: 978-360-1379
jluchette@xxxxxxxxxxxxxxx
_______________________________________________

 

 

 

  _____  

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Joe Shonk
Sent: Monday, July 17, 2006 10:11 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Published Desktop lockdown

Why not PNAgent?  How are you removing Icons users no longer have access to?
We've done logon scripts/databases, etc and found PNAgent is the cleanest
and easiest to use.

Joe

On 7/17/06, Jeff Pitsch <jepitsch@xxxxxxxxx> wrote: 

Use login scripts and copy shortcuts based on group membership.  

 

Jeff Pitsch
Microsoft MVP - Terminal Server

Forums not enough?
Get support from the experts at your business
http://jeffpitschconsulting.com

On 7/17/06, Luchette, Jon <JLuchette@xxxxxxxxxxxxxxx> wrote:

How do you control what applications/shortcuts are on that desktop for these
users?

 

 


 

 

 

  _____  

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Bill Sorenson
Sent: Monday, July 17, 2006 9:04 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Published Desktop lockdown


 

We believe that this is the simplest answer and allows users to control
their own look and feel without risking anything.  We use a folder under
their Home drive location to store the desktop. 

 

We also mark any application shortcuts Read Only to help reduce the issue of
deleted shortcuts to critical applications.  Works great. 

 

Bill

 

Bill Sorenson
Focused Solutions Consulting, Inc.
www.ivdesk.com
612-869-1081
612-868-5786 cell

 

  _____  

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Jeff Pitsch
Sent: Monday, July 17, 2006 8:01 AM
To: thin@xxxxxxxxxxxxx 
Subject: [THIN] Re: Published Desktop lockdown

 

If you're allowing users to write to the desktop, then simply redirect the
desktop.  The redirection does not have to be centralized, you can have a
redirected desktop for each user.

 

Jeff Pitsch
Microsoft MVP - Terminal Server




 

On 7/17/06, Luchette, Jon <JLuchette@xxxxxxxxxxxxxxx> wrote:

I am running into the same issue and I think the only limiting factor with
this suggestion is that users will not have their "own" desktop so they
cannot save files to the desktop or make any other similar changes. 

 

What is the best way to give the users their own desktop so they can save
files to it, and to control what is on the desktop based on group?  With
normal folder redirection I don't think this is doable right??? 

 

 

 


 

 

 

  _____  

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Jeff Pitsch
Sent: Monday, July 17, 2006 8:52 AM
To: thin@xxxxxxxxxxxxx 
Subject: [THIN] Re: Published Desktop lockdown

 

An alternative is to have a centralized desktop with all the icons.  Then
use Access based enumeration and NTFS permissions.  This will only show the
appropriate icons to the appropriate users.  Very simple and very effective.


 

Jeff Pitsch
Microsoft MVP - Terminal Server




 

On 7/14/06, Angela Smith <angela_smith9@xxxxxxxxxxx> wrote:

Greg

Will do some investigation in regards to PNAgent.  Will Flex provide that
lockdown capability?  Do Citrix support flex?  I've heard some good things
about it but was a little concerned with the lack of support.


>From: "Greg Reese" <gareese@xxxxxxxxx>
>Reply-To: thin@xxxxxxxxxxxxx
>To: thin@xxxxxxxxxxxxx
>Subject: [THIN] Re: Published Desktop lockdown
>Date: Sat, 15 Jul 2006 08:02:52 +1200
>
>Use the PNAgent.  That is exactly what it is for.  Put them on mandatory
>profiles or flex profiles.  Then you only have one thing to manage and they
>get the dynamic environment they need.  The result is simple and clean if
>you do it right.
>
>Greg
>
>On 7/15/06, Angela Smith <angela_smith9@xxxxxxxxxxx> wrote:
>>
>>I was thinking that.  Only issue though is I want to be able to create
>>icons based on AD group membership via a login script.  Won't setting the
>>desktop to Read only break this?
>>
>>I vaguely remember reading about people using the PNAgent to create
>>desktop icons in a published desktop.  Is this the best practice way of
>>doing this?
>>
>>
>> >From: "Jim Kenzig http://ThinHelp.com" <jkenzig@xxxxxxxxx>
>> >Reply-To: thin@xxxxxxxxxxxxx
>> >To: thin@xxxxxxxxxxxxx
>> >Subject: [THIN] Re: Published Desktop lockdown
>> >Date: Fri, 14 Jul 2006 05:22:24 -0700 (PDT)
>> >
>> >Just make the desktop folder in the profile read only.
>> >   JK
>> >
>> >cstalhood wrote:
>> >   Have you considered redirecting the Desktop to the user's home
>> >directory?
>> >
>> >-----Original Message-----
>> >From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
>> >Behalf Of Angela Smith
>> >Sent: Friday, July 14, 2006 6:43 AM
>> >To: thin@xxxxxxxxxxxxx
>> >Subject: [THIN] Published Desktop lockdown
>> >
>> >Hi
>> >
>> >I've just built a new farm based on Windows 2003 and Citrix Metaframe
>> >Presentation Server 4. I've published a desktop and am looking for the
>> >best way to lock down the "published desktop". I'm using Group Policy and
>> >have set several settings to lock the published desktop. I have an issue
>> >where I don't want the users to see/access the server's local drives. I've
>> >accomplished this via the following settings:
>> >
>> >User Configuration\Administrative Templates\windows components\windows
>> >explorer\Hide these specified drives in My Computer
>> >User Configuration\Administrative Templates\windows components\windows
>> >explorer\Prevent access to drives from My Computer
>> >
>> >My issue is that the users can create folders on the desktop but cannot
>> >delete them (due to the above Group Policy settings). How can I easily
>> >prevent the users from being able to make any changes to the desktop?
>> >
>> >As a side note, how do people control what icons are created on the
>> >desktop? I was thinking of using a script that copies icons to the
>> >desktop based on AD group membership. Is there a better way to do this?
>> >
>> >Thanks
>> >
>> >************************************************
>> >For Archives, RSS, to Unsubscribe, Subscribe or
>> >set Digest or Vacation mode use the below link:
>> >//www.freelists.org/list/thin
>> >************************************************
