You can. Just deny access to the file itself and it will filter the administrator. It is explained and documented on Jerold's website: http://www.jsiinc.com

Cláudio Rodrigues
Microsoft MVP
Windows Technologies - Terminal Services
http://www.terminal-services.net

_____

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jeff Durbin
Sent: October 8, 2004 5:45 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Using the Citrix desktop......finally

There is no way that I know of to set permissions on the local GPO.

_____

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Robinson, Nick
Sent: Friday, 8 October 2004 2:01 p.m.
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Using the Citrix desktop......finally

What if I were to use a local GPO? I can see where to create the policies but not exempt the admin in local.

Nick

-----Original Message-----
From: Jeff Durbin [mailto:techlists@xxxxxxxxxxxxx]
Sent: Friday, October 08, 2004 3:50 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Using the Citrix desktop......finally

That's fine if you want those users to receive the same GPO restrictions when they log onto a local machine. The alternative to this is to move your Citrix servers into an OU, apply one or more Group Policy objects to the OU, and enable loopback processing for those GPOs (technically, you need to enable loopback only on the first GPO that will apply to the Citrix servers, but there's no harm in setting it on all of the GPOs that apply to the Citrix servers in case you add/remove/change priority). Then use permissions on the Group Policy objects to determine what users receive the GPOs' user settings.

_____

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of John Hardwick
Sent: Friday, 8 October 2004 12:08 p.m.
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Using the Citrix desktop......finally

Nick,

You need to make a different OU to put the users in vs the admins... put like the admin in the top level and then the users below them in their own OU or something. Group policy objects can only be applied at the OU level.

John Hardwick
President
nXio, LLC.
913-754-8120 x125
www.nxio.net

_____

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Robinson, Nick
Sent: Friday, October 08, 2004 1:58 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Using the Citrix desktop......finally

I should know this, I admit, but when setting these Group Policies, how can I exclude the admin account or any other account? I'm setting the policy so the users can't see the A, C, D drives but I still want the Admin to see them.

Thanks
Nick

-----Original Message-----
From: John Hardwick [mailto:jhardwick@xxxxxxxx]
Sent: Wednesday, October 06, 2004 3:40 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Using the Citrix desktop......finally

Nick,

A couple of notes... I'm going to assume you're on 2k or 2003 with group policy.

1. There is a group policy that will let you hide server drives as well as prevent access to them.

2. Remove all of the new document types from the default user template directory to keep users from right clicking and creating new document types.

3. That leads to this one which is again removing the ability to save / run things from the desktop. Given traditional group policy options there is nothing to prevent a user from saving a txt file to the desktop per se and then renaming it to a cmd script and running it. You are able to bypass command prompt restrictions etc that way. There is however a group policy option to disable content menus in explorer. I am pretty sure there is a way with software restrictions under group policy to prohibit .cmd scripts from running from locations other than those you specify though.

4. If you remove the run command from the start menu you may notice some oddities with IE where a user types in "http://URL" vs "URL" (or other way around) and receives an error message. I haven't tested this yet to see if things changed in 2K3. There was no workaround last I knew.

5. I personally redirect all of the user's profile parts to UNC shares... their desktop, start menu, etc. This allows for fewer problems when roaming and if the user for example has a file they save to their desktop on their "desktop connection" it still allows for it to be available if they have a published app open on another server.

These were my quick thoughts. I've always tried to push users more and more and more towards published apps mostly to help with load balancing but it also really helps with the security concerns.

- John.

John Hardwick
President
nXio, LLC.
913-754-8120 x125
www.nxio.net

_____

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Robinson, Nick
Sent: Wednesday, October 06, 2004 3:32 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Using the Citrix desktop......finally

I normally give my users applications to work with in Citrix and NOT the entire desktop since we only use Citrix for a couple of applications across a frame relay circuit, works great. But... we are spreading our wings. I have installed a frame relay circuit to the UK and now trusting domains. Now I think I've decided to let my new users have a desktop. In the past on this list, I've noticed a lot of conversation about what to let users see/have/use on desktops and I usually disregard these conversations since they really didn't apply to me but now they do.

Finally my questions:

1. In Windows Explorer, I want the users to see the mapped drives and their C$ drives but not the physical drives of the server. How can I make this happen if possible?

2. What do I need to change/add to each desktop? Things that may have bitten you already and would recommend me changing or adding.

Nick Robinson
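
Added example, not written by any poster in this thread: the policy that hides server drives and the policy that prevents access to them (point 1 in John Hardwick's notes, applied to the A, C and D drives Nick asks about) are stored by Explorer as two separate drive bitmasks, the registry values `NoDrives` and `NoViewOnDrive`. The helper below encodes and decodes those masks and reports drives that are hidden but not access-restricted; the function names and the sample values are constructed for illustration.

```python
import string

ALL_DRIVES = 0x03FFFFFF  # 26 bits: bit 0 is A:, bit 25 is Z:


def drives_to_mask(letters):
    """Turn drive letters such as "ACD" into the policy DWORD value."""
    mask = 0
    for ch in letters:
        up = ch.upper()
        if len(up) != 1 or up not in string.ascii_uppercase:
            raise ValueError(f"not a drive letter: {ch!r}")
        mask |= 1 << (ord(up) - ord("A"))
    return mask


def mask_to_drives(mask):
    """Decode a policy DWORD back into the drive letters it covers."""
    if not 0 <= mask <= ALL_DRIVES:
        raise ValueError(f"mask outside the 26 drive bits: {mask:#x}")
    return "".join(
        letter
        for bit, letter in enumerate(string.ascii_uppercase)
        if (mask >> bit) & 1
    )


def audit(no_drives, no_view_on_drive, must_restrict):
    """Compare both policy values with the drives that should be locked down.

    visible:              drive icon is still shown to the user
    hidden_but_reachable: icon hidden, but access is not prevented, so the
                          drive still opens when a path is typed
    locked:               hidden and access prevented
    """
    want = drives_to_mask(must_restrict)
    hidden = want & no_drives
    return {
        "visible": mask_to_drives(want & ~no_drives),
        "hidden_but_reachable": mask_to_drives(hidden & ~no_view_on_drive),
        "locked": mask_to_drives(hidden & no_view_on_drive),
    }


# Constructed sample: A, C and D are hidden, but access is prevented
# only for C and D.
SAMPLE = audit(no_drives=13, no_view_on_drive=12, must_restrict="ACD")
```

Both values are per-user settings, so they follow whichever GPO user settings the loopback and permission filtering described in the thread deliver to the account.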