[THIN] Re: Using the Citrix desktop......finally
- From: "Robinson, Nick" <NRobinson@xxxxxxxxxxxxxxxx>
- To: <thin@xxxxxxxxxxxxx>
- Date: Fri, 8 Oct 2004 13:58:12 -0500
I should know this, I admit but when setting these Group Policies, how
can I exclude the admin account or any other account. I'm setting the
policy so the users can't see the A,C,D drives but I still want the
Admin to see them.
Thanks
Nick
-----Original Message-----
From: John Hardwick [mailto:jhardwick@xxxxxxxx]
Sent: Wednesday, October 06, 2004 3:40 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Using the Citrix desktop......finally
Nick,
A couple of notes... I'm going to assume your on 2k or 2003 with group
policy
1. There is a group policy that will let you hide server drives as
well as prevent access to them.
2. Remove all of the new document types from the default user
template directory to keep users from right clicking and creating new
document types.
3. That leads to this one which is again removing the ability to
save / run things from the desktop. Given traditional group policy
options there is nothing to prevent a user from saving a txt file to the
desktop per say and then renaming it to a cmd script and running it.
You are able to bypass command prompt restrictions etc that way. There
is however a group policy option to disable content menus in explorer.
I am pretty sure there is a way with software restrictions under group
policy to prohibit .cmd scripts from running from locations other than
those you specify though.
4. If you remove the run command from the start menu you may
notice some oddities with IE where a user types in "http://URL"; vs
"URL" (or other way around) and receives an error message. I haven't
tested this yet to see if things changed in 2K3. There was no work
around last I knew.
5. I personally redirect all of the user's profile parts to UNC
shares... their desktop, start menu, etc. This allows for fewer
problems when roaming and if the user for example has a file they save
to their desktop on their "desktop connection" it still allows for it to
be available if they have a published app open on another server.
There were my quick thoughts. I've always tried to push users more and
more and more towards published apps mostly to help with load balancing
but it also really helps with the security concerns.
- John.
John Hardwick
President
nXio, LLC.
913-754-8120 x125
www.nxio.net
_____
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Robinson, Nick
Sent: Wednesday, October 06, 2004 3:32 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Using the Citrix desktop......finally
I normally give my users applications to work with in Citrix and NOT the
entire desktop since we only use Citrix for a couple of applications
across a frame relay circuit, works great. But..... we are spreading our
wings. I have installed a frame relay circuit to the UK and now trusting
domains. Now I think I've decided to let my new users have a desktop. In
the past on this list, I've noticed a lot of conversation about what to
let users see/have/use on desktops and I usually disregard these
conversations since they really didn't apply to me but now they do.
Finally my questions:
1. in windows explorer, I want the users to see
the mapped drives and their C$ drives but not the physical drives of
server. How can I make this happen if possible?
2. What do I need to change/add to each
desktop? Things that may have bitten you already and would recommend me
changing or adding.
Nick Robinson
Other related posts:
