CTX113858 - Group Policy Object (GPO) Settings May Not Get Applied for Streamed Applications

This document was published at: http://support.citrix.com/article/CTX113858

Document ID: *CTX113858*, Created on: Jul 25, 2007, Updated: Jul 25, 2007

Products: Citrix Presentation Server 4.5 for Windows Server 2003, Citrix Presentation Server 4.5 for Windows Server 2003 x64 Edition

*Symptoms*

Group Policy Object (GPO) settings may not get applied for streamed applications.

Example: the "default Save to" directory, that is, setting a "default Save to" directory for an application and configuring that directory to be outside of the isolation environment. Normally, a GPO can be set to accomplish this goal by adjusting the registry so that the option is set when the application is run. With streamed applications, this policy may not get applied.

*Cause*

Application-specific settings are most often written to the registry during installation/profiling, which means that these settings are part of the profiled package. This problem typically occurs in an environment where the desktops are locked down with strict GPOs.

When streaming applications, all GPOs (written to application space or written to HKEY_LOCAL_MACHINE\Software\Microsoft\Policies) get set each time the user logs on. The registry settings are not applied to the isolation space registry, and because the application wrote to the registry at installation, the InstallRoot is looked at and not the local machine (physical registry). The result is that the global set of the GPO is not seen inside isolation and the application is not able to see the registry space.

*Resolution*

Use a pre-launch script that writes to the registry and is configured to run inside of isolation. By running inside of isolation, the script's view of the system is the same as that of the application you are going to execute, and anything that the script writes to the registry is written to the top layer of the isolation space (UserRoot).

The script writes to the registry as if it were writing to the "real" registry, but the activity of the script is intercepted by the isolation system and becomes part of the per-user isolation space.

*Note*: Pre-launch scripts are run before the FIRST application of a profile is executed and post-exit scripts are executed after the FINAL application of a profile terminates.

Note that the .REG file also needs to be a "script" so that it gets included in the profile. That "script" should be marked disabled and should be listed BEFORE the script that is reg.exe. In Presentation Server 4.5, the scripts are extracted from the server image just before execution, so the order of inclusion in the profiler matters.

The same dependencies are needed if a script is an executable that happens to use a .DLL. The DLL has to be included with the profile, and to accomplish that, the DLL is defined as a "disabled" script.

Since this script runs each time (before) the application is launched, the "policy" is written to the user space each time the application is run, and it overwrites things that the application/user may have changed the last time the application was executed. This may be the desired behavior. If instead you want the policy to only make an impact on the first execution, you need to add a flag to the registry or file system to note that the script has already run and should do nothing. In this case, a .BAT or .CMD file would be the better choice for the "script."

--
Jim Kenzig
Microsoft MVP - Terminal Services
http://www.thinhelp.com
Citrix Technology Professional
Provision Networks VIP
CEO The Kenzig Group
http://www.kenzig.com
Blog: http://www.techblink.com
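The run-once pre-launch script described in the resolution, sketched as a .CMD file (an added example, not part of the Citrix article or the original post). The registry key `HKCU\Software\ExampleCorp\StreamedAppPolicy`, the value name `PolicyApplied` and the file name `policy.reg` are hypothetical, and the script assumes the .REG file is extracted to the same folder as the script.

```batch
@echo off
setlocal

rem Hypothetical names, not taken from the article; adjust to your profile.
set "FLAG_KEY=HKCU\Software\ExampleCorp\StreamedAppPolicy"
set "FLAG_VALUE=PolicyApplied"

rem Assumption: the .REG file (included in the profile as a disabled script,
rem listed before this one) is extracted to the same folder as this script.
set "REG_FILE=%~dp0policy.reg"

rem The script runs inside isolation, so the flag and the imported settings
rem both land in the per-user isolation space (UserRoot).
reg.exe query "%FLAG_KEY%" /v "%FLAG_VALUE%" >nul 2>&1
if not errorlevel 1 (
    rem Flag present: the policy was applied on an earlier launch. Do nothing,
    rem so changes made by the user or application since then are kept.
    exit /b 0
)

if not exist "%REG_FILE%" (
    echo Pre-launch: "%REG_FILE%" not found, policy not applied. 1>&2
    exit /b 1
)

reg.exe import "%REG_FILE%" >nul 2>&1
if errorlevel 1 (
    echo Pre-launch: import of "%REG_FILE%" failed, flag not set. 1>&2
    exit /b 1
)

rem Write the flag only after a successful import, so a failed run is
rem retried on the next launch instead of being silently skipped.
reg.exe add "%FLAG_KEY%" /v "%FLAG_VALUE%" /t REG_DWORD /d 1 /f >nul
exit /b %errorlevel%
```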