[THIN] KB: CTX113858 - Group Policy Object (GPO) Settings May Not Get Applied for Streamed Applications

  • From: "Jim Kenzig ThinHelp.com" <jkenzig@xxxxxxxxx>
  • To: THIN <thin@xxxxxxxxxxxxx>
  • Date: Thu, 26 Jul 2007 11:51:13 -0400

CTX113858 - Group Policy Object (GPO) Settings May Not Get Applied for
Streamed Applications

This document was published at: http://support.citrix.com/article/CTX113858

Document ID: *CTX113858*, Created on: Jul 25, 2007, Updated: Jul 25, 2007

Products: Citrix Presentation Server 4.5 for Windows Server 2003, Citrix
Presentation Server 4.5 for Windows Server 2003 x64 Edition


*Symptoms*

Group Policy Object (GPO) settings may not get applied for streamed
applications.

Example: The "default Save to" directory.

An administrator sets a "default Save to" directory for an application and
configures that directory to be outside of the isolation environment. Normally, a GPO
can be set to accomplish this goal by adjusting the registry so that the
option is set when the application is run. With streamed applications, this
policy may not get applied.

*Cause*

Application-specific settings are most often written to the registry during
installation/profiling, which means that these settings are part of the
profiled package. This problem typically occurs in an environment where the
desktops are locked down with strict GPOs. When streaming applications, all
GPOs (written to application space or written to
HKEY_LOCAL_MACHINE\Software\Microsoft\Policies) get set each time the user
logs on. The registry settings are not applied to the isolation space
registry and because the application wrote to the registry at installation,
the InstallRoot is looked at and not the local machine (physical registry).
The result is that the global set of the GPO is not seen inside isolation
and the application is not able to see the registry space.

*Resolution*

Use a pre-launch script that writes to the registry and is configured to run
inside of isolation. By running inside of isolation, the script's view of
the system is the same as that of the application you are going to execute
and anything that the script writes to the registry is written to the top
layer of the isolation space (UserRoot).

The script writes to the registry as if it were writing to the "real"
registry, but the activity of the script is intercepted by the isolation
system and becomes part of the per-user isolation space.

*Note*: Pre-launch scripts are run before the FIRST application of a profile
is executed and post-exit scripts are executed after the FINAL application
of a profile terminates.

Note that the .REG file also needs to be a "script" so that it gets included
in the profile. That "script" should be marked disabled and should be listed
BEFORE the script that is reg.exe. In Presentation Server 4.5, the scripts
are extracted from the server image just before execution, so the order of
inclusion in the profiler matters. The same dependencies are needed if a
script is an executable that happens to use a .DLL. The DLL has to be
included with the profile and to accomplish that, the DLL is defined as a
"disabled" script.

Since this script runs each time (before) the application is launched, the
"policy" is written to the user space each time the application is run and
it overwrites things that the application/user may have changed the last
time the application was executed. This may be the desired behavior. If
instead you want the policy to only make an impact on the first execution,
you need to add a flag to the registry or file system to note that the
script has already run and should do nothing. In this case, a .BAT or .CMD
file would be the better choice for the "script."

--
Jim Kenzig
Microsoft MVP - Terminal Services
http://www.thinhelp.com
Citrix Technology Professional
Provision Networks VIP
CEO The Kenzig Group
http://www.kenzig.com
Blog: http://www.techblink.com
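
The run-once variant described in the Resolution section, sketched as a .CMD pre-launch script. This is an added example, not part of the original post or the Citrix article. The flag key HKCU\Software\ExampleCorp\StreamedAppPolicy, the value name PolicyApplied, the file name policy.reg, and the assumption that policy.reg is extracted next to the script are all hypothetical placeholders.

```bat
@echo off
rem Added example: pre-launch script that applies policy values once per user.
rem Run it inside isolation so that, as the article explains, its registry
rem writes land in the per-user isolation space (UserRoot).
rem Hypothetical placeholders: FLAG_KEY, FLAG_VALUE and policy.reg.
setlocal

set "FLAG_KEY=HKCU\Software\ExampleCorp\StreamedAppPolicy"
set "FLAG_VALUE=PolicyApplied"
rem Assumption: the .REG file (profiled as a disabled "script") sits beside this file.
set "REG_FILE=%~dp0policy.reg"

rem The flag is already present: an earlier launch applied the policy, so do nothing.
reg query "%FLAG_KEY%" /v "%FLAG_VALUE%" >nul 2>&1
if not errorlevel 1 goto done

rem Fail visibly if the .REG file was not included in the profile.
if not exist "%REG_FILE%" goto missing

rem Import the policy values, then record the flag only if the import succeeded.
reg import "%REG_FILE%"
if errorlevel 1 goto failed

reg add "%FLAG_KEY%" /v "%FLAG_VALUE%" /t REG_DWORD /d 1 /f >nul
if errorlevel 1 goto failed

:done
endlocal
exit /b 0

:missing
echo Policy file not found: "%REG_FILE%" 1>&2
endlocal
exit /b 2

:failed
echo Could not apply policy values or write the run-once flag. 1>&2
endlocal
exit /b 1
```

The flag lives under HKCU, which the user can modify, so it controls only when the defaults are re-applied and should not be treated as an enforcement mechanism.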
