I have made just what you are talking about, and it works like a babe.

1. Redirect the Start menu through a GPO to the temp area in the user's profile. This ensures a blank Start menu.
2. Exclude the temp area in the user's profile from being saved in the roaming profile. This ensures it's cleaned at each logoff.
3. Make a security group in AD for each program or program group you want in the Start menu. Add members to this.
4. Make a share on your file server called startmenu$ or something like that.
5. On that share make a subfolder named exactly as the security group name, and put the shortcut in there, or in a new subfolder called program, all depending on where on the Start menu you want the shortcut.
6. In your logon script enumerate the share, and check if the user is a member of each group which has a folder. This ensures that you only get shortcuts for programs you are authorised for.
7. Optional: also place file/folder security on the applications, to make it even more secure.

Here is the KiX code I use in the logon script:

    :Startmeny
        ; Map the share that holds one shortcut folder per security group
        use y: "\\server\startmenu$"
        $ShortCuts="y:\"
        $StartMenu="%Temp%\startmeny"
        Cd $ShortCuts
        $FileName = Dir("*.*")
        While $FileName <> "" and @Error = 0
            ; Folder name matches a group the user is a member of: copy its shortcuts
            If Ingroup($FileName) > 0
                SHELL '%comspec% /C ROBOCOPY "$ShortCuts\$FileName" "$StartMenu" /E /R:3 /W:10'
            EndIf
            ; Folder named after the user id: copy that user's own shortcuts
            If $Filename = "@userid"
                SHELL '%comspec% /C ROBOCOPY "$ShortCuts\$FileName" "$StartMenu" /E /R:3 /W:10'
            EndIf
            $FileName=Dir() ; Retrieve next file
        Loop
        use y: /delete
    Return

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Luchette, Jon
Sent: Tuesday, March 28, 2006 4:02 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] OT: Controlling Desktop Access

Hello,

I am trying to find the best way to control which users have access to which applications via the Published Desktop as I rebuild my Citrix farm. I am trying to use Group Policies to accomplish this, but need some direction/advice.
Ideally I would have it setup by group, so that if a user was in Group A, somehow I would give him access to app A, B, and C via the Published Desktop, and if another user was in Group B, I would give him access to app D, E, and F, via the same desktop. How do you all currently handle this particular piece of administration?

Thanks!

_______________________________________________
Jon Luchette
Emerson Hospital
Technology Specialist III
Work: 978-287-3369
Cell: 978-360-1379
jluchette@xxxxxxxxxxxxxxx
_______________________________________________
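
The group check in step 6 of the reply only decides which shortcuts the logon script copies; it does not stop a user from reading the other folders on the share directly. The following read-only audit is an added example, not part of the original thread: it lists the Allow entries on each per-group folder and flags any principal other than the matching group. The function name, the EXAMPLE domain placeholder and the list of allowed administrative principals are assumptions.

```powershell
# Added example (not from the original post). Read-only audit of the share
# layout from steps 4-5: one subfolder per security group (or per user id).
function Test-StartMenuShareAcl {                      # hypothetical helper name
    param(
        [string]$ShareRoot = '\\server\startmenu$',    # share path used in the post
        [string]$Domain    = 'EXAMPLE',                # placeholder NetBIOS domain
        # Assumed administrative principals allowed on every folder
        [string[]]$Allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )
    foreach ($dir in Get-ChildItem -LiteralPath $ShareRoot -Directory) {
        # The folder name is the group (or user) that should be able to read it
        $expected = "$Domain\$($dir.Name)"

        # Only Allow entries grant access; inherited entries count as well
        $allow = (Get-Acl -LiteralPath $dir.FullName).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' }
        $names = @($allow |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique)

        # Anything that is neither the matching group nor an allowed admin
        # principal (for example Everyone or Domain Users) is reported
        $unexpected = @($names | Where-Object {
            $_ -ne $expected -and $Allowed -notcontains $_
        })

        [pscustomobject]@{
            Folder            = $dir.Name
            Expected          = $expected
            ExpectedHasAccess = $names -contains $expected
            Unexpected        = $unexpected -join '; '
            Ok                = ($names -contains $expected) -and
                                ($unexpected.Count -eq 0)
        }
    }
}

# Show only the folders whose ACL does not match the folder name:
# Test-StartMenuShareAcl -Domain 'EXAMPLE' | Where-Object { -not $_.Ok }
```

A folder reported with Ok = False is readable by more than its own group, so the logon script filter is the only thing keeping those shortcuts off other users' Start menus.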