[THIN] Re: Using the Citrix desktop......finally

  • From: "Jeff Durbin" <techlists@xxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Fri, 8 Oct 2004 17:00:02 -0700

Thanks everyone for the head up. Now I remember seeing this before. 


  _____  

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Jim Hathaway
Sent: Friday, 8 October 2004 4:00 p.m.
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Using the Citrix desktop......finally


As an FYI - MS does have a technote on this kind of setup for both Windows
2003, and Windows 2000 TS servers. Rick's method posted here is much simpler
by far than the steps the MS KB's make you go through. But just in case
folks are curious:
 
http://support.microsoft.com/default.aspx?scid=kb;en-us;325351 = Q325351 -
how to apply local policies to all users except for administrators on
Windows 2003 servers in a workgroup.

 

http://support.microsoft.com/default.aspx?scid=kb;en-us;293655 = Q293655 -
"............................." Windows 2000 servers in a workgroup.

 
HTH
 
J

  _____  

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Rick Mack
Sent: Friday, October 08, 2004 2:53 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Using the Citrix desktop......finally


Hi Jeff,
 
You can set file access permissions so that a local administrator doesn't
have r/x access to %systemroot%\system32\grouppolicy\user\registry.pol.
 
That'll stop the admin being able to read or apply the local user policy.
 
You'll just have to get a bit creative with regard to how you modify the
policy (another special purpose admin local user).
 
regards,
 
Rick

Ulrich Mack
Volante Systems Ltd
18 Heussler Terrace, Milton 4064
Queensland Australia.
Ph: +61 7 3246 7704
email: rmack@xxxxxxxxxxxxxx
web: www.volante.com.au
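One way to apply Rick's permission change and check it took, as an added PowerShell example that is not from the thread (it assumes a PowerShell host with Get-Acl/Set-Acl, and that the local user policy file already exists at the path he gives):

```powershell
# Added example, not from the original post. Denies BUILTIN\Administrators
# Read & Execute on the local user-policy file, so the local user policy is
# neither readable nor applied for members of that group (Rick's method).
$PolFile = Join-Path $env:SystemRoot 'System32\GroupPolicy\User\registry.pol'
$Admins  = New-Object System.Security.Principal.NTAccount('BUILTIN', 'Administrators')

function Set-LocalUserPolicyAdminDeny {
    param([string]$Path = $PolFile)
    $acl  = Get-Acl -Path $Path
    # Explicit Deny ACE; Deny is evaluated before any Allow the group inherits.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Admins, 'ReadAndExecute', 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-LocalUserPolicyAdminDeny {
    param([string]$Path = $PolFile)
    # Returns $true when a Deny ACE covering ReadData exists for Administrators.
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    $hit = (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
        $_.AccessControlType -eq 'Deny' -and
        (($_.FileSystemRights -band $readData) -ne 0)
    }
    return [bool]$hit
}

# Caveat: members of Administrators still hold SeTakeOwnershipPrivilege, so
# this blocks policy application, not a determined admin. Run the Set-* step
# from the separate policy-editing account Rick mentions, since that account
# must keep read/write access to edit the policy afterwards.
Set-LocalUserPolicyAdminDeny
Test-LocalUserPolicyAdminDeny
```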




-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Jeff Durbin
Sent: Saturday, 9 October 2004 7:45 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Using the Citrix desktop......finally


There is no way that I know of to set permissions on the local GPO. 


  _____  

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Robinson, Nick
Sent: Friday, 8 October 2004 2:01 p.m.
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Using the Citrix desktop......finally



What if I were to use a local GPO? I can see where to create the policies
but not exempt the admin in local.

 

Nick

 

-----Original Message-----
From: Jeff Durbin [mailto:techlists@xxxxxxxxxxxxx] 
Sent: Friday, October 08, 2004 3:50 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Using the Citrix desktop......finally

 

That's fine if you want those users to receive the same GPO restrictions
when they log onto a local machine. The alternative to this is to move your
Citrix servers into an OU, apply one or more Group Policy objects to the OU,
and enable loopback processing for those GPOs (technically, you need to
enable loopback only on the first GPO that will apply to the Citrix servers,
but there's no harm in setting it on all of the GPOs that apply to the
Citrix servers in case you add/remove/change priority). Then use permissions
on the Group Policy objects to determine which users receive the GPOs' user
settings.

 


  _____  


From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of John Hardwick
Sent: Friday, 8 October 2004 12:08 p.m.
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Using the Citrix desktop......finally

Nick,

 

You need to make a different OU to put the users in vs. the admins. Put
the admins in the top level and then the users below them in their own OU or
something. Group policy objects can only be applied at the OU level.

 

John Hardwick

President

nXio, LLC.

913-754-8120 x125

www.nxio.net


  _____  


From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Robinson, Nick
Sent: Friday, October 08, 2004 1:58 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Using the Citrix desktop......finally

 

I should know this, I admit but when setting these Group Policies, how can I
exclude the admin account or any other account. I'm setting the policy so
the users can't see the A,C,D drives but I still want the Admin to see them.

 

Thanks

Nick

 

-----Original Message-----
From: John Hardwick [mailto:jhardwick@xxxxxxxx] 
Sent: Wednesday, October 06, 2004 3:40 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Using the Citrix desktop......finally

 

Nick,

 

A couple of notes. I'm going to assume you're on 2K or 2003 with group policy.

 

1. There is a group policy that will let you hide server drives as
well as prevent access to them.

2. Remove all of the new document types from the default user template
directory to keep users from right clicking and creating new document types.

3. That leads to this one, which is again removing the ability to save
/ run things from the desktop. Given traditional group policy options there
is nothing to prevent a user from saving a txt file to the desktop, per se,
and then renaming it to a cmd script and running it. You are able to bypass
command prompt restrictions etc. that way. There is however a group policy
option to disable context menus in explorer. I am pretty sure there is a
way with software restrictions under group policy to prohibit .cmd scripts
from running from locations other than those you specify though.

4. If you remove the run command from the start menu you may notice
some oddities with IE where a user types in "http://URL" vs "URL" (or the other
way around) and receives an error message. I haven't tested this yet to see
if things changed in 2K3. There was no workaround last I knew.

5. I personally redirect all of the user's profile parts to UNC
shares: their desktop, start menu, etc. This allows for fewer problems when
roaming, and if the user for example has a file they save to their desktop on
their "desktop connection" it still allows for it to be available if they
have a published app open on another server.

 

Those were my quick thoughts. I've always tried to push users more and more
and more towards published apps, mostly to help with load balancing, but it
also really helps with the security concerns.

 

- John.

 

John Hardwick

President

nXio, LLC.

913-754-8120 x125

www.nxio.net


  _____  


From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Robinson, Nick
Sent: Wednesday, October 06, 2004 3:32 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Using the Citrix desktop......finally

 

I normally give my users applications to work with in Citrix and NOT the
entire desktop, since we only use Citrix for a couple of applications across
a frame relay circuit; works great. But... we are spreading our wings. I
have installed a frame relay circuit to the UK and now trusting domains. Now
I think I've decided to let my new users have a desktop. In the past on this
list, I've noticed a lot of conversation about what to let users
see/have/use on desktops and I usually disregarded these conversations since
they really didn't apply to me, but now they do.

Finally my questions:

1. In Windows Explorer, I want the users to see the
mapped drives and their C$ drives but not the physical drives of the server. How
can I make this happen, if possible?

2. What do I need to change/add to each desktop?
Things that may have bitten you already and you would recommend me changing or
adding.

 

 

Nick Robinson

 

 
