
In another scenario, an organization can require differing types of access for different types of users. In this scenario, any setting under the “user” portion of the GPO will have to be monolithic, meaning every user will have the same setting.

If we are building the AD from scratch along with the Citrix implementation, we might as well create the “Citrix Users” OU. More likely, though, we are bringing Citrix into an AD implementation that already exists, built for designs completely different from “terminal services”, where the users may already have GPOs controlling things like folder redirection and hiding server drives in ways that conflict with what we need them to do. In this case the Citrix integrator needs to be able to “lock down” the Citrix SERVER Organizational Unit, so that already-existing users with conflicting user settings can come in without threatening the stability of the Citrix implementation.

In the case of the “folder redirection” GPO, we have to configure the GPO in the “user” section, since there is no corresponding setting in the “computer” section. But if we set a “user” GPO and put it on our one SERVER organizational unit, by default we don’t get the guarantee that our GPO will work. By default, user settings will be read in AD first at the computer OU, but then at the user OU, and the user OU will win out if there are any conflicts.

The key to controlling what happens is the “User Group Policy loopback processing mode” GPO setting. After setting it to “Enabled” on the GPO of the OU of the Citrix server, the integrator has the option of setting it to either “merge” or “replace” mode. In the scenario where the integrator has no control over the GPOs on the users’ OUs, and those GPOs could very well be conflicting (in terms of which drive letters are hidden or revealed, for example, or how locked down a machine is), the integrator can use “loopback-replace” to cancel out any user settings that may have been assigned at the user OU, and then use another GPO to set all the user settings that the users will have when logging in to servers in that OU.
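The effect of the loopback modes described above can be modelled in a few lines. This is an added example, not code from the original article; it assumes the standard Windows behaviour that “merge” applies the server OU’s user settings last and “replace” applies only them. The GPO names, setting names and values are constructed sample data.

```python
# Added illustration: resultant *user* settings for a logon to a Citrix server.
# GPO names, setting names and values below are constructed sample data.
USER_OU_GPOS = [   # linked to the users' OU; not controlled by the integrator
    {"name": "Corp-Desktop", "user": {"HideDrives": "none",
                                      "FolderRedirection": r"\\fileserver\home"}},
]
SERVER_OU_GPOS = [  # linked to the Citrix server OU by the integrator
    {"name": "Citrix-Lockdown", "user": {"HideDrives": "C,D", "NoRunMenu": True}},
]


def apply_in_order(gpos):
    """Apply GPOs in sequence; a later GPO overwrites an earlier one.
    Returns {setting: (value, name of the GPO that supplied it)}."""
    result = {}
    for gpo in gpos:
        for setting, value in gpo["user"].items():
            result[setting] = (value, gpo["name"])
    return result


def resultant_user_policy(user_gpos, server_gpos, loopback=None):
    """loopback: None (setting not enabled), "merge" or "replace"."""
    if loopback is None:
        order = user_gpos                 # only the user OU's settings take effect
    elif loopback == "merge":
        order = user_gpos + server_gpos   # server OU applied last, wins conflicts
    elif loopback == "replace":
        order = server_gpos               # user OU's settings are discarded
    else:
        raise ValueError(f"unknown loopback mode: {loopback!r}")
    return apply_in_order(order)


def leaked_settings(user_gpos, server_gpos, loopback):
    """Settings in effect that were supplied by GPOs outside the server OU."""
    trusted = {g["name"] for g in server_gpos}
    policy = resultant_user_policy(user_gpos, server_gpos, loopback)
    return {s: v for s, (v, src) in policy.items() if src not in trusted}


if __name__ == "__main__":
    for mode in (None, "merge", "replace"):
        print(mode, resultant_user_policy(USER_OU_GPOS, SERVER_OU_GPOS, mode))
        print("  from outside the server OU:",
              leaked_settings(USER_OU_GPOS, SERVER_OU_GPOS, mode))
```

In merge mode the conflicting drive-hiding value is overridden, but the pre-existing folder redirection still reaches the server; only replace mode leaves nothing from the user OU in effect.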

The “loopback merge” or “loopback replace” setting in group policy can be a critical component to getting the control over user access that a Citrix implementation requires.

First of all, the users don’t go in the Users container, and the Citrix servers don’t go in the Computers container, because there they can’t be controlled with group policies; instead, separate containers, “OUs”, are created by the AD administrator. At the minimum, we require a single OU for the Citrix server we are implementing.

As far as the users, they also don’t belong in a folder, but in an Organizational Unit. As the Citrix integrator, we need to be able to control the type of access the users are getting when logged on to the Presentation Servers, and we use GPOs, on an OU, to accomplish this. But there are a few different scenarios to look at with the users.

(used in conjunction with two others: “do not detect slow connection” and “wait for remote profile to load”)

Windows 2003 Group Policies can do a lot of things. The list of things you can do in a Group Policy with the default templates is so big that it can be difficult to find a setting among the hundreds of fields and sub-fields in the Group Policy tool in Active Directory. There is an Excel spreadsheet called PolicySettings.xls that is searchable and contains detailed explanations of each setting in the default Windows 2003 SP1 templates.

But there are a few key settings among all the registry keys that are critical to the success of a Citrix implementation.
