The Ultimate Citrix Install Guide
 
1 - Preface
2 - Project Management
3 - Analysis Phase
4 - Design Phase
5 - Implementation Phase
  1. Implementation Overview
  2. Prepare the Network Environment
  3. 3rd Party IMA Data Store Installation & Maintenance
  4. Install Operating System
  5. Install MetaFrame XP with Feature Release 2
  6. Tweak Windows 2000 / MetaFrame XP
  7. How to Install and Configure Microsoft Office 2000
  8. Install Image Applications
  9. Rapid Server Deployment
  10. Install Manual Applications
  11. Resource Manager 2.2 Counters Explained
  12. How to Setup Automatic Reboot for MetaFrame Servers
  13. MetaFrame Delegated Administration
  14. How to Set the MetaFrame Server Preference for Data Collector Elections
  15. How to Create a Zone & Move MetaFrame Servers to it
  16. Citrix User Policies
  17. How to Implement Automatic ICA Client Updates
  18. Client Drive Mapping
  19. How to Implement Client to Server Content Redirection
  20. How to Implement Server to Client Content Redirection
  21. Publishing through the Citrix Management Console
  22. How to Build a Stable Printing Environment
  23. NFuse Integration
  24. How to Secure an Internet Information Services (IIS) Server
  25. How to Secure ICA Session Traffic with Citrix Secure Gateway (CSG) 1.1
  26. MetaFrame XP Remote Administration Tools
  27. ICA Clients
  28. Microsoft Terminal Services License Server
  29. Implement Windows System Policies
  30. Implementation - Checkpoint
6 - Readiness Phase
7 - Rollout Phase
8 - Appendix

29. Implement Windows System Policies

When users access a session through a MetaFrame server, by default they have access to all files, features and applications on the server. This gives a stray user the ability to detrimentally affect all other users of the MetaFrame server. To prevent this you will want to lock down the environment through Computer and User Policies.

A Policy is a set of registry settings that defines the computer resources available to an individual or to a group of users. Policies define the various facets of the desktop environment that a system administrator needs to control, such as which applications are available, which applications appear on the user's desktop, which applications and options appear in the Start menu, who can change their desktops and who cannot, and so forth. System policies can be implemented for specific users, groups, computers, or for all users.

In the following sections, I have documented how to implement Policies in both a Microsoft Windows NT 4.0 or Novell NetWare environment and a Windows 2000 Active Directory environment. You will also find a great Administrative Template (MIAB.ADM) that incorporates most of the changes found throughout this document and a few more, together with instructions on how to add and configure it.

 

 

 

 


29.1 MIAB Administrative Template Overview

Keeping with the goal of this project of making things simple, a gent named Tahir Saleem created an awesome Administrative Template (MIAB.ADM) to tweak and configure a MetaFrame server.

 

MIAB.ADM allows you to configure the following:

- Source Path for Windows installation
- Open In Notepad. When right-clicking on a file you will have the option to open it in Notepad
- Command Prompt settings. Sets the following command prompt options:
  - ScreenBuffer is set to 300 lines.
  - WindowSize is set to 40 lines.
  - QuickEdit and InsertMode are enabled.
- Set IRPStackSize
- Set SNMP Contact
  - Contact Name
  - Location
- Disable the Configure Server Wizard
- Disable the Internet Connection Wizard
- Report Cached Credentials. When logged on with cached credentials, report this to the user.
- Default Logon Domain. Sets the default logon domain to the specified value. In a trusted environment this may be useful.
- File name completion enabled in command prompt
- Command Prompt Here. When right-clicking on a drive or directory you will have the option to open a Command Prompt at that location
- Configure TCPKeepAlive
- Set TcpMaxDataRetransmissions
- Enable ICAKeepAlive
- Disable Paging of NTExecutive
- Disable Dr. Watson
- Disable Printer Beeps
- Disable Printer Pop-up message
- Disable logging of Print events in Event Log
- Disable System Hard Error Messages
- Increase Idle Connections to handle peak logon periods
- Set WinStation UserOverrides:
  - AutoEndTasks
  - CursorBlinkRate
  - DragFullWindows
  - MenuShowDelay
  - WaitToKillAppTimeout
  - SmoothScroll
  - Wallpaper
  - MinAnimate
  - Active Title Bar Colour for ICA Connections
  - Active Title Bar Colour for RDP Connections
- Remove Outlook Express from the Quick Launch bar and Start Menu
- Prevent last access time stamp from being updated on NTFS partitions (note that last-access times are a forensic artifact; weigh the I/O saving against losing them)
- SAP Settings
  - Enable/Disable New Visual Design
  - Disable Splash Screen
  - Disable Animation
- Change IM 2.0 default install drive
- Set Default License Server
- Hide Specified drives

 

Important: The MIAB Administrative Template is written for Windows 2000 Active Directory Group Policies ONLY. The full text of MIAB.ADM follows.

 

 

; Methodology in a Box
; Terminal Server tunings.
; Version: 1.0
; By Tahir Saleem, NettSpesialisten
; saleem@nettspes.no

#if version <= 2

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
CLASS USER ;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

CATEGORY !!GPOnly
POLICY !!GPOnlyPolicy
KEYNAME "Software\Policies"

PART !!GPOnly_Tip1 TEXT
END PART

PART !!GPOnly_Tip2 TEXT
END PART

PART !!GPOnly_Tip3 TEXT
END PART

PART !!GPOnly_Tip4 TEXT
END PART

PART !!GPOnly_Tip5 TEXT
END PART
END POLICY
END CATEGORY


;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
CLASS MACHINE ;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

CATEGORY !!GPOnly
POLICY !!GPOnlyPolicy
KEYNAME "Software\Policies"

PART !!GPOnly_Tip1 TEXT
END PART

PART !!GPOnly_Tip2 TEXT
END PART

PART !!GPOnly_Tip3 TEXT
END PART

PART !!GPOnly_Tip4 TEXT
END PART

PART !!GPOnly_Tip5 TEXT
END PART
END POLICY
END CATEGORY

#endif

#if version >= 3

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
CLASS USER ;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

CATEGORY !!MIAB

POLICY !!HideDrives
EXPLAIN !!HideDrives_Help
KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
PART !!HideDrives_txt NUMERIC
VALUENAME "NoDrives" MAX 1000000000
DEFAULT "0"
END PART
END POLICY

POLICY !!ConfigServerWizard
KEYNAME "Software\Microsoft\Windows NT\CurrentVersion\Setup\Welcome"
EXPLAIN !!ConfigServerWizard_Help
ACTIONLISTON
VALUENAME "srvwiz"
VALUE NUMERIC "0"
END ACTIONLISTON
END POLICY

POLICY !!DisableICW
EXPLAIN !!DisableICW_Help
KEYNAME "Software\Microsoft\Internet Connection Wizard"
VALUENAME "Completed"
END POLICY

POLICY !!Console
KEYNAME "Console"
EXPLAIN !!Console_Help
ACTIONLISTON
VALUENAME "ScreenBufferSize"
VALUE NUMERIC "19660880" ;300 Lines
VALUENAME "WindowSize"
VALUE NUMERIC "2621520" ;40 Lines
VALUENAME "QuickEdit"
VALUE NUMERIC "1"
VALUENAME "InsertMode"
VALUE NUMERIC "1"
END ACTIONLISTON
END POLICY

CATEGORY !!SAP
POLICY !!SAPVisual
KEYNAME "Software\SAP\General\Enjoy"
EXPLAIN !!SAPVisual_Help
PART !!SAPGUIch DROPDOWNLIST REQUIRED
VALUENAME "Active"
ITEMLIST
NAME Off VALUE "Off" DEFAULT
NAME On VALUE "On"
END ITEMLIST
END PART
END POLICY

POLICY !!SAPAnimation
KEYNAME "SOFTWARE\SAP\General\Appearance"
EXPLAIN !!SAPAnimation_Help
PART !!SAPAnich DROPDOWNLIST REQUIRED
VALUENAME "Animation"
ITEMLIST
NAME Off VALUE "Off" DEFAULT
NAME On VALUE "On"
END ITEMLIST
END PART
END POLICY

POLICY !!SAPSplash
KEYNAME "SOFTWARE\SAP\General\Appearance"
EXPLAIN !!SAPSplash_Help
PART !!SAPSplach DROPDOWNLIST REQUIRED
VALUENAME "SplashOff"
ITEMLIST
NAME Off VALUE NUMERIC 1
NAME On VALUE NUMERIC 0
END ITEMLIST
END PART
END POLICY
END CATEGORY ;SAP

END CATEGORY ;MIAB

 

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
CLASS MACHINE ;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

CATEGORY !!MIAB

POLICY !!SourcePath
EXPLAIN !!SourcePath_Help
KEYNAME "Software\Microsoft\Windows NT\Currentversion"
PART !!SourcePath EDITTEXT
VALUENAME "SourcePath"
DEFAULT "\\Servername\I386"
END PART
END POLICY

POLICY !!CompletionChar
KEYNAME "Software\Microsoft\Command Processor"
EXPLAIN !!CompletionChar_Help
ACTIONLISTON
VALUENAME "CompletionChar"
VALUE NUMERIC 9
VALUENAME "PathCompletionChar"
VALUE NUMERIC 9
END ACTIONLISTON
ACTIONLISTOFF
VALUENAME "CompletionChar"
VALUE NUMERIC 64
VALUENAME "PathCompletionChar"
VALUE NUMERIC 64
END ACTIONLISTOFF
END POLICY

POLICY !!InternetMIB
EXPLAIN !!InternetMIB_Help
KEYNAME "System\CurrentControlSet\Services\SNMP\Parameters\RFC1156Agent"
ACTIONLISTON
VALUENAME "sysServices"
VALUE NUMERIC 72
END ACTIONLISTON
PART !!ContactName EDITTEXT REQUIRED
VALUENAME sysContact
END PART
PART !!Location EDITTEXT REQUIRED
VALUENAME sysLocation
END PART
END POLICY

POLICY !!CachedCredentials
KEYNAME "software\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPLAIN !!CachedCredentials_Help
ACTIONLISTON
VALUENAME "ReportControllerMissing"
VALUE "TRUE"
END ACTIONLISTON
END POLICY

POLICY !!DefaultDomain
KEYNAME "software\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPLAIN !!DefaultDomain_Help
PART !!DefaultDomain_TXT EDITTEXT
VALUENAME DefaultDomainName
END PART
END POLICY

POLICY !!TCPKeepAlive
KEYNAME "System\CurrentControlSet\Services\Tcpip\Parameters"
EXPLAIN !!TCPKeepAlive_Help
PART !!KeepAliveTime NUMERIC
VALUENAME KeepAliveTime MAX 100000
DEFAULT "60000"
END PART
PART !!KeepAliveInterval NUMERIC
VALUENAME KeepAliveInterval
DEFAULT "1000"
END PART
END POLICY

POLICY !!ICAKeepAlive
KEYNAME "SYSTEM\CurrentControlSet\Control\Citrix"
EXPLAIN !!ICAKeepAlive_Help
VALUENAME "IcaEnableKeepAlive"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
PART !!ICAKeepAliveInterval NUMERIC
VALUENAME "IcaKeepAliveInterval"
DEFAULT "60"
END PART
END POLICY

POLICY !!DisablePagingExecutive
KEYNAME "SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"
EXPLAIN !!DisablePagingExecutive_Help
VALUENAME "DisablePagingExecutive"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY

POLICY !!DrWatson
KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug"
EXPLAIN !!DrWatson_Help
PART !!DrWatson_TXT EDITTEXT
VALUENAME "Debugger"
DEFAULT ""
END PART
END POLICY

POLICY !!Printer_Beeps
EXPLAIN !!Printer_Beeps_Help
KEYNAME "SYSTEM\CurrentControlSet\Control\Print"
VALUENAME "BeepEnabled"
VALUEON NUMERIC 0
VALUEOFF NUMERIC 1
END POLICY

POLICY !!Printer_Pop-up_message
EXPLAIN !!Printer_Pop-up_message_Help
KEYNAME "SYSTEM\CurrentControlSet\Control\Print\Providers"
VALUENAME "NetPopup"
VALUEON NUMERIC 0
VALUEOFF NUMERIC 1
END POLICY

POLICY !!Print_EventLog
EXPLAIN !!Print_EventLog_Help
KEYNAME "SYSTEM\CurrentControlSet\Control\Print\Providers"
VALUENAME "EventLog"
VALUEON NUMERIC 0
VALUEOFF NUMERIC 1
END POLICY

POLICY !!ErrorMode
EXPLAIN !!ErrorMode_Help
KEYNAME "SYSTEM\CurrentControlSet\Control\Windows"
VALUENAME "ErrorMode"
VALUEON NUMERIC 2
VALUEOFF NUMERIC 0
END POLICY

POLICY !!IdleWinStation
EXPLAIN !!IdleWinStation_Help
KEYNAME "SYSTEM\CurrentControlSet\Control\Terminal Server"
PART !!IdleWinStationPoolCount NUMERIC
VALUENAME "IdleWinStationPoolCount"
DEFAULT "2"
END PART
END POLICY

CATEGORY !!UserOverride
POLICY !!UserOverride_Desktop
EXPLAIN !!UserOverride_Desktop_Help
KEYNAME "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\ICA-tcp\UserOverride\Control Panel\Desktop"
ACTIONLISTON
VALUENAME "AutoEndTasks"
VALUE "1"
VALUENAME "CursorBlinkRate"
VALUE "1200"
VALUENAME "DragFullWindows"
VALUE "0"
VALUENAME "MenuShowDelay"
VALUE "10"
VALUENAME "WaitToKillAppTimeout"
VALUE "20000"
VALUENAME "SmoothScroll"
VALUE NUMERIC "0"
VALUENAME "Wallpaper"
VALUE "(None)"
END ACTIONLISTON
END POLICY

POLICY !!UserOverride_WindowMetric
EXPLAIN !!UserOverride_WindowMetric_Help
KEYNAME "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\ICA-tcp\UserOverride\Control Panel\Desktop\WindowMetrics"
VALUENAME "MinAnimate"
VALUEON "1"
END POLICY

POLICY !!ActiveTitleICA
EXPLAIN !!ActiveTitleICA_Help
KEYNAME "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\ICA-tcp\UserOverride\Control Panel\Colors"
PART !!ActiveTitleICA EDITTEXT
VALUENAME "ActiveTitle"
END PART
END POLICY

POLICY !!ActiveTitleRDP
EXPLAIN !!ActiveTitleRDP_Help
KEYNAME "SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-tcp\UserOverride\Control Panel\Colors"
PART !!ActiveTitleRDP EDITTEXT
VALUENAME "ActiveTitle"
END PART
END POLICY
END CATEGORY ;UserOverride

POLICY !!RemoveOutlookExpress
EXPLAIN !!RemoveOutlookExpress_Help
KEYNAME "SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}"
ACTIONLISTON
VALUENAME "StubPath"
VALUE ""
END ACTIONLISTON
END POLICY

POLICY !!LastAccess
EXPLAIN !!LastAccess_Help
KEYNAME "System\CurrentControlSet\Control\FileSystem"
VALUENAME "NtfsDisableLastAccessUpdate"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY

POLICY !!IRPStackSize
EXPLAIN !!IRPStackSize_Help
KEYNAME "SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
PART !!IRPStackSizeText NUMERIC
VALUENAME "IRPStackSize"
DEFAULT "15"
END PART
END POLICY

POLICY !!CommandPromptHere
KEYNAME "Software\Classes\Directory\shell"
EXPLAIN !!CommandPromptHere_Help
ACTIONLISTON
KEYNAME "Software\Classes\Directory\shell\CommandPrompt"
VALUENAME ""
VALUE "Command Prompt Here..."
KEYNAME "Software\Classes\Directory\shell\CommandPrompt\Command"
VALUENAME ""
VALUE !!CommandPromptHere_Value
KEYNAME "Software\Classes\Drive\Shell\CommandPrompt"
VALUENAME ""
VALUE "Command Prompt Here..."
KEYNAME "Software\Classes\Drive\Shell\CommandPrompt\Command"
VALUENAME ""
VALUE !!CommandPromptHere_Value
END ACTIONLISTON
END POLICY

POLICY !!Notepad
KEYNAME "Software\Classes\*\Shell\Notepad"
EXPLAIN !!Notepad_Help
ACTIONLISTON
VALUENAME ""
VALUE "Open in Notepad..."
KEYNAME "Software\Classes\*\Shell\Notepad\Command"
VALUENAME ""
VALUE !!Notepad_Value
END ACTIONLISTON
END POLICY

POLICY !!SetIMInstallDisk
EXPLAIN !!SetIMInstallDisk_Help
KEYNAME "SOFTWARE\Citrix\AppCloning\Agent\Symbols"
ACTIONLISTON
VALUENAME "APPINSTALLDISK"
VALUE "D:"
KEYNAME "SOFTWARE\Citrix\AppCloning\Agent\Installer\Symbols"
VALUENAME "APPINSTALLDISK"
VALUE "D:"
END ACTIONLISTON
ACTIONLISTOFF
VALUENAME "APPINSTALLDISK"
VALUE "C:"
KEYNAME "SOFTWARE\Citrix\AppCloning\Agent\Installer\Symbols"
VALUENAME "APPINSTALLDISK"
VALUE "C:"
END ACTIONLISTOFF
END POLICY

POLICY !!SetDefaultLicenseServer
EXPLAIN !!SetDefaultLicenseServer_Help
KEYNAME "SYSTEM\CurrentControlSet\Services\TermService\Parameters"
PART !!SetDefaultLicenseServer_txt EDITTEXT
VALUENAME "DefaultLicenseServer"
END PART
END POLICY

POLICY !!TcpMaxDataRetransmissions
EXPLAIN !!TcpMaxDataRetransmissions_Help
KEYNAME "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
PART !!TcpMaxDataRetransmissions NUMERIC
VALUENAME "TcpMaxDataRetransmissions"
DEFAULT 10
END PART
END POLICY

END CATEGORY ;MIAB

 

[strings]
GPOnly_Tip1="The MIAB.adm file you have loaded requires Group Policy"
GPOnly_Tip2="in Windows 2000. You cannot use the System Policy Editor"
GPOnly_Tip3="to display Windows 2000 Group Policy settings."
GPOnly_Tip4=" "
GPOnly_Tip5="Enabling or disabling this policy has no effect."
GPOnly="Unsupported Administrative Templates"
GPOnlyPolicy="The MIAB.adm"

MIAB="Methodology in a Box v.2.0"

UserOverride="User Override on Win Station"

HideDrives="Hide Specified drives"
HideDrives_Help="Use HideCalc to specify the value.\nDefault 0 shows all drives.\nValue 15 hides drives A, B, C, and D."
HideDrives_txt="Enter the result from the hidecal.xls"

DisableICW="Disable Internet Connection Wizard"
DisableICW_Help="Disable the Internet Connection Wizard. This policy prevents users from getting an error message when they try to start Internet Explorer for the first time.\nIt is recommended to enable this policy."

CompletionChar="File Name Completion"
CompletionChar_Help="File name completion enabled in command prompt"

SourcePath="Source Path"
SourcePath_Help="Source Path for Windows installation"

InternetMIB="SNMP Contact"
InternetMIB_Help="Set Contact Name and Location"
ContactName="Contact Name:"
Location="Location:"

CachedCredentials="Report Cached Credentials"
CachedCredentials_Help="When logged on with Cached Credentials report this to the user"

DefaultDomain="Default Logon Domain"
DefaultDomain_Help="Sets the Default Logon Domain to the specified value. In a trusted environment this may be useful."
DefaultDomain_TXT="Set default domain to:"

Notepad="Open In Notepad"
Notepad_Help="When right clicking on a file you will have the option to open it in Notepad"
Notepad_Value="notepad.exe "%1""

TCPKeepAlive="Configure TCP Keep Alives"
TCPKeepAlive_Help="In inconsistent networks that are subject to periodic intervals of high network latency, ICA Clients may time out when connected to a session. When users attempt to reconnect to a dropped session, they receive a new session instead of being reconnected to their previous session. This is due to the server not being aware that the previous session was dropped.\nYou can remedy this problem by enabling TCPKeepAlive for ICA sessions that are connected through TCP. Modification of the TCPKeepAlive parameter helps to make the host server aware of any sessions dropped due to network problems. For more information about TCP parameters, see the Microsoft Knowledge Base article Q120642."
KeepAliveTime="TCP Keep Alive Time in milliseconds (Recommended 60000): "
KeepAliveInterval="TCP Keep Alive Interval in milliseconds (Recommended 1000): "

ICAKeepAlive="Enable ICA Keep Alives"
ICAKeepAlive_Help="Enable ICA Keep Alives. Because of the default parameters of the TCP/IP protocol stack in NT, sessions may have problems reliably going into a disconnected state when a connection is unexpectedly disrupted.\nThis behavior can be tuned to bring reliability back by enabling this policy."
ICAKeepAliveInterval="ICA Keep Alive Interval in milliseconds (Recommended 60): "

DisablePagingExecutive="Disable Paging of NTExecutive"
DisablePagingExecutive_Help="User-mode and kernel-mode drivers and kernel-mode system code are usually written to be either pageable or non-pageable. In cases where drivers or system code are pageable, you can use this policy to keep the pageable code in RAM, but this is only advisable on systems with extremely large amounts of RAM."

DrWatson="Disable Dr. Watson"
DrWatson_Help="Citrix recommendation. Enable this policy and leave the value empty to disable Dr. Watson.\nTo enable Dr. Watson, type the following into the value field:\ndrwtsn32 -p %ld -e %ld -g"
DrWatson_TXT="Value:"

Printer_Beeps="Disable Printer Beeps"
Printer_Beeps_Help="The beep can decrease printing performance while being transmitted to the client."

Printer_Pop-up_message="Disable Printer Pop-up message"
Printer_Pop-up_message_Help="Printer dialogs can hang the server while awaiting user input.\nEnabling this policy sets the registry value NetPopup = 0."

Print_EventLog="Disable logging of Print events in Event Log"
Print_EventLog_Help="By default, each print job logs two informational messages to the System log. On MetaFrame servers with many users, this feature generates numerous events and fills up the log faster.\nEnabling this policy sets the registry value EventLog = 0."

ErrorMode="Disable System Hard Error Messages"
ErrorMode_Help="System Hard Error Messages\nMessages generated by system hard errors appear on the server console. If left unanswered on an unattended console, messages can cause ICA sessions to hang. You can configure System hard errors to create an entry in the System log instead of displaying a message on the console. Disabling the display of messages to the console decreases the likelihood of hung ICA sessions, but increases the need to monitor the event log for these types of errors. For more information, see Microsoft Knowledge Base articles Q124873 and Q229012.\nEnable this Policy to disable System Hard Error Messages."

IdleWinStation="Increase Idle Connections to handle peak logon periods"
IdleWinStation_Help="The default of 2 idle connections minimizes memory used, but may not be sufficient to handle peak logon traffic. Increasing the count helps ensure availability during peak logon periods."
IdleWinStationPoolCount=" Number of IdleWinStation (Default 2): "

UserOverride_Desktop="Set Win Station User Overrides on Desktop"
UserOverride_Desktop_Help="A feature that enables you to set overrides on some of the entries in HKEY_CURRENT_USER.\nThis policy sets the following settings:\nAutoEndTasks to 1\nCursorBlinkRate to 1200\nDragFullWindows to 0\nMenuShowDelay to 10\nWaitToKillAppTimeout to 20000\nSmoothScroll to 0\nWallpaper to none"
UserOverride_WindowMetric="Minimize graphics use"
UserOverride_WindowMetric_Help="To control users' desktops to minimize graphics use. Also see Q226931 - How to minimize Graphics Use with Terminal Server."

ActiveTitleICA="Active Title Bar color for ICA connection:"
ActiveTitleICA_Help="Color example:\n10 36 106 - Blue (Original)\n0 128 128 - NT 4.0 Green\n0 128 0 - Dark Green\n128 0 0 - Dark Red\n255 0 0 - Strong Red"
ActiveTitleRDP="Active Title Bar color for RDP connection:"
ActiveTitleRDP_Help="Color example:\n10 36 106 - Blue (Original)\n0 128 128 - NT 4.0 Green\n0 128 0 - Dark Green\n128 0 0 - Dark Red\n255 0 0 - Strong Red"

RemoveOutlookExpress="Remove Outlook Express from the Quick Launch bar and Start Menu."
RemoveOutlookExpress_Help="This is a little UI clean-up tip."

LastAccess="Prevent last access time stamp from being updated on NTFS partitions"
LastAccess_Help="For a performance boost in the disk subsystem, you can turn off this default behaviour by enabling this policy."

IRPStackSize="Set IRPStackSize"
IRPStackSize_Help="In Windows 2000, the valid range has changed. The valid values range from 0xB to 0x14 (11 to 20). The default value is 15."
IRPStackSizeText="Set IRPStacksize (Default 15): "

CommandPromptHere="Command Prompt Here"
CommandPromptHere_Help="When right clicking on a drive or directory you will have the option to open a Command Prompt at that location"
CommandPromptHere_Value="cmd.exe /k cd "%1""

SetIMInstallDisk="Change IM 2.0 default install drive"
SetIMInstallDisk_Help="To control the drive that Installation Manager 2.0 would install all applications to.\nThis policy sets this to D:"
SetIMInstallDiskText="Set the installation drive"

Console="Command Prompt settings"
Console_Help="Sets the following command prompt options: \nScreenBuffer is set to 300 lines.\nWindowSize is set to 40 lines.\nQuickEdit and InsertMode are enabled."

SetDefaultLicenseServer="Set Default License Server"
SetDefaultLicenseServer_Help="Configuring Terminal Services Servers to Request License Key Packs from a Specific License Server. Enter NetBIOS name of the designated License Server. If it is located on a remote subnet, confirm that the Terminal Services-based computer can resolve the NetBIOS name of the specified server using Windows Internet Naming Services (WINS) or Lmhosts name resolution."
SetDefaultLicenseServer_txt="Enter Default License server name:"

TcpMaxDataRetransmissions="Set TcpMaxDataRetransmissions"
TcpMaxDataRetransmissions_Help="On highly variable performing network links, it is possible to modify the behaviour of the TCP Protocol stack to make the server more accepting of link inconsistency.\nFor more information see Citrix article CTX757449, Q120642 and Q170359.\nValue 10 is recommended by Citrix."

SAP="SAP"
SAPVisual="Enable/Disable New Visual Design"
SAPVisual_Help="With this policy you can enable/disable the New Visual Design.\nTo disable the New Visual Design, change the value to Off"
SAPGUIch="New Visual Design"
SAPAnimation="Disable Animation"
SAPAnimation_Help="With this policy you can enable/disable SAP GUI animation.\nTo disable animation, change the value to Off"
SAPAnich="Animation"
SAPSplash="Disable Splash Screen"
SAPSplash_Help="With this policy you can enable/disable the SAP splash screen.\nTo disable the splash screen, change the value to Off"
SAPSplach="Splash Screen"

ConfigServerWizard="Disable the Configure Server Wizard"
ConfigServerWizard_Help="Disables the Configure Server Wizard"
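The easiest way to break a template like MIAB.ADM is a !!Name reference in the policy body that has no matching Name="..." line under [strings], or the reverse. The following Python checker is an added example (not code from this guide, from MIAB.ADM or from Citrix) that cross-checks the two halves of an ADM file; it runs over a small constructed template embedded inline, and takes a file path on the command line to check a real template.

```python
"""Cross-check !!string references in an ADM template against its [strings] section.

Added example, not code from the guide or from MIAB.ADM. Every CATEGORY, POLICY,
PART, EXPLAIN and VALUE !!Name in the template body should be defined as
Name="..." under [strings]; the Group Policy editor otherwise shows the raw name
or rejects the template. Names are compared case-insensitively (an assumption
made here, since templates rely on the editor tolerating case differences).
"""
import re
import sys

STRING_REF = re.compile(r"!!([A-Za-z0-9_\-]+)")
STRING_DEF = re.compile(r'^\s*([A-Za-z0-9_\-]+)\s*=\s*"')
STRINGS_HEADER = re.compile(r"^\[strings\]\s*$", re.IGNORECASE | re.MULTILINE)


def strip_comment(line):
    """Drop a ';' comment, but not a ';' that sits inside a quoted value."""
    out, in_quote = [], False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            break
        out.append(ch)
    return "".join(out)


def check_adm_strings(text):
    """Return (undefined, unused): !!refs with no definition, and definitions never referenced."""
    parts = STRINGS_HEADER.split(text, maxsplit=1)
    body = parts[0]
    strings = parts[1] if len(parts) > 1 else ""
    refs = {}  # lower-case name -> name as written in the body
    for line in body.splitlines():
        for name in STRING_REF.findall(strip_comment(line)):
            refs.setdefault(name.lower(), name)
    defs = {}  # lower-case name -> name as written under [strings]
    for line in strings.splitlines():
        m = STRING_DEF.match(line)
        if m:
            defs.setdefault(m.group(1).lower(), m.group(1))
    undefined = sorted(refs[k] for k in refs if k not in defs)
    unused = sorted(defs[k] for k in defs if k not in refs)
    return undefined, unused


def check_adm_file(path):
    """Check a template on disk; ADM files are often ANSI or UTF-16, so decode leniently."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("cp1252", errors="replace")
    return check_adm_strings(text)


# Constructed sample template. It deliberately contains the two mismatch kinds
# the checker is meant to catch: a category string defined under another name,
# and a misspelled EXPLAIN reference. The trailing comment must not count.
SAMPLE_ADM = r'''CLASS MACHINE ;;;;;;;;;;;;;;;;;
CATEGORY !!MIAB
POLICY !!CachedCredentials
KEYNAME "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPLAIN !!CachedCridentials_Help
VALUENAME "ReportControllerMissing"
VALUEON "TRUE"
END POLICY
END CATEGORY ;MIAB - a comment is ignored, even if it mentions !!NotARef
[strings]
PIAB="Methodology in a Box v.2.0"
CachedCredentials="Report Cached Credentials"
CachedCredentials_help="When logged on with Cached Credentials report this to the user"
'''


if __name__ == "__main__":
    if len(sys.argv) > 1:
        undefined, unused = check_adm_file(sys.argv[1])
    else:
        undefined, unused = check_adm_strings(SAMPLE_ADM)
    print("undefined references:", undefined)
    print("unused strings:", unused)
```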

 

 

In the following examples I will document how to import this Administrative Template into a Windows 2000 Group Policy Object.

 


29.2 How to Create an Administrative Template to Hide Drives

In order to prevent your users from browsing the MetaFrame server's drives you will want to hide them from the users' view through system policies. This can be accomplished in multiple ways, but the easiest and most versatile way I have found is to utilize HideCalc to create Administrative Templates (Policy Templates). HideCalc is an awesome tool created by Sean Hegarty that does all the work for you.

The following details how to create an Administrative Template (Policy Template) to hide server drives with HideCalc.

 

1. Extract the contents of hidecalc.zip found in the \Utilities\ folder of the MIAB2.0.ZIP file. Once extracted, double-click on hidecalc.exe.
2. Enter the location where you would like to save the resulting Administrative Template (Policy Template) and click Doit.
3. Click to check the server drive letters you want to hide from the users' view and click the Create ADM file button.
4. Click OK.

 

 

You are now ready to import the newly created Administrative Template (Policy Template). If your MetaFrame servers are members of a Windows NT 4.0 domain you will need to import the .ADM template into the Policy Editor utility. If your MetaFrame servers are members of an Active Directory domain then you will need to import the .ADM template into a Group Policy Object.
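HideCalc (and the hidecal.xls spreadsheet mentioned in the MIAB.ADM HideDrives help) only does bit arithmetic on the Explorer NoDrives value. As an added example, not HideCalc's code and not part of this guide, the following Python computes that value from a set of drive letters, decodes a value back into letters, and emits a minimal ADM policy that sets it; the category and policy names in the emitted template are this example's own choice, and the exact template HideCalc writes is not shown on this page.

```python
"""NoDrives bitmask helper in the spirit of HideCalc (added example; not HideCalc's
own code and not part of the guide). Explorer's NoDrives value has one bit per
drive letter: bit 0 = A:, bit 1 = B:, ... bit 25 = Z:, so hiding A, B, C and D
gives 1 + 2 + 4 + 8 = 15, the worked case quoted in the MIAB.ADM HideDrives help."""
import string

DRIVE_LETTERS = string.ascii_uppercase          # bit index == position in this string
ALL_DRIVES = (1 << len(DRIVE_LETTERS)) - 1      # 0x3FFFFFF (67108863) hides every letter
EXPLORER_POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"


def nodrives_mask(letters):
    """Return the NoDrives DWORD that hides the given drive letters ('C', 'c:', ...)."""
    mask = 0
    for letter in letters:
        letter = letter.strip(": ").upper()
        if len(letter) != 1 or letter not in DRIVE_LETTERS:
            raise ValueError(f"not a drive letter: {letter!r}")
        mask |= 1 << DRIVE_LETTERS.index(letter)
    return mask


def hidden_drives(mask):
    """Decode a NoDrives value back into the sorted list of hidden drive letters."""
    if not 0 <= mask <= ALL_DRIVES:
        raise ValueError(f"NoDrives value out of range: {mask}")
    return [letter for i, letter in enumerate(DRIVE_LETTERS) if mask & (1 << i)]


def hidecalc_adm(letters, category="Hide Drives"):
    """Emit a minimal CLASS USER Administrative Template that sets NoDrives.

    The layout (CATEGORY / POLICY / KEYNAME / VALUENAME / VALUEON / VALUEOFF) is
    standard ADM grammar; the category and policy titles are this example's own.
    Disabling the policy writes 0, which shows all drives again."""
    mask = nodrives_mask(letters)
    if mask == 0:
        raise ValueError("no drive letters given")
    hidden = ", ".join(hidden_drives(mask))
    return "\n".join([
        "CLASS USER",
        f'CATEGORY "{category}"',
        f'  POLICY "Hide drives {hidden} from Explorer"',
        f'    KEYNAME "{EXPLORER_POLICY_KEY}"',
        '    VALUENAME "NoDrives"',
        f"    VALUEON NUMERIC {mask}",
        "    VALUEOFF NUMERIC 0",
        "  END POLICY",
        "END CATEGORY",
        "",
    ])


if __name__ == "__main__":
    # Constructed input: hide the system and application drives of a MetaFrame server.
    print(nodrives_mask("CD"), hidden_drives(12))
    print(hidecalc_adm("ABCD"))
```

NoDrives only removes the letters from Explorer and the common dialogs; it does not stop a user who types a path or uses a command prompt, so where you need enforcement pair it with the companion NoViewOnDrive value (same key, same bit layout) and NTFS permissions.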

 

 


29.3 Implementing Windows 2000 Active Directory Group Policies

Group Policies give you the means of controlling what users and computers can do when logged on. You can do this by controlling their desktop, network connections and user interface. You do this to ensure that users have what they need to perform their jobs, but do not have the ability to corrupt or incorrectly configure their environment.

Group Policy applies to the user or computer in a manner that depends on where both the user and the computer objects are located in Active Directory. However, in a MetaFrame environment you need policies applied to just the MetaFrame servers and the users who log in to them based on the location of the computer object alone. You can use the Group Policy loopback feature to apply Group Policy Objects (GPOs) that depend only on which computer the user logs on to.

This policy directs the system to apply the set of GPOs for the computer to any user who logs on to a computer affected by this policy.

With the Group Policy loopback policy, you can specify two other ways to retrieve the list of GPOs for any user of the computers in this specific OU.

- Merge Mode - In this mode, when the user logs on, the user's list of GPOs is gathered normally by using the GetGPOList function. The GetGPOList function is then called again, using the computer's location in Active Directory. The list of GPOs for the computer is then appended to the end of the GPOs for the user. This causes the computer's GPOs to have higher precedence than the user's GPOs.
- Replace Mode - In this mode, the user's list of GPOs is not gathered. Only the list of GPOs based on the computer object is used.

NOTE: Loopback is supported only in a purely Windows 2000-based environment. Both the computer account and the user account must be in Active Directory. If either account is managed by a Microsoft Windows NT 4.0-based domain controller, loopback does not function. The client computer must be a Windows 2000-based computer.

 

For more information, please refer to the following Web casts and white papers:

WEBCAST: Best Practices For System Policies In Windows 2000 Networks
http://www.microsoft.com/Seminar/Includes/Seminar.asp?url=/Seminar/1033/20000622TNQ101-07BL1/portal.xml

WEBCAST: Troubleshooting Group Policy Objects in Windows 2000
http://www.microsoft.com/Seminar/Includes/Seminar.asp?url=/Seminar/1033/20010109tnt1-08/portal.xml

Group Policy Overview
http://www.microsoft.com/windows2000/techinfo/reskit/samplechapters/dsec/dsec_pol.exe

Step-by-Step Guide to Understanding the Group Policy Feature Set
http://www.microsoft.com/windows2000/techinfo/planning/management/groupsteps.asp

 

 

The following sections will describe how to prepare the Active Directory and create Group policies.

 

 

 

29.3.1 Prepare the Active Directory Environment

When MetaFrame servers are in a Windows 2000 Active Directory domain, the domain administrator needs to implement Group Policy Objects (GPOs) that affect only the MetaFrame servers to control the user environment. The following describes the recommended process of applying GPOs to MetaFrame servers without adversely affecting other Windows 2000 servers and workstations on the network.

The first option is to create an organizational unit (OU) specifically for the MetaFrame servers in Application Server mode. This OU allows specific GPOs to be applied to only those MetaFrame servers and computers, creating a tightly controlled MetaFrame experience for the users without affecting the other servers and workstations in the Active Directory domain. This OU should not contain users or other computers; therefore, domain administrators can fine-tune the MetaFrame experience. The OU can also be delegated for control to subordinate groups such as server operators or individual users.

To create a new OU for the MetaFrame servers, follow these steps:

 

1. Click Start, Programs, Administrative Tools, Active Directory Users and Computers, then click Action, New, Organizational Unit.
2. Enter the name for the OU that will house your Citrix MetaFrame servers and click OK.
3. You are now ready to move the desired MetaFrame servers to the newly created OU. Locate the MetaFrame server in question (located in the Servers or Computers OU), right-click on the desired server and click Move.
4. Click the newly created OU dedicated to MetaFrame servers and click OK.
5. From the MetaFrame server console of the server(s) added to the newly created OU, click Start, Run, type MMC and click OK.
6. Click Add/Remove Snap-In.
7. The Add/Remove Snap-In dialog opens; click Add.
8. Click to select Group Policy and click Add.
9. Click Finish.
10. Click Close.
11. Click OK.
12. Open the Local Computer Policy and drill down to Computer Configuration, Administrative Templates, System, Group Policy, then double-click User Group Policy loopback processing mode.
13. Click to select the Enabled radio button and click OK.
14. Repeat steps 3 and 4 for every MetaFrame server running in Application Server mode.

You are now ready to create group policies to customize and lockdown the user environment and experience.


29.3.2 How to Add / Edit Group Policies

For the purpose of example, the following illustrates how to create a Group Policy made up of miscellaneous changes along with the MIAB.ADM file.

1. Right click on the OU created above and click Properties.

2. Click New.

3. Give a name to the newly created Group Policy Object.

4. Click Properties and assign the users / groups to which the GPO applies. As you see in this example, I have given Deny access to the CTX Admins group to verify that the policy will not be implemented, and have applied the GPO to the CTX Users group.

            Click OK when finished.


            Double click on the newly created Group Policy Object to open and edit the group policies.

NOTE: Most of the relevant settings are under Computer Configuration, Security Settings, or Local Policies. For example, under User Rights Assignment in the list on the right, you find Log on Locally, which is required for logging on to a session on Terminal Services; and you find Access this computer from the network, which is required to connect to the server outside of a MetaFrame session. This is also where you can prevent users from being able to shut down the system and other functions.

            If you will be adding or removing an Administrative Template you will need to right click on Administrative Templates and click Add/Remove Templates.


            The Add/Remove Templates window opens and you are able to add or remove the desired template. For this example we will be adding the MIAB.ADM file. Click Add to add a custom Administrative Template.

            Browse to the location of the MIAB.ADM file found in the Methodology in a Box download and click Open.

            Click Close.


            Reopen the Group Policy and click the Administrative Templates folder in the User Configuration section of the policy. Click View from the action menu bar and uncheck Show Policies Only.

            Due to a bug in Active Directory Users and Computers you will need to close the policy and reopen it.

            You will now find a Project in a Box v.2.0 section in both the Computer Configuration and User Configuration sections of the Group Policy tool. The following are the four different pages of configuration settings found in MIAB.ADM.

+ Computer Configuration, Administrative Templates, Project in a Box v.2.0

+ Computer Configuration, Administrative Templates, Project in a Box v2.0, User Override on Win Station

+ User Configuration, Administrative Templates, Project in a Box v2.0

+ User Configuration, Administrative Templates, Project in a Box v2.0, SAP

            Make the appropriate changes to the Group Policy Object and close the policy.

You have now successfully added MIAB.ADM and configured the settings. I highly recommend doing the same for a HideCalc ADM file as documented below. This will give you a wider selection of drives to hide (including not only the server drive letters but also any Citrix related file shares).


Implementing Windows NT, Terminal Server 4.0 System Policies

MetaFrame servers that are members of Microsoft NT 4.0 domains and/or Novell NetWare environments implement System Policies using policy files configured through the System Policy Editor.

The System Policy Editor is a graphical tool provided with Windows that allows you to easily update the registry settings to customize and lock down a particular user or group of users. The System Policy Editor creates a file that contains registry settings that are then written to the user or local machine portion of the registry database. User Profile settings that are specific to a user who logs on to a given workstation or server are written to the registry under HKEY_CURRENT_USER. Likewise, machine-specific settings are written under HKEY_LOCAL_MACHINE.


How to Set the System Policy File Share Location

By default, servers reference the Ntconfig.pol located in the Netlogon share. This reference can be found in the registry, located at:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Update

In order to create specific policies for MetaFrame servers you will need to modify the above registry key value to point to a dedicated MetaFrame policy file located on a network share. The value for this registry key is modified on a computer-by-computer basis. To modify this value, I recommend you use the System Policy Editor and modify the update section found in the network section of the default machine properties. The Common.adm administrative template defines this registry key as shown below.

Note: This change will need to be made on every MetaFrame server that you want to take advantage of System Policies.

1. Click Start, click Run, type poledit and click OK. Click File, Open Registry.

2. Double click on the Local Computer icon.

3. The Local Computer Properties box opens. Browse to Remote update (expand Network, System policies update, and then check Remote update). Choose Manual (use specific path) from the Update mode drop-down box and then enter the UNC location where the system policy will be stored in the Path for manual update text box. Click OK when finished.

4. Follow steps 1 through 4 on every MetaFrame server running in Application mode.

You are now ready to create user and computer system policies.
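The note above says the Remote update change has to be made on every server. The PowerShell script below is an added example, not code from the guide: it writes the same two values under the Update key that the poledit Remote update dialog sets (UpdateMode and NetworkPath) on each listed server and reads them back to confirm. Server names and the UNC path are constructed placeholders, and it assumes Remote Registry access as a local administrator on each server.

```powershell
# Added example (not from the guide): point every MetaFrame server's System Policy
# "Remote update" at a dedicated policy file instead of Netlogon\Ntconfig.pol, then
# read the values back. Assumes Remote Registry access as a local administrator.
$MetaFrameServers = @('CTXSRV01', 'CTXSRV02')             # constructed placeholders
$PolicyFile       = '\\FILESRV01\CTXPolicy$\Ntconfig.pol'  # constructed placeholder

# Values under HKLM\System\CurrentControlSet\Control\Update written by poledit:
#   UpdateMode  (DWORD)  1 = Automatic (Netlogon share), 2 = Manual (use specific path)
#   NetworkPath (String) UNC path of the policy file, used when UpdateMode is 2
$UpdateKeyPath = 'System\CurrentControlSet\Control\Update'

function Set-SystemPolicyPath {
    param([string]$ComputerName, [string]$Path)
    $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $ComputerName)
    try {
        $key = $base.CreateSubKey($UpdateKeyPath)   # writable handle; creates key if missing
        $key.SetValue('UpdateMode', 2, [Microsoft.Win32.RegistryValueKind]::DWord)
        $key.SetValue('NetworkPath', $Path, [Microsoft.Win32.RegistryValueKind]::String)
        $key.Close()

        # Re-open and compare so the result reflects what the server actually stored.
        $check = $base.OpenSubKey($UpdateKeyPath)
        try {
            return ($check.GetValue('UpdateMode') -eq 2) -and
                   ($check.GetValue('NetworkPath') -eq $Path)
        } finally { $check.Close() }
    } finally { $base.Close() }
}

# Catch a mistyped share before every server is pointed at a file that does not exist.
if (-not (Test-Path -LiteralPath $PolicyFile)) {
    throw "Policy file not reachable from here: $PolicyFile"
}

foreach ($server in $MetaFrameServers) {
    try {
        $result = if (Set-SystemPolicyPath -ComputerName $server -Path $PolicyFile) { 'OK' } else { 'MISMATCH' }
    } catch {
        $result = "ERROR: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Server = $server; Result = $result }
}
```

A MISMATCH row means the write did not stick (for example, a policy or permission on that server rewrote the key), so that server will keep loading the default Netlogon policy.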


How to add Administrative Templates to the System Policy Editor

1. Click Start, click Run, type poledit and click OK.

2. Click Options, click Policy Template.

3. Click Add.

4. Browse to a Policy Template and click Open.

5. If you would like to add more Policy Templates, repeat steps 3 and 4. When finished, click OK.

You are now ready to create or edit System Policies.


How to create a System Policy with the System Policy Editor

The following procedures document how to create a system policy with the System Policy Editor utility.

1. Click Start, click Run, and type poledit.

2. Click Edit, click Add Group.

3. The Add Group dialog box opens and prompts you to enter the group's name. Click Browse to select the group.

4. Select the groups you would like to add and click OK.

Note: I highly recommend you add the Domain Admins group and, for every change you make to a group, make the opposite change to the Domain Admins group. This will guarantee you do not lock yourself out.

5. You are now presented with the System Policy that, in this example, consists of the Default Computer, Default User, CTX Users and Domain Admins groups. Double click on the CTX Users account to open the policy.

Note: The CTX Users account is a group made up of every user that has log on access to the MetaFrame server. I recommend creating such a group instead of using the Domain Users group.


6. You are now presented with the CTX Users Properties and are free to configure the policy by selecting policies.

7. Now that you have imported the HideCalc Policy Template you will want to enable the policy by checking Hide Drives as defined by HideCalc. You will also want to make other changes, but remember to make the opposite changes to the Domain Admins group. Click OK when finished.

8. Now you will want to make the opposite policy change to the Domain Admins group to ensure that you do not lock yourself out of any features or functions.

9. Click to uncheck any policy that was enabled in step 7.

Note: An unchecked check box means the policy is not enabled. A grayed out check box means it will inherit the currently applied policy, and a checked box means the policy is enabled.

10. Click OK.

11. Click File, click Save.

12. Save the policy to the policy share that was created earlier in the document.

You are now ready to test your policies and tweak them as needed.
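The Hide Drives setting in step 7, like the HideCalc template recommended earlier for the GPO, comes down to the NoDrives bitmask that Explorer reads from HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. The PowerShell below is an added example, written independently of HideCalc and not taken from the guide, that computes and decodes that mask for a constructed set of server and mapped drive letters so you can check that the number in a template or policy hides exactly the drives you intend.

```powershell
# Added example (not from the guide, and not HideCalc itself): build and decode the
# NoDrives bitmask. Bit n hides drive letter n (A = bit 0 ... Z = bit 25).
# NoDrives only hides drives in Explorer and common dialogs; the NoViewOnDrive
# value uses the same bitmask to block browsing them. Requires PowerShell 3 or later.

function ConvertTo-NoDrivesMask {
    param([string[]]$DriveLetters)
    $mask = 0
    foreach ($letter in $DriveLetters) {
        if ($letter -notmatch '^[A-Za-z]$') { throw "Not a drive letter: '$letter'" }
        $index = [int][char]$letter.ToUpper() - [int][char]'A'
        $mask = $mask -bor (1 -shl $index)
    }
    return $mask
}

function ConvertFrom-NoDrivesMask {
    param([int]$Mask)
    # Returns the hidden drive letters in order, e.g. 12 -> C, D
    0..25 | Where-Object { $Mask -band (1 -shl $_) } |
        ForEach-Object { [string][char]([int][char]'A' + $_) }
}

# Constructed case: hide the server's own C: and D: plus mapped Citrix shares H: and P:.
$mask = ConvertTo-NoDrivesMask -DriveLetters 'C', 'D', 'H', 'P'
"NoDrives = $mask (0x{0:X})" -f $mask                        # NoDrives = 32908 (0x808C)
'Hidden drives: ' + ((ConvertFrom-NoDrivesMask -Mask $mask) -join ', ')

# Decode a mask from an existing template or policy to verify it before applying it.
'Mask 0x3FFFFFF hides: ' + ((ConvertFrom-NoDrivesMask -Mask 0x3FFFFFF) -join '')   # A..Z
```

Paste the resulting number into the policy's NoDrives value (a DWORD); decoding it back is the quickest way to catch a template that hides a drive the Domain Admins group still needs.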

 

 

 
