Group Policies give you the means of controlling what users and computers can do when logged on. You can do this by controlling their desktop, network connections and user interface. You do this to ensure that users have what they need to perform their jobs, but do not have the ability to corrupt or incorrectly configure their environment.

Group Policy applies to the user or computer in a manner that depends on where both the user and the computer objects are located in Active Directory. However, in a MetaFrame XP environment you need policies applied to just the MetaFrame XP Servers and the users who log in to them, based on the location of the computer object alone. You can use the Group Policy loopback feature to apply Group Policy Objects (GPOs) that depend only on which computer the user logs on to. This policy directs the system to apply the set of GPOs for the computer to any user who logs on to a computer affected by this policy.

With the Group Policy loopback policy, you can specify two other ways to retrieve the list of GPOs for any user of the computers in this specific OU.

Merge Mode - In this mode, when the user logs on, the user's list of GPOs is gathered normally by using the GetGPOList function. The GetGPOList function is then called again, using the computer's location in Active Directory. The list of GPOs for the computer is then added to the end of the GPOs for the user. This causes the computer's GPOs to have higher precedence than the user's GPOs. In this example, the list of GPOs for the computer is added to the user's list.

Replace Mode - In this mode, the user's list of GPOs is not gathered. Only the list of GPOs based on the computer object is used.

NOTE: Loopback is supported only in a purely Windows 2000-based environment. Both the computer account and the user account must be in Active Directory. If either account is managed by a Microsoft Windows NT 4.0-based domain controller, loopback does not function. The client computer must be a Windows 2000-based computer.

For more information, please refer to the Microsoft support web site.

Step-by-Step Guide to Understanding the Group Policy Feature Set
http://www.microsoft.com/windows2000/techinfo/planning/management/groupsteps.asp

The following sections describe how to prepare Active Directory and create Group Policies.

When MetaFrame XP Servers are in a Windows 2000 Active Directory domain, the domain administrator needs to implement Group Policy Objects (GPOs) that affect only the MetaFrame XP Servers to control the user environment. The following describes the recommended process of applying GPOs to MetaFrame XP Servers without adversely affecting other Windows 2000 servers and workstations on the network.

The first option is to create an organizational unit (OU) specifically for the MetaFrame XP Servers in Application Server mode. This OU allows specific GPOs to be applied to only those MetaFrame XP Servers and computers, creating a tightly controlled MetaFrame XP experience for the users without affecting the other servers and workstations in the Active Directory domain. This OU should not contain users or other computers; therefore, domain administrators can fine-tune the MetaFrame XP experience. Control of the OU can also be delegated to subordinate groups such as server operators or individual users.

To create a new OU for the MetaFrame XP Servers, follow these steps:

1. Click Start > Programs > Administrative Tools > Active Directory Users and Computers, then click Action > New > Organizational Unit.
2. Enter the name for the OU that will house your Citrix MetaFrame XP Servers. Click OK.
3. You are now ready to move the desired MetaFrame XP Servers to the newly created OU. Locate the MetaFrame XP Server in question (located in the Servers or Computers OU). Right-click the desired server and click Move.
4. Click the newly created OU dedicated for MetaFrame XP Servers and click OK.
5. From the MetaFrame XP Server console of the server(s) added to the newly created OU, click Start > Run, type MMC and click OK.
6. Click Add/Remove Snap-In.
7. The Add/Remove Snap-In box opens; click Add.
8. Click to select Group Policy and click Add.
9. Click Finish.
10. Click Close.
11. Click OK.
12. Open the Local Computer Policy, drill down to the Computer Configuration > Administrative Templates > System > Group Policy folder, and double-click to select User Group Policy loopback processing mode.
13. Click to select the Enabled radio button and click OK.
14. Repeat steps 3 and 4 for every MetaFrame XP Server running in Application mode.

You are now ready to create group policies to customize and lock down the user environment and experience. For the purpose of example, the following illustrates how to create a Group Policy made up of miscellaneous changes along with the MIAB.ADM file.

1. Right-click the OU created above and click Properties.
2. Click New.
3. Give a name to the newly created Group Policy Object.

1. Click Properties and assign the users / groups to be assigned to the GPO. As you see in this example, I have denied access to the CTX Admins group to verify that the policy will not be implemented, and have applied the GPO to the CTX Users group.
2. Click OK when finished.
3. Double-click the newly created Group Policy Object to open and edit the group policies.

   NOTE: Most of the relevant settings are under Computer Configuration, Security Settings, or Local Policies. For example, under User Rights Assignment in the list on the right, you find Log on Locally, which is required for logging on to a session on Terminal Services; and you find Access this computer from the network, which is required to connect to the server outside of a MetaFrame XP session. This is also where you can prevent users from being able to shut down the system and other functions.
4. If you will be adding or removing an Administrative Template, right-click Administrative Templates and click Add/Remove Templates.
5. The Add/Remove Templates window opens and you are able to add or remove the desired template. For this example we will be adding the MIAB.ADM file. Click Add to add a custom Administrative Template.
6. Browse to the location of the MIAB.ADM file found in the Methodology in a Box download and click Open.
7. Click Close.
8. Reopen the Group Policy and click the Administrative Templates folder in the User Configuration section of the policy. Click View from the action menu bar and uncheck Show Policies Only.
9. Due to a bug in Users and Computers, you will need to close down the policy and reopen it.
10. You will now find a Project in a Box v.2.0 section in both the Computer Configuration and User Configuration sections of the Group Policy tool. The following are the four different pages of configuration settings found in MIAB.ADM.
    + Computer Configuration > Administrative Templates > Project in a Box v.2.0
    + Computer Configuration > Administrative Templates > Project in a Box v2.0 > User Override on Win Station
    + User Configuration > Administrative Templates > Project in a Box v2.0
    + User Configuration > Administrative Templates > Project in a Box v2.0 > SAP
11. Make the appropriate changes to the Group Policy Object and close the policy.

You have now successfully added MIAB.ADM and configured the settings. I highly recommend doing the same for a HideCalc ADM file as documented below. This will give you a wider selection of drives to hide (including not only the server drive letters but also any Citrix-related file shares).
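The Merge and Replace loopback modes described earlier, together with the CTX Users / CTX Admins filtering applied to the GPO, can be modelled as follows. This is an added example, not code from the original article or from Microsoft or Citrix: it models only the list ordering the article describes, and the GPO names and setting names are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    user_settings: dict                         # User Configuration settings in the GPO
    apply_to: set = field(default_factory=lambda: {"Authenticated Users"})
    deny: set = field(default_factory=set)      # groups denied the GPO

def gpo_list(user_gpos, computer_gpos, mode):
    """Ordered GPO list for a user logon; entries later in the list win."""
    if mode == "off":        # no loopback: only the user's location counts
        return list(user_gpos)
    if mode == "merge":      # user's list first, computer's list appended
        return list(user_gpos) + list(computer_gpos)
    if mode == "replace":    # user's list is not gathered at all
        return list(computer_gpos)
    raise ValueError(f"unknown loopback mode: {mode}")

def effective_settings(user_gpos, computer_gpos, mode, groups):
    """Apply the list in order, skipping GPOs filtered out for these groups."""
    groups = set(groups) | {"Authenticated Users"}
    result = {}
    for gpo in gpo_list(user_gpos, computer_gpos, mode):
        if gpo.deny & groups or not (gpo.apply_to & groups):
            continue                        # deny wins over apply
        result.update(gpo.user_settings)    # later GPO overrides earlier one
    return result

# Constructed sample data: one GPO on the user's OU, one on the MetaFrame XP OU.
USER_OU = [GPO("Office Desktop", {"wallpaper": "corp.bmp", "run_menu": "shown"})]
SERVER_OU = [GPO("MetaFrame Lockdown",
                 {"run_menu": "hidden", "hidden_drives": "C,D"},
                 apply_to={"CTX Users"}, deny={"CTX Admins"})]

if __name__ == "__main__":
    for mode in ("off", "merge", "replace"):
        for groups in (["CTX Users"], ["CTX Users", "CTX Admins"]):
            print(mode, groups, effective_settings(USER_OU, SERVER_OU, mode, groups))
```

In Replace mode an account that is denied the only GPO on the server OU ends up with no user settings at all, which is worth checking before relying on a deny entry for administrators.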