Group Policy best practices for Citrix and Terminal Server environments

Written on Feb 26 2008 Filed under: Tip, Citrix 38,304 views, 29 comments

by Gabe Knuth

Recently, I created a video for Citrix's Tech Videos website covering best practices for group policies, user profiles, and folder redirection. In the video, I talk a bit about how to use each feature to your advantage on a high level - things that would work for pretty much any environment.

In this three-part article series, we're going to take a look at Group Policies, Folder Redirection, and Profiles in their own articles. I'm sure to stir up some conversation, so I want to make it clear right away that these aren't for everybody, but are high level enough to work for most. There are as many different environments as there are people reading this article, so pick and choose the solutions you use wisely, and if you have any suggestions, feel free to comment. Also, there is no mention of any third-party products here (except for Flex profiles, which will be covered in the Profiles article). This is meant to cover what you can do out-of-the-box. If you use third party utilities to make your Group Policy life easier, please post them in the comments.

Today, we'll talk about Group Policies and and some ways to build a good group policy foundation. We'll also take a quick look at Microsoft's new Group Policy Preferences feature that will be included in Windows Server 2008 and Vista SP1.

Group Policies

By now you are familiar with Group Policies, but there are a few things to get out of the way. First, if you don't have the Group Policy Management Console yet, get it. It'll make your life a lot easier from an administration, documentation, and auditing standpoint.

Next, let's go over the nomenclature that is used. Group Policies are actually broken down into a few different types of items. We have Group Policy Objects (GPO's), Group Polcies and Linked Policy Objects. These terms are used interchangeably quite often, which is fine, but when it comes down to the nitty-gritty of GP administration, it's good to know the difference:

Group Policy Objects are containers for Group Policies. A GPO is basically a group of settings, the "settings" being the individual Group Policies. Group Policy Objects are created in the domain, and are referenced at the container level by linking to the GPO--this is a Linked Policy Object. It's essentially just a shortcut to the actual GPO object in the domain.

There are many schools of thought when dealing with Group Policies. Many people are afraid to create too many policies for fear of affecting performance. In reality, the quantity of policies doesn't affect performance as much as what you're doing with those policies. If you're using policies to configure the user's environment (like the Start Menu, Control Panel, or Office settings), you can generally have as many policies as you need. However, if you're installing software with your policies, you can expect logon times to be affected as the system checks for existing software and/or installs new software. Sometimes this in unavoidable, but its important to know where the problems lie.

My favorite method of using Group Policies is to start by creating a standard default user policy object for your Terminal or Presentation servers. This policy object should have every setting that every user needs. This can be forcing the classic start menu or the default save location for Word -- anything that everyone should have configured. Inevitably, you'll run into exceptions - the secretary that has her documents stored elsewhere on the file server and wants her default save-to location to be different, for instance. In these situations, you can break that policy out of the default object and into its own policy object. The process would look something like this:

1. Using the GPMC, create and link a GPO to the same container as the default policy.
2. In your new policy object, configure the save-to location policy the exact same way as it is in the default policy object.
3. In your default GPO, change the save-to location setting to Not Configured

At this point, nothing has changed from the users' standpoint. The only backend change is that there are now two GPO's being applied to them at logon instead of one. Now we need to exclude the secretary from having that policy applied to her.

1. I usually create a group in Active Directory PE_. The "PE" stands for "Policy Exempt." In this case, I would create a group called PE_SaveLocation.
2. Add the secretary and other users for which you'd like to exempt from the policy to the group you just created.
3. In the GPMC, select the new linked policy object that you created a minute ago, and select the Delegation tab on the right side of the GPMC window.
4. Click the Advanced button, and add the PE_SaveLocation group to the ACL.
5. Select the PE_SaveLocation group, and in the bottom portion of the window, choose to DENY access to the Apply privilege.

Now, when the exempted user logs in, he or she will have the default policy applied to them, but when it's time to apply the save location policy, their access will be denied and they will be able to change the location on their own.

What typically ends up happening is you'll start with a large default policy object and no other GPO's. As time goes by and you need to exempt people from certain settings, you'll break those settings out into their own objects (with their own security). Hopefully you can identify some trends and group some of the exempted policies together, but this is not that important. It's not uncommon to end up with ten or twenty GPO's that cover all of your users.

Group Policy Preferences

The final item to talk about for this part is the new feature called Group Policy Preferences. This feature comes from Microsoft's acquisition of a company called Desktop Standard in late 2006.

Group Policy Preferences will be released with Vista SP1 and Windows Server 2008 (in RTM as of this writing). GP Preferences will essentially allow administrators to configure the same settings as you can with group policies using the GPMC. In fact, GP Preferences are deployed as part of a Group Policy Object. The difference is that GP Preferences are simply default settings that aren't necessarily enforced.

For instance, if you used a group policy to configure the default IE home page for your users, they would not be able to change the home page. They would be locked out of the interface to do so. With GP Preferences, you'll be able to configure the default home page, but the interface to change the home page will remain available to the user, and the user will be able to change it. As the admin, you'll be able to configure whether this change is static between logoffs or is reset each time the user logs back on.

GP Preferences will be included with Windows Server 2008. Admins will also be able to configure and deploy GP Preferences in a Windows Server 2003 environment by installing the Remote Server Administration Tools on a Windows Vista SP1 system (Vista SP1 is supposedly coming any day now).

GP Preferences can be supported on computers running Windows XP with SP2, Windows Vista, and Windows Server 2003 w/ SP1 by installing GP Preferences client side extensions. These allow the clients to interpret the new types of settings coming to them. Client side extensions will be available for download on Microsoft's website upon release of the Vista SP1 and/or Server 2008. The client side extension is already built in to Windows Server 2008.

GP Preferences is pretty exciting for me, as I'm always open to ways to make terminal server environments less rigid, while still maintaining control. We don't have to wait much longer to get our hands on it, though. If anyone's used the Desktop Standard product and has anything to share, feel free to leave a comment below.

Next time, we'll be taking a look at Folder Redirection and some things to consider as you configure it for your environment.

Comments

Guest wrote AppSense

on Tue, Feb 26 2008 10:45 PM

Brian,

 We have started to look at AppSense for the profile management.  Have you looked at this?  Just curious what your thoughts were on thsi.

Guest wrote Desktop Standard

on Wed, Feb 27 2008 2:40 AM

I had a look at the policy preferences at Teched in Barcelona.

The implementation into Windows Server 2008 feels like it is trown in the mix as is. By this i mean that many preference and GPO's serve a common goal, i which they overlap each other. Don't get me wrong, these preferences will give us more control over user and computer environments in ways we could only dream in previous versions, but it is just the way it is trown into the product to add more functionallity.

 

Michael Keen wrote triCerat Simplify Profiles

on Wed, Feb 27 2008 6:41 AM

Great article Brian.  My best practice going into any engagement (as you said, there are as many different environments as there are people reading your article) is an tool by an old HP colleague of mine, Richard Egenas (now with EnvokeIT in Sweden).  It is called the TS Checker/Tuner and is one of the best ways to add in the necesary settings for environments.  I can create a high level template like you mention in your article above and then tweak it to the customer environment.  For the profiles and folder redirection my best practice is the triCerat Simplify Suite.

Cheers

Guest wrote Re: triCerat Simplify Profiles

on Wed, Feb 27 2008 8:18 AM

Giving Brian credit for Gabe's article?

Guest wrote Written by:

on Wed, Feb 27 2008 8:49 AM

Do people EVER look at the "Written by:" before commenting?!?!

Guest wrote Re: Written by:

on Wed, Feb 27 2008 9:30 AM

Well it is Brianmadden.com, so Brian does deserve some Kudos!

Brian Madden wrote Re: AppSense

on Wed, Feb 27 2008 10:23 AM

Sure, but Gabe wrote this article, not me!

I like AppSense. And RES. And RTO has a cool virtual profile solution too.

Brian Madden wrote Re: Re: Written by:

on Wed, Feb 27 2008 10:28 AM

This happens a lot. I guess we need to start posting photos along with articles. Maybe this is good then and readers will want more from Gabe. We were both at a party at a friend's house about ten years ago. At the time Gabe was single and I was in a relationship. We both had conversations some random girl there, and friend of ours told her later that Gabe was single. "Which one was Gabe," she asked, "The cute one or the tall one?"

I'm 6'3"

Guest wrote Loop-back?

on Wed, Feb 27 2008 10:43 AM

I'm rather puzzled that loop-back mode for Group Policy processing wasn't mentioned in this article.  After the paragraph "start by creating a standard default user policy object for your Terminal or Presentation servers. This policy object should have every setting that every user needs." I was expecting you to mention "and select the loop-back option".  Of course, if the loop-back option is selected the rest of the advice won't work, since it works for ALL USERS on that Terminal/PS server.  I thought loop-back was a must-do for server-based computing, but maybe there are other views?

Aaron Parker wrote Re: AppSense

on Wed, Feb 27 2008 10:46 AM

I'm finding the current version of Environment Manager a little cumbersome to administer. For instance you can't import registry values (you can import the keys but you have to put the values in manually), Other items such as Copy Folder actions have to be configured individually rather than select a number of folders at once. EM does work well though and the AppSense guys always have a new version in the works, so problems you may have should be addressed fairly quickly.

Gabe Knuth wrote Re: Re: Re: Written by:

on Wed, Feb 27 2008 10:54 AM

And I was 190 pounds :)

Gabe Knuth wrote Re: Loop-back?

on Wed, Feb 27 2008 11:10 AM

Loopback is only a must-do for SBC if you are applying policies to the container where your terminal servers are.  A lot of places do this, so I probably could've mentioned it at least in passing (does that count :) ?).  It is possible, to a point, to avoid applying user policies to the container where your terminal servers reside, and doing so reduces complexity.

The thing is, this is meant to be a starting point, since there are a lot of people that don't use group policies, folder redirection, or some sort of profile management.  In a lot of ways, this article isn't intended for the hardcore guys, but more for the people who are sitting on SBC environments that they inherited or on small environments that are taking way too much time to administer.  Still, hopefully the hardcore guys can take something out of it, too.

Gabe Knuth wrote Re: Re: Loop-back?

on Wed, Feb 27 2008 11:20 AM

You know, I've been thinking about this some more.  I think that the settings that I'd configure on the terminal server container in the user policy (and would therefore need Loopback processing) would be more security related, but that's not 100% true either.   

Tell you what, I'm going to think about a way to do a writeup on Loopback processing.  Maybe I'll make this a four-part series and tack it on as another installment.  

SE wrote Re: Re: Written by:

on Wed, Feb 27 2008 12:50 PM

poor Gabe... maybe you can convince Brian to change the name of the site to brianmaddenandgabeknuth.com :)

Brian Madden wrote Re: Re: Re: Written by:

on Wed, Feb 27 2008 2:54 PM

I wonder if thetallone.com is available?

Gabe Knuth wrote Re: Desktop Standard

on Wed, Feb 27 2008 3:13 PM

I think (and only *think* until I play with it in person) that that's the point - the settings are similar, but GP Prefs is less rigid.  It's more like having a centralized location to configure the default settings out of the box, while still allowing the users to change them if the desire.  However, I think GP Prefs can also be enforced to some degree, so I'm sure there are some situations where you could use either to accomplish the same goal.

Guest wrote How to video on Mac

on Thu, Feb 28 2008 12:37 AM

Does anyone know how I could view the video files on Citrix's website from a Mac with firing my windows VM in Parallels/Fusion?

Guest wrote Loopback processing

on Thu, Feb 28 2008 2:58 AM

Keep in mind the basics about group policy processing.

First computer policies and thus policies applied to the computer object are applied, after that user policies are applied. Meaning certain computer policies are overwritten by the user policy. If you want computer policies to be applied after the user policy has been processed, you have to use loopback processing mode.

When loopback processing mode is in merge mode, the user policies (Policies applied to the user object) are applied and than computer policies are re-applied. In replace mode, user policies (Policies applied to the user object) are discarded.

Andreas wrote Desktop Standard free edition

on Thu, Feb 28 2008 8:06 AM

Gabe asked for sharing experiences with the desktop standard product.

We use the the freeware edition of the group policy client-side extension since three years.
There are several desktops published in the farm.
With loopback processing and option replace you get just one desktop per server.
The desktop, start menue and programs are stored in a folder structure per published application (=desktop).
By means of the group policy client-side extension we define an enviroment variable which contains the name of the published application.
This environment variable is used in an other GPO with folder redirection.
With this method we get a desktop per application and user in a loop back scenario.

In our environment we use a homegrown session management which enables any application for any server and user at the same time.
Of course there are no conflicting applications.
The heart of the settings is a xml file with now 2000 lines.
Personally I feel much more comfortable to edit one configuration file and not a a bunch of several hundred group policy references scattered over a lot of gpos.

The real problem and for me a showstopper is the missing import feature. I would like to transform the already existing settings and import it into new or existing gpos.
The gui for the definition of settings and filters is very impressive and powerful. But as already mentioned the settings will be scattered over a more or less greater number of gpos.
And it will cost a lot of time to search for settings to change. And if you use the filters, you will have a problem to get a picture of the flow of control during the processing of the group policy preferences.

my 2/100 of €

Andreas

Gabe Knuth wrote Re: How to video on Mac

on Thu, Feb 28 2008 10:39 AM

I run a Mac and it works for me right in the browser.  I have Flip4Mac installed, though.  You can search for Flip4Mac, but try this site: http://blog.twenty08.com/2006/12/27/codec-pack-for-all-the-new-mac-users/

They have a "codec pack" for the Mac that includes things like DivX and XviD as well.  The Citrix videos are in WMV9 format, so for you, Flip4Mac should solve your problem (which is also included in that codec pack, I think).

Patrick Rouse wrote Re: Loopback processing

on Fri, Feb 29 2008 11:47 AM

Gabe's video was excellent. Here are the best practices (according to me) for designing GPO for TS, without going into all of the individual settings:

1. Create an OU to contain a set of Terminal Servers
2. Block Policy Inheritance on the OU (Properties -> Group Policy). This prevents settings from higher-up in AD from affecting your Terminal Servers.
3. Move the Terminal Server Computer Objects into the OU. Do NOT place User Accounts in this OU.
4. Create an Active Directory Security Group called “Terminal Servers” (or something similar that you’ll recognize) and add the Terminal Servers from this OU to this group.
5. Create a GPO called “TS Machine Policy” linked to the OU
6. Check “Disable User Configuration settings” on the GPO
7. Enable Loopback Policy Processing in the GPO
8. Edit the Security of the Policy so Apply Policy is set for “Authenticated Users” and the Security Group containing the Terminal Servers
9. Create additional GPOs linked to this OU for each user population, i.e. “TS Users”, “TS Administrators”.
10. Check “Disable Computer Configuration settings” on these GPO
11. Edit the Security on these User Configuration GPOs so Apply Policy is enabled for the target user population, and Deny Apply Policy is enabled for user to which the policy should not apply.

With GPOs configured this way the Machine Policy applies to everyone that logs on to the Terminal Server (only the Computer Configuration Settings of the Machine Policy are processed) in addition to the appropriate User Configuration GPO (only the User Configuration portion of the GPO is processed) for the target user population.

Patrick Rouse
Microsoft MVP - Terminal Server
SE, Western USA & Canada
Quest Software, Provision Networks Division
Virtual Client Solutions
(619) 994-5507
http://www.provisionnetworks.com

Guest wrote Re: Re: Loopback processing

on Sat, Mar 1 2008 4:01 PM

- I also like to split my custom adm files by machine and user and only import the part that is enabled for that gpo. I guess this is more inutition than anything else, but it seems like a smaller user gpo would be more efficient.

Mark

Guest wrote When looking at alternatives to Group Policies why not look to Open Source

on Thu, Mar 6 2008 7:29 AM

C'mon guys stop with the shameless vendor plugs.  There is a good, no I should say GREAT, solution out there that is Open Source and they are a Citrix Partner to boot.  To manage user profiles, skip the convuluted Group Policies and the other vendors mentioned.  Script Start is Open Source and its so easy Templeton himself could set it up. 

David Chivers wrote Re: Re: Loopback processing

on Thu, Mar 6 2008 9:10 PM

Why bother with the "Terminal Servers" security group when the policy will apply to all objects in the OU by default anyway?

If you have only Computer policy settings in your "TS Machine Policy" (which is the only reason why you would select "Disable User Configuration settings") then enabling Loopback is irrelevant. Loopback is used to enforce the User Configuration that you have just disabled.

Using "Deny" permissions is a cool idea to make a policy exception, but if you are filtering two security groups from using each other's policies you could run into problems if a user is a member of both. I'd tend to just filter on the Allow. It is these two policies that would need Loopback turned on.

N Vickers wrote Re: Re: Loop-back?

on Sat, Mar 8 2008 4:22 AM

Actually it is difficult to do justice to this subject in such a short space.  There seems to be an implicit assumption in the article that the environment into which the GPOs apply is 100% TS/Citrix, or even that AD is set up in such a way so as to be conducive to separating out the way the TS environment is handled from the way a fat client is handled.

 I've always strived to maintain global policies where possible, mainly for the sake of KISS.  These are the basic settings that apply to all users.  Then where necessary, I use GP Loopback processing in merge mode to do the TS specific settings.  

 Underlying this is the assumption also that a similar user experience is desirable for both fat and thin client environments.  Depends what you're doing really.  So many variables involved!

Guest wrote Re: Re: Re: Loopback processing

on Sat, Mar 8 2008 1:11 PM

loopback makes the GetGPO call read up the machine OU rather than the User object OU- this impacts all user sections from all GPOs processed by that machine- not just the GPO where you set loopback.  Put it in the lab if you don't believe me.

Mark Colburn wrote Re: Re: Re: Re: Loopback processing

on Sat, Mar 8 2008 1:19 PM

Sorry, wasn't logged in again.

 Mark

Roger Liu wrote Re: Desktop Standard free edition

on Fri, Mar 28 2008 12:54 PM

Desktop Standard is a brilliant GUI tool that you can use to create many features that is quite difficult by Windows GPMC.

You can easily change the registy settings without creating gp template. You know, for windows most of settings are in registry, this means you can easily configure machine settings and user settings in a centralized manner. Although you can also do it with windows default GPMC, but with lot more efforts.

Guest wrote Re: triCerat Simplify Profiles

on Tue, Jul 29 2008 4:25 PM

I have significant issues with TriCerat, with many features turned off due to serious server overhead. I'm redesigning the farm with GPOs rather than this product.

(Note: You must be logged in to post a comment.)

If you log in and nothing happens, delete your cookies from BrianMadden.com and try again. Sorry about that, but we had to make a one-time change to the cookie path when we migrated web servers.