Our Information Security Policy states that screens will be locked after 15 minutes of inactivity.
We've recently built a new 'secure' build of a Thin Client OS (Embedded Standard 2009), which logs on locally with a basic user account, which is fully locked down, and the devices aren't joined to our domain. The device connects to our Citrix portal (Web Interface) and the user is then prompted for domain authentication to access their applications.
This is where the issue comes in! How can I make the Citrix instance (applications) lock after 15 minutes of inactivity and re-prompt for that user's domain credentials? I thought about doing this by setting the Terminal Services Manager to end an idle ICA session after 15 minutes.
However, this will somewhat annoy our other non-thin-client Citrix users (laptops etc. which are joined to the domain) who already have their screens locking under our domain policies. Is there a policy or way that I can disconnect certain users' (only the thin client users) Citrix instances after 15 minutes of inactivity and then prompt for re-authentication when they reconnect?
Kind Regards,
Luke
Hmm, it sounds like you have all the correct settings. Have you tried testing with a new user account?
FYI: Screen savers don't work with published applications, only with published desktops - see CTX113039 for details.
Alan Osborne
President (MCSE, CCNA, VCP, CCA)
VCIT Consulting - Citrix/Terminal Services Remote Desktop Solutions for SMB
You could use the GPO for pushing these settings. For all Thin Client (or non-domain computers) you make a separate OU in the AD. On that OU Non-domain-computers, create a policy with the settings to lock down with domain credentials after 15 minutes.
You could set this policy also on all users or all computers.
Should work.
Läslo
"one day not online is a day fully lifed!"
Hi,
You can use a GPO to lockout the account after a specified idle time and apply that GPO only to TS users by using GP loopback, then attaching that GPO to the OU containing the XenApp servers. The GP settings contained within the GPO will then be applied to TS users only.
Look under User Configuration -> Administrative Templates -> Control Panel -> Display for:
Screen Saver
Screen Saver executable name
Password protect the screen saver
Screen Saver timeout
Pick and enable a screen saver, specify a timeout, and enable password protect.
Perfect! Thanks for that, I'll give it a try shortly.
So I've applied a policy to the OU containing my Citrix Servers and set security filtering so that it will only apply to my domain account (whilst I'm testing). The policy settings are:-
Computer Configuration (Enabled)
  Administrative Templates
    System/Group Policy
      User Group Policy loopback processing mode: Enabled, Mode: Replace

User Configuration (Enabled)
  Administrative Templates
    Control Panel/Display
      Hide Appearance and Themes tab: Enabled
      Hide Desktop tab: Enabled
      Hide Screen Saver tab: Enabled
      Hide Settings tab: Enabled
      Password protect the screen saver: Enabled
      Prevent changing wallpaper: Enabled
      Remove Display in Control Panel: Enabled
      Screen Saver: Enabled
      Screen Saver executable name: Enabled
        Screen Saver executable name: %systemroot%\system32\scrnsave.scr
      Screen Saver timeout: Enabled
        Number of seconds to wait to enable the Screen Saver: 10 (for testing)
When I run a Resultant Set of Policies on the Citrix box I'm logged onto, the settings are all applied to my user account. However, I leave my screen inactive for 10 seconds (tried up to 10 minutes) and it still doesn't lock or present the screen saver! It appears as though the settings still aren't applying.
Am I missing something obvious here?
Any ideas?
Thanks in advance.
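A quick way to confirm, from inside the Citrix session itself, whether the loopback and screen-saver policy values from the posts above actually reached the registry (added example for this thread, not code from any poster; it assumes the standard policy locations under HKCU\Software\Policies\...\Control Panel\Desktop and HKLM\Software\Policies\Microsoft\Windows\System, and only reads values):

```powershell
# Added check, not from the thread: report the effective screen-saver lock
# policy in the current session and the loopback mode on the XenApp server.
$desktopPolicy = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$systemPolicy  = 'HKLM:\Software\Policies\Microsoft\Windows\System'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    if (Test-Path $Path) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null   # value not delivered by any GPO
}

# Values written by the Control Panel/Display policies (strings, "1" = enabled)
$active   = Get-PolicyValue $desktopPolicy 'ScreenSaveActive'
$secure   = Get-PolicyValue $desktopPolicy 'ScreenSaverIsSecure'
$timeout  = Get-PolicyValue $desktopPolicy 'ScreenSaveTimeOut'
$exe      = Get-PolicyValue $desktopPolicy 'SCRNSAVE.EXE'
# Written by "User Group Policy loopback processing mode" (1 = Merge, 2 = Replace)
$loopback = Get-PolicyValue $systemPolicy  'UserPolicyMode'

$loopbackText = switch ($loopback) { 1 { 'Merge' } 2 { 'Replace' } default { 'not set' } }
Write-Host "Loopback processing mode : $loopbackText"
Write-Host "Screen Saver enabled     : $active"
Write-Host "Password protected       : $secure"
Write-Host "Timeout (seconds)        : $timeout"
Write-Host "Screen saver executable  : $exe"

# Flag anything that would stop the lock from happening
$problems = @()
if ($active -ne '1') { $problems += 'Screen Saver policy not enabled in this session' }
if ($secure -ne '1') { $problems += 'Password protect the screen saver not enabled' }
if (-not $timeout -or [int]$timeout -le 0) { $problems += 'Screen Saver timeout missing or zero' }
if ($exe) {
    $resolved = [Environment]::ExpandEnvironmentVariables($exe)
    if (-not (Test-Path -LiteralPath $resolved -PathType Leaf)) {
        $problems += "Screen saver executable does not resolve to a file on disk: $exe"
    }
} else {
    $problems += 'No screen saver executable set by policy'
}

if ($problems.Count -eq 0) { Write-Host 'Screen-saver lock policy looks complete for this session.' }
else { $problems | ForEach-Object { Write-Warning $_ } }
```

Note that per CTX113039 (mentioned earlier in the thread) these values being present still only produces a lock in a published desktop, so a clean result here with a published application does not by itself mean the session will lock.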
More messing around and testing but still no joy.
Anyone got any ideas on this one?
Are your thin clients running Windows XP Embedded? If so, you could always domain join them, have them log in with a generic user account, and then apply a screensaver policy to the thin clients.
Hmm that's where I'm coming unstuck - we use published apps, not a published desktop.
I'm not joining the machines to the domain; the whole point of not joining them is to lock down the local machines as much as possible, and even if I applied a screensaver to them locally, the screen needs to challenge for the users' Citrix / Domain logon details, not the local auto logon user.
I have a published application which automatically locks the screen when published, but I need the screen to also auto lock after 10 minutes of inactivity.
Hmm any ideas on how to achieve this?
Ahah! Fixed it!
Changed the policy so instead of running a .SCR file it now runs "rundll32.exe user32.dll, LockWorkStation" - works perfectly! :-)
Thanks for all your help.
Regards,
Well, this was working but now isn't. Hmmm... well, I think it was working.
The policies are all applied but the screens will not lock after 10 minutes of inactivity. Anyone have any ideas on this?