GP for different PC's

[Guest]

hi
Current scenario
Average user can logon to the citrix server. Obtains GP which disallows the Run command on the start menu. The policy definition is defined in the User configuration. There are other items which i've left out for the simplification of this example

Desired scenario
The same average user can logon to a workstation PC but is allowed the Run command on the start menu
When the user then logs back onto the citirx server they no longer can have the Run command on the start menu

I am happy to make up more than one GPO, but i am unable to understand how this can be done if at all
as what i am trying to do is based on the user as well as the workstation he/she is logging onto

Please hel

 

[Cary Shultz [A.D. MVP]]

Jeremy,

This sounds like you need to enable Group Policy and make use of Loopback
Processing. This way it affects only those users that log on to the
computer(s) affected by this. Please take a look at the following MSKB
Articles:

http://support.microsoft.com/?id=278295
http://support.microsoft.com/?id=260370

This first one should one should give you a bunch of possible policies to
set while the second one will lay out the big picture ( look at method 1 ).

HTH,

Cary

hi,
Current scenario:
Average user can logon to the citrix server. Obtains GP which

disallows the Run command on the start menu. The policy definition is
defined in the User configuration. There are other items which i've left out
for the simplification of this example.

Desired scenario:
The same average user can logon to a workstation PC but is allowed the Run command on the start menu.
When the user then logs back onto the citirx server they no longer can

have the Run command on the start menu.

 

[Andrew Mitchell]

hi,
Current scenario:
Average user can logon to the citrix server. Obtains GP which
disallows the Run command on the start menu. The policy definition
is defined in the User configuration. There are other items which
i've left out for the simplification of this example.

Desired scenario:
The same average user can logon to a workstation PC but is allowed the
Run command on the start menu.
When the user then logs back onto the citirx server they no longer
can have the Run command on the start menu.


I am happy to make up more than one GPO, but i am unable to understand
how this can be done if at all. as what i am trying to do is based on
the user as well as the workstation he/she is logging onto.

Quite simple to achieve using loopback processing of your group policy.

Create an OU that only contains the metaframe servers and apply the GPO that
removes the Run command to that OU. In the same GPO, browse to Computer
Configuration\Administrative Templates\System\Group Policy and enable the
Loopback Policy setting.

Loopback processing will cause user GPO settings to be applied to any user
that logs into that computer.

Have a look at the following 2 links for more details.
http://support.microsoft.com:80/support/kb/articles/q260/3/70.asp
http://support.microsoft.com/default.aspx?scid=kb;EN-US;231287

Although the fist page refers to Terminal Services, the same process applies
to metaframe servers as they are basically the same thing.

 

[Guest]

Thanks guy

I'll give it a whirl and see how it goes