Question on GPO



I have a Citrix farm running on Windows 2000 Server (metaframe xp FR3).

In my A/D, I have an O/U where I've placed all of my Citrix Servers.
Presently, there are very minor GPO's applied (do not allow shutdown, for

In my A/D, I have separate O/Us based upon Functional Department (Sales,
Marketing, Engineering). I place my User accounts for each department in
their respective O/Us.

I have created a GPO that specifies Folder Redirection and other USER
settings and have linked that GPO to my Functional Department O/Us.

I have created security groups (Sales Desktop Policy, Marketing Desktop
Policy) that contains the members of each group that the GPO policy must be
applied to. This acts like a filter to give us control of having a GPO NOT
apply to someone. For example, If betty and paul are in Sales, but Paul is a
manager and doesn't need to have the GPO apply, I don't have him in the
Sales Desktop Policy security group. The security groups have the ability to
READ and Apply Group Policy rights.

FInally: here's my question:

When one of my users in the Sales OU (who has the GPO applied) logs into my
Citrix box, the Folder redirection and other User Settings are not applying.

I thought user settings were to the USER and not to the computer? Since all
of my destkop management GPO settings are USER settings.

In other words, i would have expected his user profile settings to apply to
the citrix session profile and they are not.

What do I have to do to make the USER GPO settings apply to the user when
they log on to the citrix box.

it seems to me that since my settings are USER GPO settings, that they
should be applying when they logon to the citrix box.


With a Terminal Server, you need to setup the User Policy in the Group
Policy that applies to the Terminal Server. Then, under the Computer
Configuration / Administrative Templates / System / Group Policy you need to
Enable the Loopback Processing. This will force the User Settings to apply
to any user logging onto your Terminal Server.

Bruce Sanderson

User Configuration settings should apply to users regardless of what
computer (Terminal server or workstation) the user logs on to.

I suggest you use tools such as gpresult and the Resultant Set of Policies
feature of GPMC to verify that the GPOs in question do in fact apply to the
users you are interested in. Do the User settings get applied when the user
logon to workstations?

Filtering by Security Groups can be tricky to get right. I put users that
should have different user settings applied into different OUs and link the
GPOs accordingly. This is not always possible or practical, but is the
first choice I consider.

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question