Group policy question

[gerbieIT]

Hi!

I am trying to set up a group policy for users my documents to be redirected to their home directory. I can get it to do it for any place they log into but I only want to limit it to my 2 citrix servers. Any help would be greatly apperciated!!

Thank you!

 

[porkchopexpress]

The Group Policy loopback feature might help take a look at this link it's for Terminal Services but the same principal should apply. It basicall enforces the user policy that is applied to the computers OU rather than the users.

http://support.microsoft.com/?kbid=260370

 

[ncotton]

Place the citrix servers in a seperate OU, apply your policy to the CitrixSrvOU, in the policy enable the following setting:

Computer Settings > Administrative Templates > System > Group Policy :: User Group Policy Loopback Processing = ENABLED

Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant

 

[gerbieIT]

I am not familiar with with the loopback setting in GPO's. What does it do?

Thanks again for the help!!

 

[ncotton]

Basically, a policy has two sections

Users Settings
Computer Settings

a "session" also involes a user and a computer. When you apply a policy object (containing both settings), you can link it to either a computer (OU containing computers accounts only) where only the Computer Settings will be applied. Or to a User (OU of Users) where only User Settings can be applied. Or both, so linking to an OU that contains users and computer (or in lower level OUs)...where both user and computer settings are processed....you can see this at the Domain level Default Domain Policy.

The loopback setting basically allows you to add the policy to a computer (your citrix server) and have all USER settings also processed when ANY user logs on.....that means that settings you define aren't linked to the users specifically at all, so they will not get them on their normal desktops, only when they logon to the Citrix server.

Does that make sense...I tend to ramble (hard to proof read something you have writen yourself)

Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant

 

[porkchopexpress]

It enforces the user settings that are specified in the group policy that applies to your machines so regardless what setting the users usually get on your PC's when thay logon to the citrix server they will get different settings.

e.g.

Computer OU (containing your citrix boxes)

Group Policy
- User Settings (These will override any users policies that the user would usually receive unless you have the merge setting enabled)
- Computer Settings

Give it a try on a test box.

http://technet2.microsoft.com/Windo...975f-4b2f-b771-9e6a903e97db1033.mspx?mfr=true

 

[ncotton]

PCE....you say it so simply..

Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant

 

[gerbieIT]

Very helpful, thanky you both!!

 

[porkchopexpress]

Even if it was one long rambling unpunctuated sentence

 

[gerbieIT]

ok, so I am not sure What I am doing wrong. I enabled the loopback and set it too merge (I also tried replace), and set up the MY Documents redirection pointing to the users Home directory. I applied the policy to the OU for my Citrix servers. It won't redirect? Anyone have any thoughts to why it won't execute?

Thanks in advance for any help!

 

[pgaliardo]

Event viewer have any errors as to why? Do the users have the appropriate permissions to the share? Can you describe in detail how you set up the group policy?

 

[ncotton]

Best thing to try is test it with a really simple user setting applied and check to see whether the loopback is working.

Something that is easy to spot such as

User Configuration > Adminsitrative Templates > Start Menu and Taskbar :: Remove My Documents menu from Start Menu

Then test to make sure that the user settings are being applied at all.

Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant

 

[gerbieIT]

I looked thorugh the event viewer and didn't see a thing.

For argument sacks I even applied it to the OU the user is and took the loopback off. Didn't make a difference.

I checked the permissions to the share and I even had someone double check me and the verififed.

 

[porkchopexpress]

Where are you trying to redirect the My Documents to is it a network share or a drive letter (mapped drive)?

 

[gerbieIT]

I set it to
\\%homeshare%%homepath%

It should read it from the home directory in AD.

 

[ncotton]

Eliminiate your complexity first and try it on a single test machine, not within citrix.

Also, run the Group Policy Modling Wizzard to make sure your GPO links are being going to be processed correctly.
When running the wizard, from the GPMC left pane, specify the exact single user and on an exact single machine. This will confirm that the policy will be getting applied correctly

Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant

 

[markdmac]

I have nto tested this script that I just banged out for you but belive this should do the trick.

'==========================================================================
'
' NAME: TSRedirectMyDocs.vbs
'
' AUTHOR: Mark D. MacLachlan , The Spider's Parlor
' DATE  : 8/13/2006
'
'    THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
'    ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED To
'    THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
'    PARTICULAR PURPOSE.
'
'    IN NO EVENT SHALL THE SPIDER'S PARLOR AND/OR ITS RESPECTIVE SUPPLIERS 
'    BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY
'    DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
'    WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
'    ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
'    OF THIS CODE OR INFORMATION.
'
' COMMENT: 
'
'==========================================================================
Set WSHNetwork = CreateObject("WScript.Network")
Set WSHShell = CreateObject("WScript.Shell")
UserString = WSHNetwork.Username
strComputer = WSHNetwork.Computername

Select Case strComputer
	Case "CitrixServer1"
		RedirectHome UserString
	Case "CitrixServer2"
		RedirectHome UserString
        Case Else
                wscript.quit
End Select


Function RedirectHome(UserName)
	Set objUser = GetObject("LDAP://" & SearchDistinguishedName(UserName))
	HomeSharePath = ObjUser.homeDirectory
	Path = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Personal"
	WSHShell.RegWrite path ,HomeSharepath,"REG_SZ"
End Function


Public Function SearchDistinguishedName(ByVal vSAN)
    ' Function:     SearchDistinguishedName
    ' Description:  Searches the DistinguishedName for a given SamAccountName
    ' Parameters:   ByVal vSAN - The SamAccountName to search
    ' Returns:      The DistinguishedName Name
    Dim oRootDSE, oConnection, oCommand, oRecordSet

    Set oRootDSE = GetObject("LDAP://rootDSE")
    Set oConnection = CreateObject("ADODB.Connection")
    oConnection.Open "Provider=ADsDSOObject;"
    Set oCommand = CreateObject("ADODB.Command")
    oCommand.ActiveConnection = oConnection
    oCommand.CommandText = "<LDAP://" & oRootDSE.get("defaultNamingContext") & _
        ">;(&(objectCategory=User)(samAccountName=" & vSAN & "));distinguishedName;subtree"
    Set oRecordSet = oCommand.Execute
    On Error Resume Next
    SearchDistinguishedName = oRecordSet.Fields("DistinguishedName")
    On Error GoTo 0
    oConnection.Close
    Set oRecordSet = Nothing
    Set oCommand = Nothing
    Set oConnection = Nothing
    Set oRootDSE = Nothing
End Function

Add this script as a login script on the domain and apply to all TS/Citrix users. Edit the two Citrix server names to match your server names in the Select Case statement.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript