sierrapeac
MIS
I know that users can see the administrative tools and Metaframe tools from the Program Menu in a Citrix session. Is there a way to remove that from their program menu? Or is that not a good idea? Thanks... I am still new at this..
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Shaun E on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Metaframe tools and administrative Tools 1
- Thread starter sierrapeac
- Start date
- Status
-
1
- #2
CitrixEngineer
Technical User
It's not a good idea to have users seeing the tools, whether they can use them or not, IMO.
I usually edit the default desktop and start menu, and point users at it via a policy.
One of my neatest methods was to create folders named after the user groups and store these in the user profiles directory on a file server.
These folders were simply copies of a user profile. I then edited the Start Menu and desktop folders, removing applications I wanted the group to have, and adding ones peculiar to each group.
This made rolling out new applications a breeze - simply install the app to all users, then copy the shortcut to the relevant group's desktop and start menu folder.
I put lines in the policy for each group to point at this location.
I hope this is clear - post back if you need further info!
I usually edit the default desktop and start menu, and point users at it via a policy.
One of my neatest methods was to create folders named after the user groups and store these in the user profiles directory on a file server.
These folders were simply copies of a user profile. I then edited the Start Menu and desktop folders, removing applications I wanted the group to have, and adding ones peculiar to each group.
This made rolling out new applications a breeze - simply install the app to all users, then copy the shortcut to the relevant group's desktop and start menu folder.
I put lines in the policy for each group to point at this location.
I hope this is clear - post back if you need further info!
- Thread starter
- #3
sierrapeac
MIS
I know this is a dumb question but I am still learning.. How do I set up the policy?
CitrixEngineer
Technical User
You've got a test server, right?
OK, get one ;-)
Policies are really good, once you've got them working. You need to play with them to see what happens, and decide a policy strategy for your users. One misplaced click, and you can seriously annoy a whole lot of users.
In your production environment, you'll want to set up a policy that covers all your groups of MetaFrame users. This means using Poledit to edit the ntconfig.pol stored on your PDC. (%systemroot%\system32\export\scripts\repl, IF my memory serves me right - I'm working in a W2k environment today, so can't check).
In your test environment, just use the local poledit to create a new ntconfig.pol in the same location on the test server. If it's in the wrong location, it won't apply.
When you create a new policy, there will be 2 icons. 1 for Computer, and the other for User.
I would suggest ignoring these completely - NEVER update the computer policy, unless you really want to, since it affects everyone who logs on to that computer, and the user policy affects the default user template - everyone who logs in....
Click the Add Group icon, and browse for a group that you've created on the machine. I wouldn't add a Global group until you've seen the effects of applying various policies.
The biggest drawback is that you cannot print out your policies once you've created them, so you'll need to document the lot by hand - unless anyone knows different.
Test each policy addition you make. This is the time consuming bit - especially in the production environment, where you'll need to wait for replication to take place before seeing the results of your newly applied policy.
What is happening is that each click you make in poledit represents a change to the ntuser.dat for each user in that group, so if the user is logged in, they won't see the changes immediately.
Poledit.exe is typically in %systemroot%\WINNT (or WTSRV), but you should find an icon for it in Administrative Tools.
Check out for additional policy templates for locking down IE5 and other apps, and get hold of zakwinnt.adm. This Zero Admin Kit template will allow such things as hiding drives from the users.
Good luck!
OK, get one ;-)
Policies are really good, once you've got them working. You need to play with them to see what happens, and decide a policy strategy for your users. One misplaced click, and you can seriously annoy a whole lot of users.
In your production environment, you'll want to set up a policy that covers all your groups of MetaFrame users. This means using Poledit to edit the ntconfig.pol stored on your PDC. (%systemroot%\system32\export\scripts\repl, IF my memory serves me right - I'm working in a W2k environment today, so can't check).
In your test environment, just use the local poledit to create a new ntconfig.pol in the same location on the test server. If it's in the wrong location, it won't apply.
When you create a new policy, there will be 2 icons. 1 for Computer, and the other for User.
I would suggest ignoring these completely - NEVER update the computer policy, unless you really want to, since it affects everyone who logs on to that computer, and the user policy affects the default user template - everyone who logs in....
Click the Add Group icon, and browse for a group that you've created on the machine. I wouldn't add a Global group until you've seen the effects of applying various policies.
The biggest drawback is that you cannot print out your policies once you've created them, so you'll need to document the lot by hand - unless anyone knows different.
Test each policy addition you make. This is the time consuming bit - especially in the production environment, where you'll need to wait for replication to take place before seeing the results of your newly applied policy.
What is happening is that each click you make in poledit represents a change to the ntuser.dat for each user in that group, so if the user is logged in, they won't see the changes immediately.
Poledit.exe is typically in %systemroot%\WINNT (or WTSRV), but you should find an icon for it in Administrative Tools.
Check out for additional policy templates for locking down IE5 and other apps, and get hold of zakwinnt.adm. This Zero Admin Kit template will allow such things as hiding drives from the users.
Good luck!
- Status
Similar threads
- Locked
- Question