Issue with winning GPO that does not get applied


  • Hi

    Let me just begin by saying sorry if this issue has been adressed before. I've searched this forum countless times and not found a solution to my problem.

    Here's the scenario;

    We have a citrix XenApp 6.5 farm where we through ICA connections couple up thin clients with Wyse to our farm. The thin clients are connected to the an application called "Desktop". This is simply the servers desktop shared to users.
    This is installed on Win1008R2 servers, all of it

    We control the users permissions through GPO's, the standard stuff such as folder redirect, whats available for the user, etc.
    Also we control how long sessions can be disconnected before they're forcibly logged off. Printer connections, drivers etc.

    For most users our baseline policy is fine but there is one specific account that multiple users share that is problematic.
    They don't want this account to be able to use the logoff button while in the "Desktop".
    In the original baseline policy the "Add logoff to start menu" was configured as enabled. I disabled it and then moved those settings to a complimentary policy that i applied to my test account only.
    To keep it simple i called that GPO "baseline_no_logoff"

    I get this policy to be the winning policy and it actually works on a normal win7 desktop.
    It does not, however, work on the shared servers desktop application. The policy is still the winning policy, it has a "better" priority compared to the baseline. Everything looks good when running the modelling tool, results tool and running the results from the affected account itself.
    But the logoff option is still there!

    Its becoming quite infuriating :-)

    I'm not sure this matters much but eventhough our entire citrix-farm are run on 2008R2 servers our AD is only at win2003 functionality level. This is because we have an onsite DC thats 2003 server while our primary offsite DC's are 2008R2.

    Seeing as "Desktop" is simply a shared windows desktop and thoroughly controlled through GPO already i'm thinking this query belongs here rather than at a citrix forum.

    I could be wrong ofcourse, wouldn't be the first time. Still, you guys seem to be a good place to start! :-)

    I'd be extremely grateful for anything that can help and if i missed out any vital information please let me know and i'll provide whatever you need

    Best Regards,

    Monday, July 6, 2015 12:23 PM

All replies