Need Help on Difficult GPO Requirement

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

Ladies and Gentlemen,
I've been trying for the last couple of weeks in my spare time to
accomplish assigning GPOs to restrict and lock down drive access,
internet access, and other services and apply an Excel policy to set
general options and lock down other functions.

I have a single Domain (Domain1)
Multiple Global Groups in Domain1
File and print server (PFserver.domain1)
Citrix Servers Citrix1.domain1 and Citrix2.domain1 Single Published
application Excel No Desktop.

My problem is this. There is a global group (Budgets) that accesses
Citrix1 and 2.domain1 to run Excel. During the Citrix access by the
users in the Budgets group I need to highly restrict access to Drive
access, internet access through Excel, mapping network drives and
apply the Excel policy which sets items in the general tab.

What I've done so far which works like gangbusters but affects all the
desk/lap tops even when not in/accessing the Citrix app through the
Citrix Client. Caused a massive load to the call center when they
logged on and couldn't do anything on their local machine.
*******
Created an OU (CITRIXTS) Direct parent is Domain1
Created Policy (CTX-SERVERS) and Added the two citrix servers and the
Budget group as members and configured the (computer policy only)
Linked this GP to Domain1
Created Policy (CTX-Excel ) and added two citrix servers and the
Budget group. Configured the user policy here removing Drive access
through Windows Explorer and My Computer and setting the Excel portions
of the policy.
Linked to Domain1
When both were linked all hell broke loose. The Citrix servers and
Excel were just the way they were supposed to be. But the desk/lap tops
now had all the settings even when not in the Citrix Client.

My goal is to have this group of users to always have the established
domain1 policy when not in/accessing the Citrix Client and have the
full power of the GPO's applied only when using the Citrix Client to
access the Restricted Citrix Environment.

Anyone got a good idea on how to do this?
All help would be greatly appreciated.

Thanks all,
Joe Mowry
Sr. Technical Flunky
Just when the light comes on and I start to see things clearly
comes the brownout and the fuse blows.
 
Guest

Hi Joe.

Loopback processing of Group Policy is what you want to look at. What loopback
processing does is to apply user configuration for a GPO in an OU to all
users that log on to computers in that OU in either a merge or replace mode. The users
do not, and should not, reside in the OU where loopback processing is applied. Then
when users log on to computers that are not in an OU where loopback processing is
enabled, they will have normal user configuration applied to their domain user
account. See the link below for more details and how to configure. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;231287
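The loopback behaviour described in the reply above, modelled in Python as an added example that is not part of the original thread. `CITRIXTS`, `CTX-SERVERS`, `CTX-Excel` and the Budgets group come from the thread; the `Staff` OU, the `Default-User` GPO and the `hide_drives` setting label are hypothetical, and the model assumes no sites, local policy, block inheritance or enforced links.

```python
# Which GPOs supply *user* settings at logon, with and without loopback.
# Simplified model: security filtering is checked against the logged-on
# user's groups only.
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    apply_to: set                       # principals granted "Apply Group Policy"
    user_settings: dict = field(default_factory=dict)
    loopback: str = ""                  # computer-side setting: "", "merge", "replace"

@dataclass
class Container:                        # a domain or an OU
    name: str
    parent: "Container" = None
    links: list = field(default_factory=list)

def gpos_in_scope(container):
    """GPOs linked from the domain root down to `container` (domain first)."""
    chain = []
    while container is not None:
        chain.append(container)
        container = container.parent
    return [g for c in reversed(chain) for g in c.links]

def user_gpo_list(user_ou, groups, computer_ou):
    """Ordered GPOs whose user settings apply; later entries win conflicts."""
    mode = ""
    for g in gpos_in_scope(computer_ou):        # last GPO that sets loopback wins
        mode = g.loopback or mode
    by_user = [g for g in gpos_in_scope(user_ou) if g.apply_to & groups]
    by_computer = [g for g in gpos_in_scope(computer_ou) if g.apply_to & groups]
    if mode == "replace":                       # only the computer's location counts
        return by_computer
    return by_user + by_computer if mode == "merge" else by_user

def effective(gpos):
    """Fold the ordered GPO list into the resulting user settings."""
    settings = {}
    for g in gpos:
        settings.update(g.user_settings)
    return settings

def build(linked_to_domain):
    """Constructed directory: Domain1 > Staff (users, desktops) and CITRIXTS (servers)."""
    base = GPO("Default-User", {"Domain Users"}, {"hide_drives": False})  # hypothetical
    ctx_excel = GPO("CTX-Excel", {"Budgets"}, {"hide_drives": True})
    ctx_servers = GPO("CTX-SERVERS", {"Citrix1", "Citrix2"}, loopback="replace")
    domain = Container("Domain1", links=[base])
    staff = Container("Staff", domain)          # hypothetical OU
    citrix = Container("CITRIXTS", domain)
    if linked_to_domain:                        # the layout that hit every desktop
        domain.links.append(ctx_excel)
    else:                                       # loopback layout from the reply
        citrix.links += [ctx_servers, ctx_excel]
    return staff, citrix

def scenario(linked_to_domain, groups=frozenset({"Domain Users", "Budgets"})):
    """Effective user settings for one user at a desktop and on a Citrix server."""
    staff, citrix = build(linked_to_domain)
    return {"desktop": effective(user_gpo_list(staff, groups, staff)),
            "citrix": effective(user_gpo_list(staff, groups, citrix))}

if __name__ == "__main__":
    print("CTX-Excel linked to Domain1:", scenario(True))
    print("Loopback on CITRIXTS:       ", scenario(False))
```

With the GPO linked to Domain1 and filtered by group, the restriction follows the user to every machine; with the GPO linked to CITRIXTS and loopback enabled there, it follows the computer instead.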
 
Guest

Steven,
Thanks for the info. The one sentence in the linked article finally
sank in. The problem is this Windows 2000 domain is in Mixed mode.
And the loopback won't work in this case. Also, some of the computers
are/will still be quite possibly old 95 and 98. So guess I gotta try
something else. Could leave it the way it is. But don't like the idea
that the users can see the system drives.

Thanks for the help Steven,
Joe




On Tue, 10 Aug 2004 04:54:04 GMT, "Steven L Umbach"
<n9rou@n0-spam-for-me-comcast.net> wrote:

>Hi Joe.
>
>Loopback processing of Group Policy is what you want to look at. What loopback
>processing does is to apply user configuration for a GPO in an OU to all
>users that log on to computers in that OU in either a merge or replace mode. The users
>do not, and should not, reside in the OU where loopback processing is applied. Then
>when users log on to computers that are not in an OU where loopback processing is
>enabled, they will have normal user configuration applied to their domain user
>account. See the link below for more details and how to configure. --- Steve
>
>http://support.microsoft.com/default.aspx?scid=kb;en-us;231287
 

ken

Do you still have NT4 domain controllers hanging around
on the domain? If not, then you don't need to be in
mixed mode anymore, and that might solve your problem.

Ken

 
Guest

Hi Joe.

I believe that it can work in mixed mode - at least partially for users on W2K
computers. The article refers to a pure W2K environment which means that the user
account and computer account must exist on a W2K domain controller. Mixed mode means
that you can still have NT4.0 BDCs on your domain. You can have downlevel domain
members in a W2K native domain - just no NT4.0 BDC. You might also want to post in
the win2000.terminalservices newsgroup for the best way to handle W9X computer users in
your configuration. --- Steve
 
Guest

Steven, Ken,
Still SOL on this one. I still have NT4.0 (SP6) BDCs, 7 to be exact.
Plans are completed to upgrade these 7, but it's stretched out from now
till the middle of next year. If it were just the OS upgrade, could
probably do it by year end. But the hardware is at end of life too, so
plan is to do both at the same time.

You guys have been great. Thanks for all the help. I'll also post
questions in the other newsgroup.

Joe

On Tue, 10 Aug 2004 17:06:31 GMT, "Steven L Umbach"
<n9rou@n0-spam-for-me-comcast.net> wrote:

>Hi Joe.
>
>I believe that it can work in mixed mode - at least partially for users on W2K
>computers. The article refers to a pure W2K environment which means that the user
>account and computer account must exist on a W2K domain controller. Mixed mode means
>that you can still have NT4.0 BDCs on your domain. You can have downlevel domain
>members in a W2K native domain - just no NT4.0 BDC. You might also want to post in
>the win2000.terminalservices newsgroup for the best way to handle W9X computer users in
>your configuration. --- Steve