In the example below I create a “lockdown” GPO to restrict user access to the Terminal or Citrix server. It uses the loopback feature of Group Policy to apply user restrictions to an individual computer.
Step 1 Create GPO
If you haven’t already, I recommend creating a dedicated OU for your Citrix or Terminal servers and linking a group policy to that.
Step 2 Set Permissions
Edit the permissions of the group policy.
Click on the advanced button to edit the permissions.
Apply the GPO to the appropriate group. In this example it’s “authenticated users”, but you can use a dedicated group if required.
The GPO must also be applied to the server. To add the server, click on the add button and select the “computers” object type.
Optional: I also like to set a “deny” permission to make sure that this GPO doesn’t apply to administrators (i.e. so you have full access to the server).
Step 3 Enable Loopback mode
Right click on the GPO and select edit.
You must enable Group Policy loopback processing mode.
Step 4 Apply Restrictions
You can now apply numerous User-level group policy restrictions. These are entirely up to you but below are some restrictions I like to implement:
- Allow only access to the printers folder in the control panel
- Lockdown the desktop
- Numerous Start Menu Restrictions
Obviously there are a lot more settings you can set. Have a look through and have a think about what’s appropriate for your environment.
You can see a summary of the settings from this screen.
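The four steps above can also be scripted with the GroupPolicy and ActiveDirectory PowerShell modules. This is an added example, not part of the original walkthrough: the GPO name, OU path, server name, administrators group and the choice of Replace mode for loopback are assumptions, and the two Step 4 restrictions are samples only.

```powershell
#Requires -Modules GroupPolicy, ActiveDirectory
# Placeholder values (assumptions, not from the article); adjust to your domain.
$GpoName    = 'Lockdown - Terminal Servers'
$TargetOu   = 'OU=Terminal Servers,DC=example,DC=com'
$ServerName = 'TS01'
$AdminGroup = 'Domain Admins'

# Step 1: create the GPO and link it to the dedicated server OU.
$gpo = New-GPO -Name $GpoName -Comment 'User lockdown via loopback processing'
New-GPLink -Guid $gpo.Id -Target $TargetOu | Out-Null

# Step 2: the GPO must apply to the users and to the server's computer account.
Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Guid $gpo.Id -TargetName $ServerName -TargetType Computer `
    -PermissionLevel GpoApply | Out-Null

# Optional: deny "Apply Group Policy" to administrators. Set-GPPermission has no
# deny level, so the deny ACE is added on the GPO's AD object directly.
$applyGpoRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'  # Apply Group Policy extended right
$gpoPath = "AD:\CN={$($gpo.Id)},CN=Policies,CN=System,$((Get-ADDomain).DistinguishedName)"
$acl  = Get-Acl -Path $gpoPath
$deny = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    (Get-ADGroup $AdminGroup).SID, 'ExtendedRight', 'Deny', $applyGpoRight)
$acl.AddAccessRule($deny)
Set-Acl -Path $gpoPath -AclObject $acl

# Step 3: enable loopback processing (a computer-side policy value).
# 1 = Merge, 2 = Replace. Replace is an assumption; the article does not say which.
Set-GPRegistryValue -Guid $gpo.Id -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# Step 4: two sample user-side restrictions (hide desktop items, remove Run).
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Guid $gpo.Id -Key $explorer -ValueName 'NoDesktop' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Guid $gpo.Id -Key $explorer -ValueName 'NoRun' -Type DWord -Value 1 | Out-Null

# Check: list who the GPO applies to and write the settings summary to a report.
Get-GPPermission -Guid $gpo.Id -All
Get-GPOReport -Guid $gpo.Id -ReportType Html -Path "$env:TEMP\lockdown-gpo.html"
```

Review the permission list before anyone logs on: the deny entry for the administrators group should be present, otherwise the lockdown applies to your own sessions on that server as well.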