Create a lockdown GPO for a Terminal or Citrix Server

In the below example I am creating a “lockdown” GPO to restrict user access to the Terminal or Citrix server. This uses the loopback feature of group policy to apply user restrictions to an individual computer.

Step 1 – Create GPO

If you haven’t already I recommend creating a dedicated OU for your Citrix or Terminal servers and linking a group policy to that.

Step 2 – Set Permissions

Edit the permissions of the group policy

Click on the advanced button to edit the permissions.

Apply the GPO to the appropriate group. In this example its “authenticated users” but you can use a dedicated group if required.

The GPO must also be applied to the server. To add the server click on the add button and select the “computers” object type.

Optional – I also like to set a “deny” permission to make sure that this GPO doesn’t apply to administrators (i.e. so you have full access to the server).

Step 3 – Enable Loopback mode

Right click on the GPO and select edit.

You must enable Group Policy loopback processing mode

Step 4 – Apply Restrictions

You can now apply numerous User-level group policy restrictions. These are entirely up to you but below are some restrictions I like to implement:

  1. Allow only access to the printers folder in the control panel

  1. Lockdown the desktop

  1. Numerous Start Menu Restrictions

Obviously there are a lot more settings you can set. Have a look through and have a think what’s appropriate for your environment.


You can see a summary of the settings from this screen.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.