factorybrazerzkidai.blogg.se - Loopback processing gpo

Minimize the Use of the Block Policy Inheritance Feature.

Minimize the Number of Group Policy Objects Associated with Users or Computers.

Functional versus Geographical OU Structure.

Separate Users and Computers into Different OUs.

Note that this ensures the Computer settings have a higher precedence that the User GPO settings.

The list of Computer GPO settings is added to the end of the User GPO settings.

The GetGPOList function is then called once more with reference to the Computers location in AD.

When a User logs on to a Citrix Published Application or Desktop, for example, the GetGPOList function gathers a list of all the Users GPO settings.

However in the interests of completeness Loopback Policy with Merge functions as follows: Within a Citrix environment context my experience is that this configuration is rarely if ever used.

Finally the Loopback policy with Replace can be linked to an OU higher than the actual OU that contains the XA Server objects.

User GPO settings need to be in a GPO that is targeted at a specific Computer set, which in this case is the XA Servers.

It is noted that there are no User objects in the India XA Server OU and that using Loopback with Replace does apply a controlled set of User GPO settings.

The Loopback policy only needs to be configured once in one GPO.

All the User GPO settings that are also jointly configured in these Computer targeted GPOs are also gathered and applied.

Consequently the GPO settings configured in both will be applied to the Users login experience. One is directly linked and the other is inherited by the XA Servers. In the above example the GPOs CTX_Loopback_Replace_Computer_Setting and CTX_India_User_Computer_settings are targeted at the XA Servers in the India OU context. These GPO settings can be directly linked or inherited.

The GPO engine gathers all the GPOs that are applied specifically to the XA Server in the India OU context where the User is logging into.

When Users login to a Citrix Published Application or Desktop, for example, the Loopback setting configured with Replace apply GPO settings as follows:

This is by far the most overwhelmingly used Loopback policy configuration setting when it comes to Citrix environments. Note that no Loopback policy settings are specifically configured in these particular linked GPO. The GPO’s linked at the respective XA Server OU levels have both Computer and User settings configured. This GPO also coincidentally contains other more general GPO Computer settings.

The Active Directory OU structure is organised as follows:Īs implied in the image the GPO CTX_Loopback_Replace_Computer_Setting has the Loopback Policy with Replace setting configured. When Enabled it can be configured in either Replace or Merge modes.Ī company has offices in London and India and delivers Published Applications and Desktops from both locations with the implementation of Citrix XenApp 7.x. The controlling Loopback setting Configure user Group Policy loopback processing mode is located at Computer Configuration \ Administrative Templates \ System \ Group Policy and can be configured with the use of the Group Policy Management Console (MMC). To more precisely control which GPO settings get applied when the User logs in to a XA Server Published Application or Desktop, Loopback with Replace is most commonly configured. In this case a Loopback GPO setting is more commonly configured to manage the precise application of User and Computer GPO settings when Users login to a Citrix Hosted Shared or VDI Published resource. This is the specific case of the placement of Citrix XA Server OUs where they contain XA Servers only but and do not normally contain User objects.

There are situations where GPOs need to be applied based entirely on the Computer object that the User is logging into and where the User object is in a separate OU. So for example if a target OU holds only User objects then User inherited GPO settings will only be applied accordingly. In general GPOs are only applied directly to Computer and User objects where they reside in their respective AD OUs. So for clarity and hopefully to stimulate a bit of debate what follows is my rendition on this seemingly complex topic.įor illustrative and clarity reasons I have elected to present the finer implementation points of this subject in a specifically developed worked example format. Experience has lead me to believe that Microsoft Active Directory Loopback GPO processing as applied to Citrix environments is one of those areas that is not always entirely understood when implemented.