Loopback Group Policy for Terminal Server Users

In Windows 2000 Microsoft enhanced the system policy concept that already existed in Windows NT and developed Group Policy. A Group Policy object is a collection of settings assigned to a particular group of computers or users. A full discussion on GPO’s is far beyond the scope of this document and I will only focus on the specifics relevant to Microsoft Terminal Services and Citrix Metaframe users.

In my implementations I always dedicate an Organization Unit (OU) in Active Directory to my Terminal Servers or Metaframe Servers. For the sake of this article I will assume the same. Further, I will assume that you want to be able to set policies on the terminal servers, and to the users to log onto them.

Now, there are two parts to any Group Policy Object (GPO), User Configuration and Computer Configuration. If you assign a GPO to an OU, then the Computer Configuration will apply to the computer accounts under the OU, and the User configuration will apply to the user accounts under the OU.

Great you say! Oops, one little problem. Normally you have a User OU (or many user OU’s) with all your user accounts under them. How should you then configure the GPO that applies to those users? Think about it. Your users will probably want to logon to normal desktop PCs as well as to Terminal Servers or Citrix servers, and you will probably want them to have different policy settings in each environment. For example, it is reasonable for somebody to be able to shut down their desktop PC during the end of the day, but think of users shutting down your Metaframe farm! Woe, unhappiness.

The solution then? Microsoft have allowed for this and introduced the concept of Loopback Processing for User GPO’s when logging onto a server that it is applied to. Put simply, you can create a normal GPO object, apply it to your Terminal Server OU, configure up the User portion of the policy and have it apply to some or all users that log onto servers in that OU. Huzzah!

The information in this article applies to

  • Citrix Metaframe Presentation Server in an Active Directory Forest
  • Windows Terminal Servers in an Active Directory Forest
  • Windows GPO’s (Group Policy Objects)

Implementation

Personally, I usually create two, one for the Computers and one for Users. I typically name these something like CitrixServers and CitrixUsers. the goal in this example will be to have all computer configuration carried out in the CitrixServers GPO and the user configuration in the CitrixUsers GPO. Furthermore, we will configure the CitrixUsers GPO so that it does not run for administrators and lock down their administrative ability.

Run up AD Users and Computers, and create two new GPOs under your Terminal Server or Citrix Server OU; one for computers and one for users. View the properties of the user GPO and DENY Domain Admins the right to apply the policy. That way, only non-admin users will have their settings altered and locked down.

Edit and configure the server GPO. Remember to only configure the Computer Configuration Component. If you like, you can disable the User Configuration part of the GPO for faster processing.

Edit and configure the user GPO with all the user settings you want to apply. Now for the magic. In the Computer Configuration part of the policy expand Administrative Templates then System. Under the Group Policy container is a setting called User Group Policy loopback processing mode. Enable it and set the Mode to either Merge or Replace. Use Merge if you are likely to have settings from other GPO’s that you will want to inherit. Normally I would use Replace.

That’s it! That one little setting in the Computer Configuration portion of the user policy is the key. Now to lock that baby down… but that is another article entirely…