My current client is in the process of deploying a new Windows 2003 Active Directory and a Citrix PS4 environment. Requirements for the Citrix environment are:
- They want to use mandatory profiles (if at all possible).
- They wish to use controlled start menus and desktops.
- They want to install all applications on each server.
- They want to publish the desktop to users via WYSE terminals.
- They want to control access to licensed applications.
- License controls should be done via Domain Global or Domain Local groups.
Hmm.
A well-known Citrix expert consultancy firm recommended that they use scripts to build a user's start menu and desktop based on group membership. Nasty! I like scripts but this would be a pain to own and maintain over time. I first became aware of the Citrix requirements at a progress meeting yesterday. I listened quietly and then I had what was either a brainwave or a brain fart that evolved a bit.
- A single start menu and desktop would be hosted on a DFS file share (replicated on the LAN).
- Shortcuts for all applications would be installed in the start menu (and desktop as necessary).
- Shortcuts for restricted access programs would be permissioned using a suitably named domain group.
- The program folders for the restricted programs would be secured using the same groups.
- Users logging onto the Citrix servers would get the shared start menu and desktop via redirected folders and loopback group policy processing.
- ABE (Access Based Enumeration) would be installed on the hosting machines and configured for the replica shares.
One of the guys gave this a test and it worked. A user with restricted access only downloaded the shortcuts they should have had access to. I was expecting to see loads of USERENV errors in the application log on the server but there were none. It appears to work really nicely. I’m now wondering if we need ABE in this equation. We’ll see how it goes in future testing.
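
The design only controls access if each restricted program folder is locked down as tightly as its shortcut, because a hidden shortcut does not stop a user from browsing to the executable. The following audit is an added example, not part of the original post: run on a Citrix server, it lists shortcuts that are group-restricted while their program folder is still readable by a broad group. The DFS path, the broad-group list and the "program folder = parent folder of the shortcut target" rule are assumptions.

```powershell
# Added example (not from the original post). Placeholder values are hypothetical.
param(
    [string]$StartMenuRoot = '\\example.local\dfs\CitrixStartMenu',   # hypothetical DFS share
    [string[]]$BroadGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
)

function Get-ReadIdentities([string]$Path) {
    # Identities holding an Allow ACE that includes the ReadData/ListDirectory bit.
    # ACEs expressed only as generic rights (inherit-only entries) are not counted.
    $readBit = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       (([int]$_.FileSystemRights) -band $readBit) -ne 0 } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

$shell = New-Object -ComObject WScript.Shell

Get-ChildItem -Path $StartMenuRoot -Recurse -Filter *.lnk | ForEach-Object {
    $lnkPath = $_.FullName
    $target  = $shell.CreateShortcut($lnkPath).TargetPath

    # Skip shortcuts whose target cannot be resolved on this server.
    if (-not $target -or -not (Test-Path -Path $target)) { return }

    $folder = Split-Path -Parent $target              # assumed program folder
    $lnkIds = @(Get-ReadIdentities $lnkPath)
    $dirIds = @(Get-ReadIdentities $folder)

    # "Restricted" shortcut: no broad group can read the .lnk file.
    $lnkBroad = @($lnkIds | Where-Object { $BroadGroups -contains $_ })
    # Exposed folder: a broad group can still read the program folder.
    $dirBroad = @($dirIds | Where-Object { $BroadGroups -contains $_ })

    if ($lnkBroad.Count -eq 0 -and $dirBroad.Count -gt 0) {
        New-Object PSObject -Property @{
            Shortcut       = $lnkPath
            ProgramFolder  = $folder
            ShortcutGroups = $lnkIds -join '; '
            FolderExposure = $dirBroad -join '; '
        }
    }
}
```

An empty result means every restricted shortcut found points into a folder that no broad group can read; any row returned is a program reachable without membership of its licensing group.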