You definitely want a separate OU to put your Citrix servers in.
Then you need to link any computer policies to this OU to keep them well away from the other machines, servers, desktops, as you are likely to need some radically different settings.
Your user policies may also need to differ from the normal policies for desktop use by the same set of users, so you can't just link them to the user OUs.
So instead you link them to the OU of servers and use loopback processing with merge (maybe replace, but probably merge makes more sense) so that users get these settings when and only when logging onto a Citrix server. Use security filtering so these don't apply to admin accounts (if that's something you would want to do).
I would tend to keep these in separate policies, and disable the half which is not used.
This means you could (if you need to) un-link each one separately if you need to for troubleshooting, as things can get a bit strange with a TS or Citrix environment, loopback policies and related joys.
Disabling the unused half will make sure that any incorrect entries there are ignored anyway.
You might want to split the policies down further to mirror ones you use for the non-Citrix environment. In particular I tend to keep applications (especially Office) separate from "user environment" (e.g. IE, profiles, scripts) and security stuff.
This is partly for clarity, but also I find that the people who know what is needed to customise the user experience in Office to help them get their jobs done efficiently may not be the same person who knows why the firewall needs a particular exception so your antivirus updates work. Of course, you might be both these people!


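One way to script the layout described in the post above with the GroupPolicy PowerShell module, as an added example that is not part of the original post. The OU path, GPO names and the "Citrix Users" group are hypothetical, and filtering on an include group that contains no admin accounts is an assumed way of keeping the user policy off admins.

```powershell
# Added example. OU path, GPO names and group name are hypothetical placeholders.
Import-Module GroupPolicy

$ServerOU    = 'OU=Citrix Servers,DC=example,DC=com'  # assumed OU holding only the Citrix servers
$ComputerGpo = 'Citrix - Computer Settings'           # assumed name
$UserGpo     = 'Citrix - User Settings (Loopback)'    # assumed name
$CitrixUsers = 'Citrix Users'                         # assumed group; admin accounts are not members

# 1. Computer-side GPO. The user half is disabled so stray user entries are ignored.
$c = New-GPO -Name $ComputerGpo
$c.GpoStatus = 'UserSettingsDisabled'

# Loopback processing is a computer setting: UserPolicyMode 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $ComputerGpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# 2. User-side GPO. The computer half is disabled for the same reason.
$u = New-GPO -Name $UserGpo
$u.GpoStatus = 'ComputerSettingsDisabled'

# 3. Security filtering on the user GPO: only the Citrix user group applies it.
#    Authenticated Users is lowered to Read (not removed) so the GPO can still be read
#    during processing; -Replace is needed to lower an existing permission level.
Set-GPPermission -Name $UserGpo -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $UserGpo -TargetName $CitrixUsers -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 4. Link both GPOs to the server OU only, as two separate links so that either
#    one can be disabled on its own while troubleshooting.
New-GPLink -Name $ComputerGpo -Target $ServerOU -LinkEnabled Yes | Out-Null
New-GPLink -Name $UserGpo     -Target $ServerOU -LinkEnabled Yes | Out-Null

# 5. Review the result: which half is disabled, what is linked, who can apply.
foreach ($name in $ComputerGpo, $UserGpo) {
    Get-GPO -Name $name | Select-Object DisplayName, GpoStatus
}
(Get-GPInheritance -Target $ServerOU).GpoLinks |
    Select-Object DisplayName, Enabled, Order
Get-GPPermission -Name $UserGpo -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# Troubleshooting: take one policy out of play without touching the other.
# Set-GPLink -Name $UserGpo -Target $ServerOU -LinkEnabled No
```

Running `gpresult /r` in a user session on one of the servers then shows whether the loopback user GPO was applied or filtered out for that account.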