Hi Stephen,

LoopBack processing should do the trick. Basically it says "Apply the policies using the user's Group membership as if he was a member of the OU that the Citrix server belongs to". You can use Merge (apply the settings the user would normally get, followed by the ones they would get if in the Citrix machine's OU) or Replace (only apply the settings the user would get if they were in the Citrix machine's OU).

I have no experience about your comment "Cross forest GPOs only work when both domains are W2K3" but if it is correct, it sounds as if the GPOs held in the User's domain would not apply. This may stop "Merge" from working, but "Replace" may still work since the GPOs are held in the Citrix domains. I would therefore try the following:-

1. Create the restrictive policy in the Citrix OU
2. Enable loopback with replace
3. Add the Administrators to the Policy and give them Deny Apply

You could try merge in Step 2 and see if it picks up their normal policies as well.

Should work. Tell us what happens.

Alan Cuthbertson
Policy Management Software:- http://www.sysprosoft.com/pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/adm_summary.shtml
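
Added example, not part of the original message: a simplified Python model of the Merge and Replace loopback modes and the Deny Apply step described in the reply above. The GPO names, settings, group names and the `user_gpos_reachable` flag (standing in for the cross-forest question raised in the thread) are constructed assumptions.

```python
# Added illustration (not from the original message): simplified model of
# which user settings apply under Group Policy loopback processing.
# GPO names, settings and group names are constructed sample data.

USER_DOMAIN_GPOS = [
    {"name": "Corp-Desktop", "deny_apply": set(),
     "user_settings": {"Wallpaper": "corp.bmp", "NoRun": False}},
]
CITRIX_OU_GPOS = [
    {"name": "Citrix-Lockdown", "deny_apply": {"Administrators"},
     "user_settings": {"NoRun": True, "NoControlPanel": True}},
]


def effective_user_settings(user_groups, mode, user_gpos=USER_DOMAIN_GPOS,
                            computer_ou_gpos=CITRIX_OU_GPOS,
                            user_gpos_reachable=True):
    """Return the user-side settings in effect at logon.

    mode: None (no loopback), "merge" or "replace".
    user_gpos_reachable: assumption flag; False models the case where the
    GPOs held in the user's own domain cannot be applied.
    """
    if mode not in (None, "merge", "replace"):
        raise ValueError("mode must be None, 'merge' or 'replace'")

    ordered = []
    # No loopback and Merge both start from the user's normal GPOs.
    if mode in (None, "merge") and user_gpos_reachable:
        ordered += user_gpos
    # Merge and Replace then apply the GPOs of the computer's OU, so on a
    # conflict the computer-OU value wins because it is processed last.
    if mode in ("merge", "replace"):
        ordered += computer_ou_gpos

    result = {}
    for gpo in ordered:
        # Deny Apply: a member of a denied group skips the whole GPO.
        if set(user_groups) & gpo["deny_apply"]:
            continue
        result.update(gpo["user_settings"])
    return result


if __name__ == "__main__":
    for who in ({"Domain Users"}, {"Domain Users", "Administrators"}):
        for mode in (None, "merge", "replace"):
            print(sorted(who), mode, effective_user_settings(who, mode))
```

In this model an administrator logging on under Replace receives no user settings from the Citrix OU at all, which is the effect of step 3.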
Re: [ActiveDir] Cross forest policies - boxes in Win2k domain, users in win2k3 single domain forest