My Virtual Vision

Because one of our customers was planning to use the Citrix Desktop Appliance Lock, we needed to publish a Citrix desktop and start RES Workspace Manager after the launch of the desktop. While Microsoft has GPO’s for running a program after logging in, Citrix prohibits this.

Upon installation, Citrix adds tabs to the RDP-TCP Listener Properties in the Terminal Services Configuration. By default, the Environment tab has the “Run initial program specified by user profile and Remote Desktop Connection or Terminal Services client” radio button selected. Also, the Citrix Settings tab has “Only allow administrators to create desktop connections” selected.

When leaving this setting default you will get an error message when logging in:

“To log on to this remote computer, you must have Terminal Server User Access permissions on this computer. By default, members of the Remote Desktop Users group have these permissions. If you are not a member of the Remote Desktop Users group or another group that has these permissions, or if the Remote Desktop User group does not have these permissions, you must be granted these permissions manually.”

To correct this you can manually clear the “Only allow administrators to create desktop connections” check box like stated in CTX109925 but you can also create a custom ADM template to clear this check box. The key that’s used for this is:

HKLM\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\ICA-tcp\fDisableExe

Where 0 is cleared and 1 is checked.

To create a custom ADM file I used the following PDF, the ADM template contained the following information:

;Configure The only allow admins to create desktop connections settings.
CLASS Machine

CATEGORY “Server Based Computing”
CATEGORY “Citrix Presentation Server”
CATEGORY ICA

KEYNAME “SYSTEM\ControlSet001\Control\Terminal Server\WinStations\ICA-tcp”
POLICY !!fDisableExe
EXPLAIN !!ExplainWords
PART “Disable the only allow admins to create desktop connections settings?” TEXT
END PART
PART “Clear the ‘Only allow administrators to create desktop connections’ check box?”
CHECKBOX
VALUENAME “fDisableExe”
VALUEON NUMERIC 0
VALUEOFF NUMERIC 1
END PART
END POLICY

END CATEGORY
END CATEGORY
END CATEGORY

[strings]
fDisableExe=”Allows published desktops for users”
ExplainWords=”This policy enables/disables published desktops with autostart programs for users”

I’ve applied this policy to my Windows 2003 w/ XenApp 5 farm and the check box is cleared and I can start a Citrix published desktop (while using the Desktop Appliance Lock) and start RES Workspace Manager after the desktop launch.  This way I can have the best of both worlds!

I denied the GPO on the Administrator accounts so when somebody with an administrator accounts connects via this Citrix Desktop they won’t get this policy and thus Workspace manager won’t get started.

If you’re using XenApp 6 you can use the following policies:

• ICA\Desktop launches : “Allows or prevents non-administrative users to connect to a desktop session on the server.
  When allowed, non-administrative users can connect. By default, non-administrative users cannot connect to desktop sessions.”
• ICA\Launching of non-published programs during client connection : “Specifies whether to launch initial applications or published applications on the server. By default, only published applications are allowed to launch.”

Your policies should look like the following image: