Windows 2008 Policy Settings for a Citrix Server

Lately I have been setting up a few Citrix XenApp Servers using Windows 2008 R2. I was surprised to learn that some of the things I took for granted in 2003 policy are not available in 2008 R2 and I needed to either create registry hacks or file policies. So I thought I would take some time to document some of these setup procedures.

Windows Explorer

In the left-hand pane of Windows Explorer I wanted to remove the Favorites, Libraries and Network folders. To do this you first need to navigate to the ShellFolder keys below and grant Full permissions to the Administrators group. You will then be able to change the Attributes DWORD to the values below.

Favorites:

HKEY_CLASSES_ROOT\CLSID\{323CA680-C24D-4099-B94D-446DD2D7249E}\ShellFolder

Set Full Permissions to Administrators on the ShellFolder

Change Attributes DWORD value:

  • Original: a0900100
  • New Value: a9400100

Libraries:

HKEY_CLASSES_ROOT\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\ShellFolder

Set Full Permissions to Administrators on the ShellFolder

Change Attributes DWORD value:

  • Original: b080010d
  • New Value: b090010d

Network:

HKEY_CLASSES_ROOT\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\ShellFolder

Set Full Permissions to Administrators on the ShellFolder

Change Attributes DWORD value:

  • Original: b0040064
  • New Value: b0940064

Administrative Tools

To remove access to Administrative Tools I added the following registry settings to my Citrix Group Policy under:

User Configuration → Preferences → Windows Settings → Registry (Right-click, New, Registry Item)

Start Menu Administrative Tools:

  • General
  • Action: Replace
  • Hive: HKEY_CURRENT_USER
  • Key Path: Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  • Value Name: StartMenuAdminTools
  • Value Type: REG_DWORD
  • Value Data: 00000000
  • Base: Hexadecimal
  • Common
  • (Select) Run in logged-on user’s security context (user policy option)

Start Menu Administrative Tools (Root level):

  • General
  • Action: Replace
  • Hive: HKEY_CURRENT_USER
  • Key Path: Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  • Value Name: Start_AdminToolsRoot
  • Value Type: REG_DWORD
  • Value Data: 00000000
  • Base: Hexadecimal
  • Common
  • (Select) Run in logged-on user’s security context (user policy option)
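To confirm that the registry values from the Windows Explorer and Administrative Tools sections above actually landed on a server, a read-only check like the following can be run in the session of the user being tested. This is an added example, not part of the original post; the function name `Test-RegistryDword` and the result labels are made up for illustration, and it is written to run on the PowerShell 2.0 that ships with Windows 2008 R2.

```powershell
# Added example (not from the original post). Read-only: nothing is modified.
# Key paths and expected data are the ones listed in the post above.
$clsid    = 'Registry::HKEY_CLASSES_ROOT\CLSID'
$advanced = 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

$checks = @(
    @{ Setting = 'Favorites';                Path = "$clsid\{323CA680-C24D-4099-B94D-446DD2D7249E}\ShellFolder"; ValueName = 'Attributes';           Expected = 'a9400100' },
    @{ Setting = 'Libraries';                Path = "$clsid\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\ShellFolder"; ValueName = 'Attributes';           Expected = 'b090010d' },
    @{ Setting = 'Network';                  Path = "$clsid\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\ShellFolder"; ValueName = 'Attributes';           Expected = 'b0940064' },
    @{ Setting = 'Admin Tools (Start Menu)'; Path = $advanced;                                                   ValueName = 'StartMenuAdminTools';  Expected = '00000000' },
    @{ Setting = 'Admin Tools (root level)'; Path = $advanced;                                                   ValueName = 'Start_AdminToolsRoot'; Expected = '00000000' }
)

# Hypothetical helper: compares one registry DWORD with the value from the post.
function Test-RegistryDword {
    param([hashtable]$Check)

    $name   = $Check.ValueName
    $actual = $null
    $status = 'MISSING'   # key or value not present for this user/machine

    # -LiteralPath keeps the braces in the CLSID from being read as wildcards.
    $item = Get-ItemProperty -LiteralPath $Check.Path -Name $name -ErrorAction SilentlyContinue
    if ($item -ne $null) {
        # REG_DWORD is returned as a signed Int32, so data with the high bit set
        # (a9400100, b090010d, b0940064) shows up negative. 'x8' prints the raw
        # 32 bits as hex, which can be compared with the post's values directly.
        $actual = '{0:x8}' -f $item.$name
        if ($actual -eq $Check.Expected) { $status = 'OK' } else { $status = 'MISMATCH' }
    }

    New-Object PSObject -Property @{
        Setting  = $Check.Setting
        Expected = $Check.Expected
        Actual   = $actual
        Status   = $status
    }
}

$checks | ForEach-Object { Test-RegistryDword $_ } |
    Select-Object Setting, Expected, Actual, Status |
    Format-Table -AutoSize
```

The two HKEY_CURRENT_USER rows reflect the account running the script, so run it as a normal Citrix user rather than as an administrator to see what the Group Policy preference item actually applied.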

Server Manager and PowerShell

When a user profile is created, it creates links to PowerShell and Server Manager and places them in the Quicktray. To remove this functionality we are going to deny normal users permission to these files. Note that this removes the shortcuts only; it does not restrict the underlying executables.

Computer Configuration → Policies → Windows Settings → Security Settings → File System (Right click, Add File)

Windows PowerShell

  • Select the path below (you may need to show hidden files in your explorer preferences)
  • Remove Users from the security settings
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell

Server Manager

  • Select the path below (you may need to show hidden files in your explorer preferences)
  • Remove Users from the security settings
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Server Manager

2 comments

  1. Thanks for posting. I just tried on Windows 2008 R2 SP1 and it didn’t work. Do you know if the values are different for SP1?

    Thanks,
    K
