ThinWorld Citrix Knowledgebase

Tuesday, 21 April 2009

Anonymous Group Policy Control

If you have to allow anonymous users to access your Citrix farm but still want to manage user settings with Group Policy, then the following might be of interest.

Anonymous users will not process the user portion of Group Policy (GPO) as they are not members of the domain. This will mean all the nice Group Policy settings you have under User Configuration will be in vain for these anonymous users, and they will likely get access to controls that you don't want them to have.

To work around this situation, I did the following.

Created a separate OU for servers that will deliver applications to anonymous users
I copied the standard INETRES.ADM to INETRES_CUSTOM.ADM
I then removed the entries under CLASS MACHINE, then renamed CLASS USER to CLASS MACHINE
I then added this new ADM to the GPO
Now all the usual User Configuration settings are shown under Computer Configuration and will apply to anonymous users.
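
The ADM edit described in the steps above, as a script. This is an added example, not the author's own tooling: it drops every CLASS MACHINE section and relabels CLASS USER as CLASS MACHINE, keeping the shared [strings] section. The function names and the sample ADM text are constructed for illustration, and `#if version` blocks that straddle a CLASS boundary are assumed not to occur.

```python
import re

CLASS_RE = re.compile(r"^\s*CLASS\s+(MACHINE|USER)\b", re.IGNORECASE)
STRINGS_RE = re.compile(r"^\s*\[strings\]", re.IGNORECASE)


def user_to_machine(adm_text):
    """Drop CLASS MACHINE sections and relabel CLASS USER as CLASS MACHINE."""
    out = []
    keep = True  # header lines before the first CLASS statement are kept
    for line in adm_text.splitlines(keepends=True):
        m = CLASS_RE.match(line)
        if m:
            keep = m.group(1).upper() == "USER"
            if keep:
                # Relabel in place, preserving indentation and line ending
                line = line[:m.start(1)] + "MACHINE" + line[m.end(1):]
        elif STRINGS_RE.match(line):
            keep = True  # [strings] serves every policy, so always keep it
        if keep:
            out.append(line)
    return "".join(out)


def convert_file(src, dst):
    """Convert src to dst; stays UTF-16 when the source starts with a BOM."""
    with open(src, "rb") as f:
        raw = f.read()
    # latin-1 round-trips every byte, so ANSI templates come out unchanged
    enc = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "latin-1"
    with open(dst, "wb") as f:
        f.write(user_to_machine(raw.decode(enc)).encode(enc))


# Constructed sample in ADM syntax, not taken from the real INETRES.ADM
SAMPLE = """\
; sample header
CLASS MACHINE
CATEGORY !!MachineCat
END CATEGORY
CLASS USER
CATEGORY !!UserCat
  POLICY !!HideTab
  END POLICY
END CATEGORY
[strings]
UserCat="User category"
"""

if __name__ == "__main__":
    print(user_to_machine(SAMPLE), end="")
```

Run `convert_file("INETRES.ADM", "INETRES_CUSTOM.ADM")` on a copy of the template, then review the output before adding it to the GPO.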

Note: the downside to this technique is that the policy will apply to admin accounts when they log on to a computer in that OU. I aim to get around that with a WMI filter to check for RDP connections and not apply the policy. I will report back if that works or not.

Note: I tried to simply rename the USER sections to MACHINE inside the ADM so that I would have all USER and MACHINE settings under MACHINE, but the problem is that there are a lot of duplicates and these give an error when you import the ADM template into the GPO. If you have the patience you could remove all the duplicates.