0

The title might not do my issue any justice, so here goes;

Anytime a new user opens an Excel instance, a small dialog pops up asking them to accept the licensing and update terms:

enter image description here

The user's first instinct is to click the X button on this dialog, however this closes the whole Excel instance. Excel and some client software are hosted on a Windows Virtual Machine, and the users connect to it through Citrix VDA. Clicking the X button on the "Opt-In" wizard just closes the whole excel instance. So, to alleviate this, I've found the Office 16/19 ADML/ADMX files.

After loading these into my Domain Controller, I was able to set a policy that Disables this Opt-In Wizard on First Run:

enter image description here

However, machines that have this policy applied just refuse to pull it through GPO. I've tried gpupdate, gpupdate /force, logging off, rebooting the machine, to no avail.

This is User Setting, however when I run gpresult /r on the target servers, I do not see it applying.

enter image description here

It does seem to apply to the core Citrix machine that holds Citrix Studio and Director and such, but Excel is not installed on this machine.

I can't for the life of me figure out why the machines won't pull that policy, as they pull pretty much everything else with no problems. Am I missing something with these Office ADMX files?

EDIT: This might now be out of the original scope of the question, but it seems that Citrix host machines are not even getting our All Servers Policy, every Citrix Host machine shows that same "Local Group Policy" under User Settings. It seems they're just.. not pulling anything? Am I looking too closely at this, when there might be a broader issue?

nightsurfer
  • 101
  • 4
  • Maybe it's worthwhile to check the output of gpresult and update your question with it? – vic May 28 '19 at 19:43
  • Ah of course, my bad @vic, updating now – nightsurfer May 28 '19 at 19:46
  • You mention Citrix. Is Excel being run on a remote desktop server? If so, do the GP settings affect *that* computer? – I say Reinstate Monica May 28 '19 at 19:54
  • @TwistyImpersonator The setup is a little strange, an Azure virtual machine hosts Excel and client software, and the client connects to it through Citrix. My wording was a little off, I will amend the question. I will also see about applying the policy to a machine not running Citrix though. – nightsurfer May 28 '19 at 19:59
  • Confirming the policy does not seem to apply to machines not running Citrix. – nightsurfer May 28 '19 at 20:06
  • Are the settings in the GPO computer settings or user settings? Where is the GPO linked? Are you using Security Filtering on the GPO? – joeqwerty May 28 '19 at 23:09
  • @joeqwerty So, the GPO is a User Setting, I've updated my post with a screenshot. I realize I was limiting my gpreuslt scope to COMPUTER, while this GPO is User Settings. The GPO is linked from the primary DC to the machines that need it, and no, I am not using Security Filtering. I am adding a comment to Twisty's answer that might clarify a bit. – nightsurfer May 29 '19 at 14:30
  • Ohho @joeqwerty I added each of the client Citrix groups as part of the security filtering to the Excel Fixes policy, and it now seems to be pulling the policy proper! I can't imagine why that's fixed it, but make it an answer and I'll give you the credit. – nightsurfer May 29 '19 at 14:55

1 Answers1

0

Group policy settings must be applied to the computer where Excel is executed. In the case of a client workstation running Excel on a remote server, such as a Citrix server, group policy must be applied to that remote server, not the workstation initiating the remote connection.

Once you get group policy to apply to that remote server your setting will have the intended effect.

I say Reinstate Monica
  • 3,100
  • 7
  • 23
  • 51
  • While you are correct, I should still see the actual policy (in this case titled Citrix - Excel Fixes) applied when I type gpresult /r, no? – nightsurfer May 28 '19 at 21:38
  • Not necessarily. That command will only show the policy settings if the policy has been applied to the correct machine *and* you run it from the correct machine. – I say Reinstate Monica May 28 '19 at 22:39
  • Alright, so now that I've applied the Citrix Excel Fixes policy to the Citrix host server, I do see it under `Applied Group Policy Objects` under User Settings after running a `gpresult /r`. However, I'm still confused: Excel is not installed on the Citrix core server, rather on the individual VMs that talk back to the core. I'll test it out, but still seems odd. EDIT: Tested, and modified the original post. This didn't work. – nightsurfer May 29 '19 at 14:31
  • Oh dear. It seems your original post didn't fully describe your environment. I won't update my answer until we're sure we're on the same page. This is a USER group policy setting. It needs to apply to the AD user objects for the users logging into the individual VMs. You need to apply the GPO with this setting to the OU that contains the user objects. – I say Reinstate Monica May 29 '19 at 14:37
  • Sorry for the confusion, original post is modified now, hopefully that's got some more detail. Thank you for your help, and your patience so far. This stuff is never easy... – nightsurfer May 29 '19 at 14:38
  • Joeqwerty's question about Security Filtering led me to add change the scope to include all Citrix user groups that we have, and now the policy seems to be pulling proper. Thanks for all your help though! – nightsurfer May 29 '19 at 14:56
  • 1
    If you had to *add* that security group to the GPO's security filtering, then you have non-standard settings in place. By default, GPOs grant Read and Apply Policy permissions to the Authenticated Users group, which by default includes your Citrix users. – I say Reinstate Monica May 29 '19 at 16:03