Automation & Troubleshooting of Citrix Group Policy

for XenApp & XenDesktop 7.x

Architecture using Windows PowerShell

Peter Brown
Senior Escalation Engineer
May 2015

v2 March © 2015 Citrix

Agenda
Citrix Group Policy Architecture
Recommended Practices
Troubleshooting Tools
Citrix Group Policy PowerShell Module
Managing with PowerShell
Troubleshooting with PowerShell

© 2015 Citrix
Citrix Group Policy Architecture
Overview of Citrix Group Policy and Components

© 2015 Citrix | Confidential

Terminology

Local Group Policies

Citrix Site Policies
Active Directory Policies

© 2015 Citrix
Processing & Precedence of RSOP

CDM = Enabled Active Directory OU GPO

RSOP will have Active Directory Domain GPO

Precedence
Active Directory Site GPO

Citrix Site Policies

CDM = Disabled Local Policies

© 2015 Citrix
Policy Filters / Object Assignments

Allows granular control of Citrix policies

Filters policy settings based on certain
criteria
Different options based on the policy
type
Can’t be applied to the default Unfiltered
policy
© 2015 Citrix
Unfiltered Policy & Templates

Default Unfiltered policy (no settings)

Applies to all objects
Can be disabled if not needed
(Set to lowest priority)
Pre-configured policy templates
Created for various criteria
Policies created can be saved as templates

© 2015 Citrix
Citrix Group Policy Client Side Extension

Also referred to as Citrix CSE (CitrixCseClient.dll)

Loaded via Microsoft Winlogon process
Generates policy requests (Computer/User)
Retrieves values to determine policy filter calculation
Forwards policy requests to Citrix Caching Service

© 2015 Citrix
Citrix Group Policy Caching Service

Citrix Group Policy Engine service (CitrixCseEngine), part of

Citrix CSE
Performs the Citrix policy calculation and writes settings to
the registry
Caches Group Policy files between calculations

© 2015 Citrix
Citrix Group Policy Data Files

Per-Computer and Per-User resultant Citrix policy settings

end up in separate RSOP.gpf files
Each RSOP.gpf file is used to create policy registry settings under:

Per-Computer → HKLM\Software\Policies\Citrix
Per-User → HKLM\Software\Policies\Citrix\<SessionID>\User

© 2015 Citrix
Citrix Group Policy Update Intervals

For Citrix Site policies setup via Studio:

Policies for Computer and Users (logged in) refresh every 90 minutes

For Citrix Policies set via AD GPO:

Leverage AD refresh interval (default is 90 minutes +\- a random offset of 0-30 minutes)
Refresh interval can be customized & set via AD GPO

For either method:

Computer Policies update at machine startup
User Policies update during a reconnect to an active or disconnected session
Policies can be updated manually by running: gpupdate /force

© 2015 Citrix
User Policy Application (Similar for Computer Startup)
Client Side
WinLogon
Extensions
Resultant
Resultant
Policy
Policy
AD
AD
GPO
GPO RSOP.GPF
RSOP.GPF

Microsoft
Citrix CSE
Precedence CSE
Site
Site
GPO
GPO
Citrix CSE
Local
Local
server
server
Order Registry
Registry

Local
Local HKLM\Software\Polices\Citrix\ (For Server)
GPO
GPO -or-
HKLM\Software\Polices\Citrix\<SessionID>\User

© 2015 Citrix
Citrix Group Policy Management Console

Citrix GPMC - A connector into the Microsoft GPMC

(CitrixGPMCConnector.dll)
Management of Citrix group policies through Studio or GPMC
Allows for Citrix policy modeling/comparison
Can be installed separately for standalone use

© 2015 Citrix
Citrix Group Policy Management - Studio vs. PowerShell

Studio
Single Policy Node
Object assignments shown
depend on policies settings
configured

PowerShell & AD GPOs

Divided into Computer &
User policy types

© 2015 Citrix
Recommended Practices - Tips
Based on Citrix Support cases

15

© 2015 Citrix | Confidential

Policy Architecture

Using both Site and AD policies may cause confusion

when troubleshooting issues
Use one location or the other depending upon requirements

WMI filters on AD GPO’s containing Citrix policies may

cause issues during reconnects (due to WMI/AD
timeouts)
Use WMI filters sparingly
Possible mitigation: DisableGPCalculation setting

© 2015 Citrix
Policy Documentation

For Site applied policies:

Written document\spreadsheet

For Active Directory applied policies:

Use the GPMC Save Report option on your AD GPO

For either of the above:

CtxCseUtil – RSOP reporting tool
Export using Citrix Group Policy PowerShell module

© 2015 Citrix
What Not To Do!

To prevent Citrix Group Policy consistency issues, don’t

manually manipulate/remove any of the Citrix Group Policy
data on your own
This includes files/folders or reg entries under:
%PROGRAMDATA%\Citrix\GroupPolicy\<SessionID>
%PROGRAMDATA%\Citrix\GroupPolicy
HKLM\Software\Policies\Citrix\<SessionID>
HKLM\Software\Policies\Citrix

Only under the direction of Citrix Technical Support

© 2015 Citrix
Troubleshooting Citrix Group Policy

© 2015 Citrix | Confidential

Recommended Approach

Know your Baseline\Collect the Details

Determine Versions
Policy Cache
GPF Files
RSOP Registry Settings

© 2015 Citrix
Baseline and Collect Details – The Four W’s

Make sure you can answer the following:

Who is seeing the issue?
What issue are they seeing?

Chicago

Miami Tokyo
© 2015 Citrix
Baseline and Collect Details – The Four W’s

Make sure you can answer the following:

Who is seeing the issue?
What issue are they seeing?
When are they seeing the issue? New Session?
Where are they seeing the issue?
Reconnecting?
Smooth Roaming?
All of the Above?
© 2015 Citrix
Determine Component Versions

Controller
What version of the components
am I running??

VDA

© 2015 Citrix
Determine Component Versions – CSE

Look in the component directory on VDA

Check
CitrixCseEngine.exe

© 2015 Citrix
Determine Component Versions - GPMC

© 2015 Citrix
Product Versions - Reference

XA / XD Version Citrix GPMC Citrix CSE

7.1 2.1 2.1

7.5 2.2 2.2

7.6 2.4 2.4

© 2015 Citrix
RSOP Registry Settings – Per Computer
HKLM\Software\Policies\Citrix

© 2015 Citrix
RSOP Registry Settings – Per User & Connection Information
HKLM\Software\Policies\Citrix\<SessionID>

© 2015 Citrix
Additional Troubleshooting Tools - CtxCseUtil

Creates resultant set of policies report containing user settings, computer or

both
Converts RSOP.gpf to HTML report
Can be run locally or remotely against a server VDA or desktop VDA
End user has to have logged in at some point
End user doesn’t have to be actively logged in
Report created in folder with CTXCseUtil.exe and named
CitrixRsopResult.html

© 2015 Citrix
CDFControl

© 2015 Citrix
© 2015 Citrix
Citrix Group Policy PowerShell
Module

© 2015 Citrix | Confidential

Overview

Module containing cmdlets for Citrix Policies

Must be imported to be used
Included in Scout
Included on Controllers
Can be installed separately

© 2015 Citrix
Importing the PowerShell Module

© 2015 Citrix
Importing the PowerShell Module

© 2015 Citrix
PowerShell Drive (PSDrive)

Defined: A mapping between a PowerShell provider

and resource

© 2015 Citrix
 PSDrive Mappings

New-PSDrive –name Site –psprovider CitrixGroupPolicy –root \ -controller LocalHost

© 2015 Citrix
Managing Citrix Group Policy with
PowerShell

© 2015 Citrix | Confidential

Recommendations

Perspective
Single Pane for Policies in Studio
PowerShell or AD GPO still have
Computer & User types

Be consistent in your management approach

Back up your policies prior to making any changes

© 2015 Citrix
Policy Merging

MergedPriority
property

© 2015 Citrix
 Creating Policies from Templates

Get-CtxGroupPolicy –policyname “Hi-Def Experience” –drivename Site

© 2015 Citrix
Exporting / Importing Policies

© 2015 Citrix
Exporting / Importing Policies

Copy the exported policy files to the target Controller

Alternative Options

© 2015 Citrix
Changing Policy Locations

Export the policies from the Site

Map a PSDrive to the Active Directory GPO
New-PSDrive -Name <DomainGPODrv> -PSProvider CitrixGroupPolicy -Root \
-DomainGPO <DomainGPO>
Note: The target GPO must already exist in the Active Directory domain
Note: Replace <DomainGPODrv> with the name of the new PSDrive being created
and replace <DomainGPO> with the display name of the Active Directory GPO
Import-CtxGroupPolicy <PathToExportFolder> -DriveName <DomainGPODrv>
See CTX140039 for the details

© 2015 Citrix
Changing Policies with PowerShell

Back up your policies prior to any manipulation of them

Multiple methods
Set-CTXGroupPolicyConfiguration

Browse into the Policy path & set the property you want to change

© 2015 Citrix
Changing Policies with PowerShell

Set-ItemProperty ‘.\User\HiDef Policy\Settings\ICA\ReadonlyClipboard ‘

-Name State –Value “Enabled”

© 2015 Citrix
Troubleshooting Citrix Group Policy
with PowerShell

© 2015 Citrix | Confidential

Reviewing What Policy Settings Are Configured

Use Get-CtxGroupPolicy cmdlet to list the policies

– Shows both User & Computer policy types

Use Get-CtxGroupPolicyConfiguration to list the properties

– Use the –ConfiguredOnly switch

© 2015 Citrix
Setting The Unfiltered Policy To Be First or Last
Back up your policies prior to any manipulation of them
• To set Unfiltered policy to the highest priority:
– Set-CtxGroupPolicy –DriveName Farm –PolicyName Unfiltered –Type Computer –Priority 1
– Set-CtxGroupPolicy –DriveName Farm –PolicyName Unfiltered –Type User –Priority 1

• To set Unfiltered policy to the lowest priority:

– Use the Count property of the list of policies of the specific types
– Set-CtxGroupPolicy –DriveName Farm –PolicyName Unfiltered –Type Computer –Priority
(Get-CtxGroupPolicy –DriveName Farm –Type Computer).count
– Set-CtxGroupPolicy –DriveName Farm –PolicyName Unfiltered –Type User –Priority (Get-
CtxGroupPolicy –DriveName Farm –Type User).count

© 2015 Citrix
Getting LastUpdate & Connection Information For A Session

© 2015 Citrix
In Review

Citrix Group Policy Architecture

Recommended Practices
Troubleshooting Tools
Citrix Group Policy PowerShell Module
Managing & Troubleshooting Citrix GPO via PowerShell

© 2015 Citrix
Questions?

© 2015 Citrix
Before you leave…

• Recommend related breakout session

– SYN411: Successfully Migrating your farm to XenApp 7.6

• Conference Surveys are available online at www.citrixsynergy.com starting

Thursday, May 14 at 9:00 a.m.
– Those who provide feedback by 6pm, Friday, May 15th will receive:
– $20 Amazon e-gift card
– Name entered in a drawing for a free Trip to Synergy 2016 (5 chances)

Download presentations starting Monday May, 18th from the My Event Planning
tool

© 2015 Citrix
Resources
Links related to Citrix Group Policy

54

© 2015 Citrix | Confidential

Resources
Citrix Documentation Links

• Citrix Product Documentation Site (eDocs)

• PowerShell cmdlet help
– Migrate from XA 6.x -> XA/XD 7.x
– Policy settings not imported

• Synergy 2014
– SYN406 – Citrix Group Policy Troubleshooting for XenApp & XenDesktop

© 2015 Citrix
References

• CTX128625 - How to Import and Export Policies in XenApp 6.x

• CTX138533 - Citrix Policy Reporter - RSOP CtxCseUtil Tool

• CTX130147 – Citrix Scout

• CTX111961 – CDFControl

• CTX138509 – Merging of User and Computer Policies in

XenDesktop

• CTX200234 - Error: "Changes made to policies outside of this

console, such as in PowerShell..."

• MS TechNet Blog – Enabling Group Policy Logging using RSAT

© 2015 Citrix
 Work better. Live better.

© 2015 Citrix