Upload
austin-bishop
View
244
Download
1
Tags:
Embed Size (px)
Citation preview
v2 March © 2015 Citrix
Automation & Troubleshooting of Citrix Group Policy for XenApp & XenDesktop 7.xArchitecture using Windows PowerShell
Peter Brown
Senior Escalation Engineer
May 2015
© 2015 Citrix
Agenda
Citrix Group Policy Architecture
Recommended Practices
Troubleshooting Tools
Citrix Group Policy PowerShell Module
Managing with PowerShell
Troubleshooting with PowerShell
© 2015 Citrix | Confidential
Citrix Group Policy ArchitectureOverview of Citrix Group Policy and Components
© 2015 Citrix
Processing & Precedence of RSOP
Local Policies
Citrix Site Policies
Active Directory Site GPO
Active Directory Domain GPO
Active Directory OU GPOP
recedence RSOP will have
CDM = Enabled
CDM = Disabled
© 2015 Citrix
Policy Filters / Object Assignments
Allows granular control of Citrix policies
Filters policy settings based on certain criteria
Different options based on the policy type
Can’t be applied to the default Unfiltered policy
© 2015 Citrix
Unfiltered Policy & Templates
Default Unfiltered policy (no settings)Applies to all objectsCan be disabled if not needed(Set to lowest priority)
Pre-configured policy templatesCreated for various criteriaPolicies created can be saved as templates
© 2015 Citrix
Citrix Group Policy Client Side Extension
Also referred to as Citrix CSE (CitrixCseClient.dll)
Loaded via Microsoft Winlogon process
Generates policy requests (Computer/User)
Retrieves values to determine policy filter calculation
Forwards policy requests to Citrix Caching Service
© 2015 Citrix
Citrix Group Policy Caching Service
Citrix Group Policy Engine service (CitrixCseEngine), part of Citrix CSE
Performs the Citrix policy calculation and writes settings to the registry
Caches Group Policy files between calculations
© 2015 Citrix
Citrix Group Policy Data Files
Per-Computer and Per-User resultant Citrix policy settings end up in separate RSOP.gpf files
Each RSOP.gpf file is used to create policy registry settings under:
Per-Computer → HKLM\Software\Policies\CitrixPer-User → HKLM\Software\Policies\Citrix\<SessionID>\User
© 2015 Citrix
Citrix Group Policy Update Intervals
For Citrix Site policies setup via Studio:Policies for Computer and Users (logged in) refresh every 90 minutes
For Citrix Policies set via AD GPO:Leverage AD refresh interval (default is 90 minutes +\- a random offset of 0-30 minutes)Refresh interval can be customized & set via AD GPO
For either method:Computer Policies update at machine startupUser Policies update during a reconnect to an active or disconnected sessionPolicies can be updated manually by running: gpupdate /force
© 2015 Citrix
User Policy Application (Similar for Computer Startup)
WinLogonWinLogon Client Side ExtensionsClient Side Extensions
Microsoft CSE
Microsoft CSE Citrix CSECitrix CSE
AD GPOAD
GPO
Local GPOLocal GPO
ResultantPolicy
RSOP.GPF
ResultantPolicy
RSOP.GPF
Local server
Registry
Local server
Registry
SiteGPOSiteGPO Citrix CSECitrix CSE
HKLM\Software\Polices\Citrix\ (For Server) -or-HKLM\Software\Polices\Citrix\<SessionID>\User
Precedence
Order
© 2015 Citrix
Citrix Group Policy Management Console
Citrix GPMC - A connector into the Microsoft GPMC (CitrixGPMCConnector.dll)
Management of Citrix group policies through Studio or GPMC
Allows for Citrix policy modeling/comparison
Can be installed separately for standalone use
© 2015 Citrix
StudioSingle Policy NodeObject assignments shown depend on policies settingsconfigured
PowerShell & AD GPOsDivided into Computer & User policy types
Citrix Group Policy Management - Studio vs. PowerShell
© 2015 Citrix
Policy Architecture
Using both Site and AD policies may cause confusion when troubleshooting issues
Use one location or the other depending upon requirements
WMI filters on AD GPO’s containing Citrix policies may cause issues during reconnects (due to WMI/AD timeouts)
Use WMI filters sparinglyPossible mitigation: DisableGPCalculation setting
© 2015 Citrix
Policy Documentation
For Site applied policies:Written document\spreadsheet
For Active Directory applied policies:Use the GPMC Save Report option on your AD GPO
For either of the above:CtxCseUtil – RSOP reporting toolExport using Citrix Group Policy PowerShell module
© 2015 Citrix
What Not To Do!
To prevent Citrix Group Policy consistency issues, don’t manually manipulate/remove any of the Citrix Group Policy data on your own
This includes files/folders or reg entries under: %PROGRAMDATA%\Citrix\GroupPolicy\<SessionID>%PROGRAMDATA%\Citrix\GroupPolicyHKLM\Software\Policies\Citrix\<SessionID>HKLM\Software\Policies\Citrix
Only under the direction of Citrix Technical Support
© 2015 Citrix
Recommended Approach
Know your Baseline\Collect the Details
Determine Versions
Policy Cache
GPF Files
RSOP Registry Settings
© 2015 Citrix
Baseline and Collect Details – The Four W’s
Make sure you can answer the following:
Who is seeing the issue? What issue are they seeing?
Tokyo
Chicago
Miami
© 2015 Citrix
Baseline and Collect Details – The Four W’s
Make sure you can answer the following:
Who is seeing the issue? What issue are they seeing?When are they seeing the issue?Where are they seeing the issue?
New Session?Reconnecting?
Smooth Roaming?All of the Above?
© 2015 Citrix
Determine Component Versions
What version of the componentsam I running??
Controller
VDA
© 2015 Citrix
Determine Component Versions – CSE
Look in the component directory on VDA
Check CitrixCseEngine.exe
© 2015 Citrix
Product Versions - Reference
XA / XD Version Citrix GPMC Citrix CSE
7.1 2.1 2.1
7.5 2.2 2.2
7.6 2.4 2.4
© 2015 Citrix
RSOP Registry Settings – Per User & Connection Information
HKLM\Software\Policies\Citrix\<SessionID>
© 2015 Citrix
Additional Troubleshooting Tools - CtxCseUtil
Creates resultant set of policies report containing user settings, computer or both
Converts RSOP.gpf to HTML report
Can be run locally or remotely against a server VDA or desktop VDA
End user has to have logged in at some point
End user doesn’t have to be actively logged in
Report created in folder with CTXCseUtil.exe and named CitrixRsopResult.html
© 2015 Citrix
Overview
Module containing cmdlets for Citrix Policies
Must be imported to be used
Included in Scout
Included on Controllers
Can be installed separately
© 2015 Citrix
PowerShell Drive (PSDrive)
Defined: A mapping between a PowerShell provider and resource
© 2015 Citrix
PSDrive Mappings
New-PSDrive –name Site –psprovider CitrixGroupPolicy –root \ -controller LocalHost
© 2015 Citrix
Recommendations
PerspectiveSingle Pane for Policies in StudioPowerShell or AD GPO still have Computer & User types
Be consistent in your management approach
Back up your policies prior to making any changes
© 2015 Citrix
Creating Policies from Templates
Get-CtxGroupPolicy –policyname “Hi-Def Experience” –drivename Site
© 2015 Citrix
Exporting / Importing Policies
Copy the exported policy files to the target Controller
Alternative Options
© 2015 Citrix
Changing Policy Locations
Export the policies from the Site
Map a PSDrive to the Active Directory GPO
New-PSDrive -Name <DomainGPODrv> -PSProvider CitrixGroupPolicy -Root \ -DomainGPO <DomainGPO>
Note: The target GPO must already exist in the Active Directory domainNote: Replace <DomainGPODrv> with the name of the new PSDrive being created and replace <DomainGPO> with the display name of the Active Directory GPO
Import-CtxGroupPolicy <PathToExportFolder> -DriveName <DomainGPODrv>
See CTX140039 for the details
© 2015 Citrix
Changing Policies with PowerShell
Multiple methodsSet-CTXGroupPolicyConfiguration
Browse into the Policy path & set the property you want to change
Back up your policies prior to any manipulation of them
© 2015 Citrix
Changing Policies with PowerShell
Set-ItemProperty ‘.\User\HiDef Policy\Settings\ICA\ReadonlyClipboard ‘-Name State –Value “Enabled”
© 2015 Citrix
Reviewing What Policy Settings Are Configured
Use Get-CtxGroupPolicy cmdlet to list the policies–Shows both User & Computer policy types
Use Get-CtxGroupPolicyConfiguration to list the properties–Use the –ConfiguredOnly switch
© 2015 Citrix
Setting The Unfiltered Policy To Be First or Last
• To set Unfiltered policy to the highest priority:– Set-CtxGroupPolicy –DriveName Farm –PolicyName Unfiltered –Type Computer –Priority 1– Set-CtxGroupPolicy –DriveName Farm –PolicyName Unfiltered –Type User –Priority 1
• To set Unfiltered policy to the lowest priority:– Use the Count property of the list of policies of the specific types– Set-CtxGroupPolicy –DriveName Farm –PolicyName Unfiltered –Type Computer –Priority
(Get-CtxGroupPolicy –DriveName Farm –Type Computer).count– Set-CtxGroupPolicy –DriveName Farm –PolicyName Unfiltered –Type User –Priority (Get-
CtxGroupPolicy –DriveName Farm –Type User).count
Back up your policies prior to any manipulation of them
© 2015 Citrix
In Review
Citrix Group Policy Architecture
Recommended Practices
Troubleshooting Tools
Citrix Group Policy PowerShell Module
Managing & Troubleshooting Citrix GPO via PowerShell
© 2015 Citrix
Before you leave…
• Recommend related breakout session– SYN411: Successfully Migrating your farm to XenApp 7.6
• Conference Surveys are available online at www.citrixsynergy.com starting Thursday, May 14 at 9:00 a.m.– Those who provide feedback by 6pm, Friday, May 15th will receive:– $20 Amazon e-gift card– Name entered in a drawing for a free Trip to Synergy 2016 (5 chances)
Download presentations starting Monday May, 18th from the My Event Planning tool
© 2015 Citrix
ResourcesCitrix Documentation Links
• Citrix Product Documentation Site (eDocs)
• PowerShell cmdlet help– Migrate from XA 6.x -> XA/XD 7.x– Policy settings not imported
• Synergy 2014– SYN406 – Citrix Group Policy Troubleshooting for XenApp & XenDesktop
© 2015 Citrix
References
• CTX128625 - How to Import and Export Policies in XenApp 6.x
• CTX138533 - Citrix Policy Reporter - RSOP CtxCseUtil Tool
• CTX130147 – Citrix Scout
• CTX111961 – CDFControl
• CTX138509 – Merging of User and Computer Policies in XenDesktop
• CTX200234 - Error: "Changes made to policies outside of this console, such as in PowerShell..."
• MS TechNet Blog – Enabling Group Policy Logging using RSAT