v2 March © 2015 Citrix

Automation & Troubleshooting of Citrix Group Policy for XenApp & XenDesktop 7.xArchitecture using Windows PowerShell

Peter Brown

Senior Escalation Engineer

May 2015

© 2015 Citrix

Agenda

Citrix Group Policy Architecture

Recommended Practices

Troubleshooting Tools

Citrix Group Policy PowerShell Module

Managing with PowerShell

Troubleshooting with PowerShell

© 2015 Citrix | Confidential

Citrix Group Policy ArchitectureOverview of Citrix Group Policy and Components

© 2015 Citrix

Terminology

Local Group Policies

Citrix Site Policies

Active Directory Policies

© 2015 Citrix

Processing & Precedence of RSOP

Local Policies

Citrix Site Policies

Active Directory Site GPO

Active Directory Domain GPO

Active Directory OU GPOP

recedence RSOP will have

CDM = Enabled

CDM = Disabled

© 2015 Citrix

Policy Filters / Object Assignments

Allows granular control of Citrix policies

Filters policy settings based on certain criteria

Different options based on the policy type

Can’t be applied to the default Unfiltered policy

© 2015 Citrix

Unfiltered Policy & Templates

Default Unfiltered policy (no settings)Applies to all objectsCan be disabled if not needed(Set to lowest priority)

Pre-configured policy templatesCreated for various criteriaPolicies created can be saved as templates

© 2015 Citrix

Citrix Group Policy Client Side Extension

Also referred to as Citrix CSE (CitrixCseClient.dll)

Loaded via Microsoft Winlogon process

Generates policy requests (Computer/User)

Retrieves values to determine policy filter calculation

Forwards policy requests to Citrix Caching Service

© 2015 Citrix

Citrix Group Policy Caching Service

Citrix Group Policy Engine service (CitrixCseEngine), part of Citrix CSE

Performs the Citrix policy calculation and writes settings to the registry

Caches Group Policy files between calculations

© 2015 Citrix

Citrix Group Policy Data Files

Per-Computer and Per-User resultant Citrix policy settings end up in separate RSOP.gpf files

Each RSOP.gpf file is used to create policy registry settings under:

Per-Computer → HKLM\Software\Policies\CitrixPer-User → HKLM\Software\Policies\Citrix\<SessionID>\User

© 2015 Citrix

Citrix Group Policy Update Intervals

For Citrix Site policies setup via Studio:Policies for Computer and Users (logged in) refresh every 90 minutes

For Citrix Policies set via AD GPO:Leverage AD refresh interval (default is 90 minutes +\- a random offset of 0-30 minutes)Refresh interval can be customized & set via AD GPO

For either method:Computer Policies update at machine startupUser Policies update during a reconnect to an active or disconnected sessionPolicies can be updated manually by running: gpupdate /force

© 2015 Citrix

User Policy Application (Similar for Computer Startup)

WinLogonWinLogon Client Side ExtensionsClient Side Extensions

Microsoft CSE

Microsoft CSE Citrix CSECitrix CSE

AD GPOAD

GPO

Local GPOLocal GPO

ResultantPolicy

RSOP.GPF

ResultantPolicy

RSOP.GPF

Local server

Registry

Local server

Registry

SiteGPOSiteGPO Citrix CSECitrix CSE

HKLM\Software\Polices\Citrix\ (For Server) -or-HKLM\Software\Polices\Citrix\<SessionID>\User

Precedence

Order

© 2015 Citrix

Citrix Group Policy Management Console

Citrix GPMC - A connector into the Microsoft GPMC (CitrixGPMCConnector.dll)

Management of Citrix group policies through Studio or GPMC

Allows for Citrix policy modeling/comparison

Can be installed separately for standalone use

© 2015 Citrix

StudioSingle Policy NodeObject assignments shown depend on policies settingsconfigured

PowerShell & AD GPOsDivided into Computer & User policy types

Citrix Group Policy Management - Studio vs. PowerShell

© 2015 Citrix | Confidential

Recommended Practices - TipsBased on Citrix Support cases

15

© 2015 Citrix

Policy Architecture

Using both Site and AD policies may cause confusion when troubleshooting issues

Use one location or the other depending upon requirements

WMI filters on AD GPO’s containing Citrix policies may cause issues during reconnects (due to WMI/AD timeouts)

Use WMI filters sparinglyPossible mitigation: DisableGPCalculation setting

© 2015 Citrix

Policy Documentation

For Site applied policies:Written document\spreadsheet

For Active Directory applied policies:Use the GPMC Save Report option on your AD GPO

For either of the above:CtxCseUtil – RSOP reporting toolExport using Citrix Group Policy PowerShell module

© 2015 Citrix

What Not To Do!

To prevent Citrix Group Policy consistency issues, don’t manually manipulate/remove any of the Citrix Group Policy data on your own

This includes files/folders or reg entries under: %PROGRAMDATA%\Citrix\GroupPolicy\<SessionID>%PROGRAMDATA%\Citrix\GroupPolicyHKLM\Software\Policies\Citrix\<SessionID>HKLM\Software\Policies\Citrix

Only under the direction of Citrix Technical Support

© 2015 Citrix | Confidential

Troubleshooting Citrix Group Policy

© 2015 Citrix

Recommended Approach

Know your Baseline\Collect the Details

Determine Versions

Policy Cache

GPF Files

RSOP Registry Settings

© 2015 Citrix

Baseline and Collect Details – The Four W’s

Make sure you can answer the following:

Who is seeing the issue? What issue are they seeing?

Tokyo

Chicago

Miami

© 2015 Citrix

Baseline and Collect Details – The Four W’s

Make sure you can answer the following:

Who is seeing the issue? What issue are they seeing?When are they seeing the issue?Where are they seeing the issue?

New Session?Reconnecting?

Smooth Roaming?All of the Above?

© 2015 Citrix

Determine Component Versions

What version of the componentsam I running??

Controller

VDA

© 2015 Citrix

Determine Component Versions – CSE

Look in the component directory on VDA

Check CitrixCseEngine.exe

© 2015 Citrix

Determine Component Versions - GPMC

© 2015 Citrix

Product Versions - Reference

XA / XD Version Citrix GPMC Citrix CSE

7.1 2.1 2.1

7.5 2.2 2.2

7.6 2.4 2.4

© 2015 Citrix

RSOP Registry Settings – Per Computer

HKLM\Software\Policies\Citrix

© 2015 Citrix

RSOP Registry Settings – Per User & Connection Information

HKLM\Software\Policies\Citrix\<SessionID>

© 2015 Citrix

Additional Troubleshooting Tools - CtxCseUtil

Creates resultant set of policies report containing user settings, computer or both

Converts RSOP.gpf to HTML report

Can be run locally or remotely against a server VDA or desktop VDA

End user has to have logged in at some point

End user doesn’t have to be actively logged in

Report created in folder with CTXCseUtil.exe and named CitrixRsopResult.html

© 2015 Citrix

CDFControl

© 2015 Citrix

© 2015 Citrix | Confidential

Citrix Group Policy PowerShell Module

© 2015 Citrix

Overview

Module containing cmdlets for Citrix Policies

Must be imported to be used

Included in Scout

Included on Controllers

Can be installed separately

© 2015 Citrix

Importing the PowerShell Module

© 2015 Citrix

Importing the PowerShell Module

© 2015 Citrix

PowerShell Drive (PSDrive)

Defined: A mapping between a PowerShell provider and resource

© 2015 Citrix

PSDrive Mappings

New-PSDrive –name Site –psprovider CitrixGroupPolicy –root \ -controller LocalHost

© 2015 Citrix | Confidential

Managing Citrix Group Policy with PowerShell

© 2015 Citrix

Recommendations

PerspectiveSingle Pane for Policies in StudioPowerShell or AD GPO still have Computer & User types

Be consistent in your management approach

Back up your policies prior to making any changes

© 2015 Citrix

Policy Merging

MergedPriorityproperty

© 2015 Citrix

Creating Policies from Templates

Get-CtxGroupPolicy –policyname “Hi-Def Experience” –drivename Site

© 2015 Citrix

Exporting / Importing Policies

© 2015 Citrix

Exporting / Importing Policies

Copy the exported policy files to the target Controller

Alternative Options

© 2015 Citrix

Changing Policy Locations

Export the policies from the Site

Map a PSDrive to the Active Directory GPO

New-PSDrive -Name <DomainGPODrv> -PSProvider CitrixGroupPolicy -Root \ -DomainGPO <DomainGPO>

Note: The target GPO must already exist in the Active Directory domainNote: Replace <DomainGPODrv> with the name of the new PSDrive being created and replace <DomainGPO> with the display name of the Active Directory GPO

Import-CtxGroupPolicy <PathToExportFolder> -DriveName <DomainGPODrv>

See CTX140039 for the details

© 2015 Citrix

Changing Policies with PowerShell

Multiple methodsSet-CTXGroupPolicyConfiguration

Browse into the Policy path & set the property you want to change

Back up your policies prior to any manipulation of them

© 2015 Citrix

Changing Policies with PowerShell

Set-ItemProperty ‘.\User\HiDef Policy\Settings\ICA\ReadonlyClipboard ‘-Name State –Value “Enabled”

© 2015 Citrix | Confidential

Troubleshooting Citrix Group Policy with PowerShell

© 2015 Citrix

Reviewing What Policy Settings Are Configured

Use Get-CtxGroupPolicy cmdlet to list the policies–Shows both User & Computer policy types

Use Get-CtxGroupPolicyConfiguration to list the properties–Use the –ConfiguredOnly switch

© 2015 Citrix

Setting The Unfiltered Policy To Be First or Last

• To set Unfiltered policy to the highest priority:– Set-CtxGroupPolicy –DriveName Farm –PolicyName Unfiltered –Type Computer –Priority 1– Set-CtxGroupPolicy –DriveName Farm –PolicyName Unfiltered –Type User –Priority 1

• To set Unfiltered policy to the lowest priority:– Use the Count property of the list of policies of the specific types– Set-CtxGroupPolicy –DriveName Farm –PolicyName Unfiltered –Type Computer –Priority

(Get-CtxGroupPolicy –DriveName Farm –Type Computer).count– Set-CtxGroupPolicy –DriveName Farm –PolicyName Unfiltered –Type User –Priority (Get-

CtxGroupPolicy –DriveName Farm –Type User).count

Back up your policies prior to any manipulation of them

© 2015 Citrix

Getting LastUpdate & Connection Information For A Session

© 2015 Citrix

In Review

Citrix Group Policy Architecture

Recommended Practices

Troubleshooting Tools

Citrix Group Policy PowerShell Module

Managing & Troubleshooting Citrix GPO via PowerShell

© 2015 Citrix

Questions?

© 2015 Citrix

Before you leave…

• Recommend related breakout session– SYN411: Successfully Migrating your farm to XenApp 7.6

• Conference Surveys are available online at www.citrixsynergy.com starting Thursday, May 14 at 9:00 a.m.– Those who provide feedback by 6pm, Friday, May 15th will receive:– $20 Amazon e-gift card– Name entered in a drawing for a free Trip to Synergy 2016 (5 chances)

Download presentations starting Monday May, 18th from the My Event Planning tool

© 2015 Citrix | Confidential

ResourcesLinks related to Citrix Group Policy

54

© 2015 Citrix

ResourcesCitrix Documentation Links

• Citrix Product Documentation Site (eDocs)

• PowerShell cmdlet help– Migrate from XA 6.x -> XA/XD 7.x– Policy settings not imported

• Synergy 2014– SYN406 – Citrix Group Policy Troubleshooting for XenApp & XenDesktop

© 2015 Citrix

References

• CTX128625 - How to Import and Export Policies in XenApp 6.x

• CTX138533 - Citrix Policy Reporter - RSOP CtxCseUtil Tool

• CTX130147 – Citrix Scout

• CTX111961 – CDFControl

• CTX138509 – Merging of User and Computer Policies in XenDesktop

• CTX200234 - Error: "Changes made to policies outside of this console, such as in PowerShell..."

• MS TechNet Blog – Enabling Group Policy Logging using RSAT

© 2015 Citrix

Work better. Live better.Work better. Live better.