Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Citrix Group Policy Troubleshooting for XenApp and XenDesktop


Published on

Understanding the Citrix Group Policy architecture and how to troubleshoot is key to ensuring a stable environment. This session will provide an overview of the Citrix Group Policy architecture and troubleshooting tool and steps that can be leveraged in both XenApp and XenDesktop environments.

What you will learn
- General components and architecture of Citrix Group Policy
- Best practices and disaster recovery for Citrix Group Policy
- Troubleshooting Citrix Group Policy issues

Recording associated with this webinar can be found here -

Published in: Technology

Citrix Group Policy Troubleshooting for XenApp and XenDesktop

  1. 1. Citrix Group Policy Troubleshooting for XenApp and XenDesktop Rick Berry Principal Technical Relationship Manager Citrix Support Webinar Series, November 2014
  2. 2. Citrix Group Policy Architecture Overview of Citrix Group Policy and Components
  3. 3. Citrix Group Policy Architecture Policy Application Terminology Local Group Policies • Local GPO containing Computer and User settings Citrix FarmSite Policies • Also known as IMA farm policies (XenApp) • Set via AppCenterDSC (XenApp 6.x) or Studio (XenDesktopXenApp 7.x) • Stored in the farm datastoredatabase Active Directory Policies • Set via Site, Domain or OU GPO’s • Stored in Active Directory • Allows combining of Citrix and Microsoft Policies 3 © 2014 Citrix. Confidential.
  4. 4. Citrix Group Policy Architecture Processing and Precedence for RSOP CDM = Enabled 4 © 2014 Citrix. Confidential. Processing Precedence Setting in RSOP CDM = Disabled Active Directory OU GPO Active Directory Domain GPO Active Directory Site GPO Citrix FarmIMA Polices Local Policies
  5. 5. Citrix Group Policy Architecture Citrix Group Policy Management Console Citrix GPMC – Our connector into the Microsoft GPMC Management of Citrix group policies via AppCenterStudio or Microsoft GPMC Allows Citrix policy modelingcomparison Can be installed to manage AD GPO’s (with GPMC) Core binaries are in: • %PROGRAMFILES% and %PROGRAMFILES(x86)% • Under CitrixGroup PolicyManagement 5 © 2014 Citrix. Confidential.
  6. 6. Citrix Group Policy Architecture Citrix Group Policy Client Side Extension Also known as Citrix CSE (CitrixCseClient.dll) Loaded via Microsoft Winlogon process Generates policy requests (Computer or User) Retrieves values to determine policy filter calculation Forwards policy requests to Citrix Caching Service Core binaries are in: • %PROGRAMFILES% and %PROGRAMFILES(x86)% • Under CitrixGroup PolicyClient-Side Extension 6 © 2014 Citrix. Confidential.
  7. 7. Citrix Group Policy Architecture Citrix Group Policy Caching Service Citrix Group Policy Engine service (CitrixCseEngine), part of Citrix CSE Performs the Citrix policy calculation and writes settings to the registry Caches Group Policy files between calculations GPO (ADFarm) Local Cache: • %PROGRAMDATA%CitrixCseCache Also caches per-computer and per-user data files 7 © 2014 Citrix. Confidential.
  8. 8. Citrix Group Policy Architecture Data Files - Resultant Set of Policy (RSOP) Per-Computer and Per-User resultant Citrix policy settings end up in RSOP.gpf These binary files are cached in: • Per-Computer → %PROGRAMDATA%CitrixCseCache • Per-User → %PROGRAMDATA%CitrixCseCache<SessionID> Files are used to create policy registry settings under: • Per-Computer → HKLMSoftwarePoliciesCitrix • Per-User → HKLMSoftwarePoliciesCitrix<SessionID>User 8 © 2014 Citrix. Confidential.
  9. 9. Citrix Group Policy Architecture Data Files – Rollback We needed a way to remove RSOP settings Mechanism creates a Rollback.gpf file Contains instructions to remove existing RSOP settings These binary files are cached in: • Per-Computer → %PROGRAMDATA%CitrixCseCache • Per-User → %PROGRAMDATA%CitrixCseCache<SessionID> 9 © 2014 Citrix. Confidential.
  10. 10. Citrix Group Policy Architecture Citrix Policy Filters Allows granular control of Citrix policies Filters policy settings based on certain criteria Different options based on the policy category Can’t be applied to the default Unfiltered policy 10 © 2014 Citrix. Confidential.
  11. 11. Policy Filters Computer Policies 11 © 2014 Citrix. Confidential.
  12. 12. Policy Filters User Policies Additional filter types For User Policies 12 © 2014 Citrix. Confidential.
  13. 13. Citrix Group Policy Architecture Unfiltered Policy and Templates There’s a default Unfiltered policy (contains no settings) Unfiltered policy settings apply to all objects Can be disabled if not needed (set to lowest priority) There are pre-configured policy Templates in place Templates grouped by end user connectivity (WAN, LAN) Policies created can be saved as templates Should be exported to complete the backup process 13 © 2014 Citrix. Confidential.
  14. 14. Policy Management XenApp 6.x - XenDesktop 5.x Separate Computer and User Policy Nodes 14 © 2014 Citrix. Confidential.
  15. 15. Policy Management XenAppXenDesktop 7.x Single Policy Node 15 © 2014 Citrix. Confidential.
  16. 16. Citrix Group Policy Architecture Citrix Policy Update Intervals For Citrix farm policies setup via AppCenterStudio: • Citrix policies for Computer and Users (logged in) refresh every 90 minutes For Citrix Policies set via AD GPO: • Leverages AD refresh interval (default is 90 minutes plus a random offset of 0-30 minutes) • AD refresh interval can also be set via AD GPO For either method: • Computer Policies update at machine startup • User Policies will also be updated during a reconnect to an active or disconnected session • Policies can be updated manually by running: gpupdate /force 16 © 2014 Citrix. Confidential.
  17. 17. User Policy Application (Similar for Computer) 17 © 2014 Citrix. Confidential. WinLogon Client Side Extensions Microsoft CSE Citrix CSE Local GPO AD GPO Resultant Policy RSOP.GPF Local server Registry Farm or Studio GPO Citrix CSE HKLMSoftwarePolicesCitrix (Computer) -or- HKLMSoftwarePolicesCitrix<SessionID>User
  18. 18. Policy Application Details Load existing Rollback.gpf Rollback.gpf 18 © 2014 Citrix. Confidential. Registry %PROGRAMDATA%CitrixGroupPolicy (Computer) -or- %PROGRAMDATA%CitrixGroupPolicy<SessionID> (User) Apply RSOP RSOP.gpf Delete Cached GPF files RSOP.gpf Rollback.gpf Registry Cache new files RSOP.gpf Set time in LastUpdate Under Events Registry Area Rollback.gpf
  19. 19. Policy Application Details 19 © 2014 Citrix. Confidential. Set time in LastUpdate Under Events Registry Area All Done!
  20. 20. Recommended Practices - Tips Based on Citrix Support cases 20
  21. 21. Recommended Practices Architecture While supported, using both AD and FarmStudio Citrix policies may cause confusion when troubleshooting issues • Try to use one type or the other depending upon requirements Using WMI filters on AD GPO’s containing Citrix policies may cause issues during reconnects (due to WMIAD timeouts) • Use WMI filters sparingly • Possible mitigation: using DisableGPCalculation setting 21 © 2014 Citrix. Confidential.
  22. 22. Recommended Practices Document Policies For Farm (AppCenterStudio) applied policies: • Written documentspreadsheet (Scout can provide as well) For Active Directory applied policies: • Use the GPMC Save Report option on your AD GPO For either of the above: • CtxCseUtil – RSOP reporting tool • Export using Citrix Group Policy PowerShell module 22 © 2014 Citrix. Confidential.
  23. 23. Recommended Practices What Not To Do! To prevent Citrix Group Policy consistency issues, don’t manually manipulateremove any of the Citrix Group Policy data files on your own This includes filesfolders or reg entries under: • %PROGRAMDATA%CitrixGroupPolicy<SessionID> • %PROGRAMDATA%CitrixGroupPolicy • HKLMSoftwarePoliciesCitrix<SessionID> • HKLMSoftwarePoliciesCitrix Might be needed for certain fixes (LA5051) 23 © 2014 Citrix. Confidential.
  24. 24. Troubleshooting Citrix Group Policy
  25. 25. Troubleshooting Citrix Group Policy Recommended Approach Know your BaselineCollect the Details Determine Versions Policy Cache GPF Files RSOP Registry Settings Connection Information Data Collection Tools 25 © 2014 Citrix. Confidential.
  26. 26. Troubleshooting Citrix Group Policy Baseline and Collect Details – The Four W’s Make sure you can answer the following: Who is seeing the issue? What issue are they seeing? 26 © 2014 Citrix. Confidential. Tokyo Chicago Miami
  27. 27. Troubleshooting Citrix Group Policy Baseline and Collect Details – The Four W’s Make sure you can answer the following: Who is seeing the issue? What issue are they seeing? When are they seeing the issue? Where are they seeing the issue? 27 © 2014 Citrix. Confidential. New Session? Reconnecting? Smooth Roaming? All of the Above?
  28. 28. Troubleshooting Citrix Group Policy Determine Versions What version am I at?? 28 © 2014 Citrix. Confidential.
  29. 29. Troubleshooting Citrix Group Policy Determine CSE Version Look in the component directory Check CitrixCseEngine.exe 29 © 2014 Citrix. Confidential.
  30. 30. Troubleshooting Citrix Group Policy Determine GPMC Version 30 © 2014 Citrix. Confidential.
  31. 31. Product Versions - Reference XenApp 6.x and XenDesktop 5.x – Baseline (Updated) 31 © 2014 Citrix. Confidential. Version Citrix GPMC Citrix CSE XenApp 6.0 1.0 1.0 XenApp 6.5 & XenDesktop 5.6 1.5 (1.7) 1.5 (1.7)
  32. 32. Product Versions - Reference XenApp and XenDesktop 7.x – Baseline 32 © 2014 Citrix. Confidential. Version Citrix GPMC Citrix CSE 7.1 2.1 2.1 7.5 2.2 2.1 7.6 2.4 2.4
  33. 33. Policy Cache Active Directory Policies 33 © 2014 Citrix. Confidential. The 0 here denotes User policy settings Seeing {GUID} in the filename = AD GPO The 1 here denotes a Computer policy
  34. 34. Policy Cache Active Directory Policies We have a match!! 34 © 2014 Citrix. Confidential. We have a match!!
  35. 35. Policy Cache FarmStudio Policies 35 © 2014 Citrix. Confidential. Lack of {GUID} = Farm policies
  36. 36. GPF files 36 © 2014 Citrix. Confidential. SessionID = 2 Per-Computer files Per-User files
  37. 37. RSOP Registry Settings Per-Computer (HKLMSoftwarePoliciesCitrix) 37 © 2014 Citrix. Confidential.
  38. 38. RSOP Registry Settings Per-User (HKLMSoftwarePoliciesCitrix<SessionID>) 38 © 2014 Citrix. Confidential.
  39. 39. Connection Information 39 © 2014 Citrix. Confidential.
  40. 40. Connection Details HKLMSoftwareCitrixICASession 40 © 2014 Citrix. Confidential.
  41. 41. Troubleshooting Tools - CtxCseUtil Citrix RSOP Report Tool Creates resultant set of policies report containing user settings, computer or both Can be run locally or remotely against a server or VDA Converts RSOP.gpf to HTML report End user has to have logged in at some point End user doesn’t have to be actively logged in 41 © 2014 Citrix. Confidential.
  42. 42. Troubleshooting Tools - CtxCseUtil Common Errors Typical error when first run… 42 © 2014 Citrix. Confidential. Solution: Run WinRm QuickConfig
  43. 43. Troubleshooting Tools - CtxCseUtil CtxCseUtil - Common Errors Help Message.docx Possible using Local Administrator Account? 43 © 2014 Citrix. Confidential.
  44. 44. Troubleshooting Tools - CtxCseUtil Resultant Report - CitrixRsopResult.html Once run, resultant report is: CitrixRsopResult.html 44 © 2014 Citrix. Confidential.
  45. 45. Citrix Group Policy PowerShell Module Citrix.GroupPolicy.Commands.psm1 Module containing cmdlets for Citrix Policies • Local, Farm or Active Directory Needs to be imported via PowerShell prompt Contains cmdlets to: • Set or Get Citrix policy settings • Export or Import Citrix policy objects Policy Details ImportedExported: • Policy Settings • Configuration Details • Filters 45 © 2014 Citrix. Confidential.
  46. 46. Citrix Group Policy PowerShell Module Exporting Farm Policies GET-COMMAND output 46 © 2014 Citrix. Confidential.
  47. 47. Citrix Group Policy PowerShell Module Exporting Farm Policies Export the policies Once completed, these are your files 47 © 2014 Citrix. Confidential.
  48. 48. Citrix Group Policy PowerShell Module Exporting Citrix Policies from Active Directory Use the same PowerShell Module and cmdlets Connect to Active Directory GPO via New-PSDrive cmdlet See CTX140039 for the details 48 © 2014 Citrix. Confidential.
  49. 49. CDFControl CDF Tracing Tool 49 © 2014 Citrix. Confidential.
  50. 50. FarmStudio Policy Issue Farm policies stored in a single object Likely related to corrupt policy Error seen when accessing policies Don’t restore datastoredatabase Contact Citrix Technical Support Maintain an updated policy export!! 50 © 2014 Citrix. Confidential.
  51. 51. WMI Related Issues Reconnect Issues If using WMI Filters on AD GPO’s, might see reconnect issues • Citrix policies not applying for reconnected sessions • LoginsReconnects taking long time to occur (does the issue resolve itself after some time?) Enable Microsoft Group Policy logging: • HKLMSOFTWAREMicrosoftWindows NTCurrentVersionDiagnostics "GPSvcDebugLevel"=dword:00030002 Log file will be in: • %WINDIR%debugusermodegpsvc.log • If you see FilterCheck: Evaluate returned error. hr=0x80041069, AD is timing out on WMI call Look in Event Viewer as well for WMI errors 51 © 2014 Citrix. Confidential.
  52. 52. Takeaways Architecture and files related to Citrix Group Policy How Citrix policies apply during user login (computer too) Recommended practices Troubleshooting methods and tools Documenting and backing up your policies is important!! 52 © 2014 Citrix. Confidential.
  53. 53. Resources Links related to Citrix Group Policy 53
  54. 54. Resources Citrix Documentation Links Citrix Product Documentation Site (eDocs) Manage Citrix Policies (XenDesktopXenApp 7.5) Working with Citrix Policies (XenApp 6.5) Policy Settings Reference (XenApp 6.5) 54 © 2014 Citrix. Confidential.
  55. 55. Resources CTX140268 - Citrix policy settings not being displayed properly in newer Citrix Group Policy Management Console CTX127611 - How Citrix IMA Policies fit in to Microsoft GPO Processing and Precedence Model CTX138537 – HRP02 for Citrix XenApp 6.5 (for DisableGPCalculation setting) CTX130116 - Case Study: Unable to Apply Citrix Policies because of 0kb gpf Files CTX134081 - Planning Guide - Citrix XenApp and XenDesktop Policies 55 © 2014 Citrix. Confidential.
  56. 56. Resources Group Policy Tools CTX140267 - Updated Citrix Group Policy PowerShell Module CTX138533 - Citrix Policy Reporter - RSOP CtxCseUtil Tool CTX140039 - How to Import and Export Policies in XenApp 6.x CTX111961 – CDFControl CTX130147 – Citrix Scout MS TechNet – Group Policy Cmdlets for PowerShell MS TechNet Blog – Enabling Group Policy Logging using RSAT 56 © 2014 Citrix. Confidential.
  57. 57. Questions and Wrap-Up
  58. 58. Questions? 58 © 2014 Citrix. Confidential.
  59. 59. Simplify your journey, let us guide you. Accelerate your implementation and minimize risk by taking advantage of Citrix Consulting. You’ll get the expertise of certified Citrix Consulting Architects to successfully deploy Citrix solutions in any phase of your project. 53% of customers have seen a return on investment with Citrix Consulting in 6 months or less. Visit to learn more about our proven methodology. 59 © 2014 Citrix. Confidential.
  60. 60. Build your Citrix skills in your personal virtual sandbox Play in your own Virtual Sandbox with Learning Labs from Citrix Education. With your purchase, you’ll receive your own dedicated server with access to the seven most popular Learning Labs from Synergy. Featured labs include: • NetScaler, the Enterprise Security Swiss Army Knife • Front-Ending and Load Balancing XenDesktop and XenApp with NetScaler • Enhancing Visibility of Applications with NetScaler Insight Center 60 © 2014 Citrix. Confidential.
  61. 61. Get access to Synergy 2014 Learn Labs for FREE Offer: Buy a qualifying Citrix Training Pass and receive 30 days of free access to the most popular Learning Labs from Synergy 2014. 61 © 2014 Citrix. Confidential. Purchase now
  62. 62. New Citrix Practice Exams Accelerate Your Path to Certification Available on ($39 each): CPE-350 – Citrix NetScaler 10 Essentials and Networking Practice Exam CPE-300 – Deploying XenDesktop 7 Solutions Practice Exam CPE-A22 – Citrix XenApp 6.5 Advanced Administration Practice Exam ticeexams/ 62 © 2014 Citrix. Confidential.
  63. 63. Q4 PROMOTION 63 © 2014 Citrix. Confidential. Most popular Learning Labs from Synergy ’14 7 lab environments totaling 30+ hours of exercises 30 days of access on a dedicated server Self-paced online labs with minimal instruction Free with purchase of a 5-day CTP through 12/31 Learning Labs $500
  64. 64. 64 © 2014 Citrix. Confidential. WORK BETTER. LIVE BETTER.