Citrix Group Policy Troubleshooting for XenApp and XenDesktop

Rick Berry, Principal Technical Relationship Manager
Citrix Support Webinar Series, November 2014

Description

Understanding the Citrix Group Policy architecture and how to troubleshoot it is key to ensuring a stable environment. This session provides an overview of the Citrix Group Policy architecture and of the troubleshooting tools and steps that can be used in both XenApp and XenDesktop environments.

What you will learn:
• General components and architecture of Citrix Group Policy
• Best practices and disaster recovery for Citrix Group Policy
• Troubleshooting Citrix Group Policy issues

The recording associated with this webinar can be found at http://www.citrix.com/tv/#videos/12508

Transcript of Citrix Group Policy Troubleshooting for XenApp and XenDesktop


Citrix Group Policy Architecture: Overview of Citrix Group Policy and Components

© 2014 Citrix. Confidential.

Citrix Group Policy Architecture: Policy Application Terminology

Local Group Policies
• Local GPO containing Computer and User settings

Citrix Farm\Site Policies
• Also known as IMA farm policies (XenApp)
• Set via AppCenter\DSC (XenApp 6.x) or Studio (XenDesktop\XenApp 7.x)
• Stored in the farm datastore\database

Active Directory Policies
• Set via Site, Domain or OU GPOs
• Stored in Active Directory
• Allows combining of Citrix and Microsoft policies

Citrix Group Policy Architecture: Processing and Precedence for RSOP

[Figure: policy sources shown against "Processing" and "Precedence" arrows: Local Policies, Citrix Farm\IMA Policies, Active Directory Site GPO, Active Directory Domain GPO, Active Directory OU GPO. Example labels in the figure: "CDM = Disabled", "CDM = Enabled", "Setting in RSOP".]

Citrix Group Policy Architecture: Citrix Group Policy Management Console

Citrix GPMC – Our connector into the Microsoft GPMC

Management of Citrix group policies via AppCenter\Studio or Microsoft GPMC

Allows Citrix policy modeling\comparison

Can be installed to manage AD GPOs (with GPMC)

Core binaries are in:
• %PROGRAMFILES% and %PROGRAMFILES(x86)%
• Under \Citrix\Group Policy\Management

Citrix Group Policy Architecture: Citrix Group Policy Client Side Extension

Also known as Citrix CSE (CitrixCseClient.dll)

Loaded via Microsoft Winlogon process

Generates policy requests (Computer or User)

Retrieves values to determine policy filter calculation

Forwards policy requests to Citrix Caching Service

Core binaries are in:
• %PROGRAMFILES% and %PROGRAMFILES(x86)%
• Under \Citrix\Group Policy\Client-Side Extension

Citrix Group Policy Architecture: Citrix Group Policy Caching Service

Citrix Group Policy Engine service (CitrixCseEngine), part of Citrix CSE

Performs the Citrix policy calculation and writes settings to the registry

Caches Group Policy files between calculations

GPO (AD\Farm) Local Cache:
• %PROGRAMDATA%\CitrixCseCache

Also caches per-computer and per-user data files

Citrix Group Policy Architecture: Data Files - Resultant Set of Policy (RSOP)

Per-Computer and Per-User resultant Citrix policy settings end up in RSOP.gpf

These binary files are cached in:
• Per-Computer → %PROGRAMDATA%\CitrixCseCache
• Per-User → %PROGRAMDATA%\CitrixCseCache\<SessionID>

Files are used to create policy registry settings under:
• Per-Computer → HKLM\Software\Policies\Citrix
• Per-User → HKLM\Software\Policies\Citrix\<SessionID>\User

Citrix Group Policy Architecture: Data Files – Rollback

We needed a way to remove RSOP settings

Mechanism creates a Rollback.gpf file

Contains instructions to remove existing RSOP settings

These binary files are cached in:
• Per-Computer → %PROGRAMDATA%\CitrixCseCache
• Per-User → %PROGRAMDATA%\CitrixCseCache\<SessionID>

Citrix Group Policy Architecture: Citrix Policy Filters

Allows granular control of Citrix policies

Filters policy settings based on certain criteria

Different options based on the policy category

Can’t be applied to the default Unfiltered policy

Policy Filters: Computer Policies

Policy Filters: User Policies

Additional filter types for User Policies

Citrix Group Policy Architecture: Unfiltered Policy and Templates

There’s a default Unfiltered policy (contains no settings)

Unfiltered policy settings apply to all objects

Can be disabled if not needed (set to lowest priority)

There are pre-configured policy Templates in place

Templates grouped by end user connectivity (WAN, LAN)

Policies created can be saved as templates

Should be exported to complete the backup process

Policy Management: XenApp 6.x - XenDesktop 5.x

Separate Computer and User Policy Nodes

Policy Management: XenApp\XenDesktop 7.x

Single Policy Node

Citrix Group Policy Architecture: Citrix Policy Update Intervals

For Citrix farm policies set up via AppCenter\Studio:
• Citrix policies for Computer and Users (logged in) refresh every 90 minutes

For Citrix policies set via AD GPO:
• Leverages AD refresh interval (default is 90 minutes plus a random offset of 0-30 minutes)
• AD refresh interval can also be set via AD GPO

For either method:
• Computer Policies update at machine startup
• User Policies will also be updated during a reconnect to an active or disconnected session
• Policies can be updated manually by running: gpupdate /force

User Policy Application (Similar for Computer)

[Figure: flow diagram with the elements WinLogon, Client Side Extensions (Microsoft CSE, Citrix CSE), AD GPO, Local GPO, Farm or Studio GPO, Resultant Policy (RSOP.GPF) and Local server Registry: HKLM\Software\Policies\Citrix\ (Computer) -or- HKLM\Software\Policies\Citrix\<SessionID>\User]

Policy Application Details

[Figure: step diagram with the labels: Load existing Rollback.gpf; Apply RSOP (RSOP.gpf); Registry; Delete cached GPF files (RSOP.gpf, Rollback.gpf); Cache new files (RSOP.gpf, Rollback.gpf); Set time in LastUpdate under the Events registry area; All Done! File location shown: %PROGRAMDATA%\Citrix\GroupPolicy (Computer) -or- %PROGRAMDATA%\Citrix\GroupPolicy\<SessionID> (User)]

Recommended Practices - Tips: Based on Citrix Support cases

Recommended Practices: Architecture

While supported, using both AD and Farm\Studio Citrix policies may cause confusion when troubleshooting issues
• Try to use one type or the other depending upon requirements

Using WMI filters on AD GPOs containing Citrix policies may cause issues during reconnects (due to WMI\AD timeouts)
• Use WMI filters sparingly
• Possible mitigation: using DisableGPCalculation setting

Recommended Practices: Document Policies

For Farm (AppCenter\Studio) applied policies:
• Written document\spreadsheet (Scout can provide as well)

For Active Directory applied policies:
• Use the GPMC Save Report option on your AD GPO

For either of the above:
• CtxCseUtil – RSOP reporting tool
• Export using Citrix Group Policy PowerShell module

Recommended Practices: What Not To Do!

To prevent Citrix Group Policy consistency issues, don’t manually manipulate\remove any of the Citrix Group Policy data files on your own

This includes files\folders or reg entries under:
• %PROGRAMDATA%\Citrix\GroupPolicy\<SessionID>
• %PROGRAMDATA%\Citrix\GroupPolicy
• HKLM\Software\Policies\Citrix\<SessionID>
• HKLM\Software\Policies\Citrix

Might be needed for certain fixes (LA5051)


Troubleshooting Citrix Group Policy

Troubleshooting Citrix Group Policy: Recommended Approach

Know your Baseline\Collect the Details

Determine Versions

Policy Cache

GPF Files

RSOP Registry Settings

Connection Information

Data Collection Tools

Troubleshooting Citrix Group Policy: Baseline and Collect Details – The Four W’s

Make sure you can answer the following:
• Who is seeing the issue?
• What issue are they seeing?
• When are they seeing the issue?
• Where are they seeing the issue?

[Slide graphics: locations Tokyo, Chicago, Miami; session types New Session? Reconnecting? Smooth Roaming? All of the Above?]

Troubleshooting Citrix Group Policy: Determine Versions

What version am I at??

Troubleshooting Citrix Group Policy: Determine CSE Version

Look in the component directory

Check CitrixCseEngine.exe

Troubleshooting Citrix Group Policy: Determine GPMC Version

Product Versions - Reference: XenApp 6.x and XenDesktop 5.x – Baseline (Updated)

Version                        Citrix GPMC   Citrix CSE
XenApp 6.0                     1.0           1.0
XenApp 6.5 & XenDesktop 5.6    1.5 (1.7)     1.5 (1.7)

Product Versions - Reference: XenApp and XenDesktop 7.x – Baseline

Version   Citrix GPMC   Citrix CSE
7.1       2.1           2.1
7.5       2.2           2.1
7.6       2.4           2.4

Policy Cache: Active Directory Policies

Seeing {GUID} in the filename = AD GPO

The 0 here denotes User policy settings

The 1 here denotes a Computer policy

Policy Cache: Active Directory Policies

We have a match!!

Policy Cache: Farm\Studio Policies

Lack of {GUID} = Farm policies

GPF files

Per-Computer files

Per-User files

SessionID = 2

RSOP Registry Settings: Per-Computer (HKLM\Software\Policies\Citrix)

RSOP Registry Settings: Per-User (HKLM\Software\Policies\Citrix\<SessionID>)

Connection Information

Connection Details: HKLM\Software\Citrix\ICA\Session
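The version, GPF file and RSOP registry checks from the slides above can be collected in one read-only pass. The following is an added example, not code from the webinar or from Citrix; it assumes Windows PowerShell 3.0 or later and an elevated prompt, and the function name Get-CitrixPolicyBaseline is made up for this example.

```powershell
# Added example (not from the webinar): read-only baseline of the Citrix
# Group Policy state on one server or VDA. Nothing is changed or deleted.
# Get-CitrixPolicyBaseline is a hypothetical name chosen for this example.
function Get-CitrixPolicyBaseline {
    [CmdletBinding()]
    param(
        # Both cache locations named on the slides.
        [string[]]$CachePath = @(
            (Join-Path $env:ProgramData 'CitrixCseCache'),
            (Join-Path $env:ProgramData 'Citrix\GroupPolicy')
        ),
        [string]$PolicyKey = 'HKLM:\Software\Policies\Citrix'
    )

    # 1. CSE version: file version of CitrixCseEngine.exe in the component directory.
    $roots  = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $engine = foreach ($root in $roots) {
        $exe = Join-Path $root 'Citrix\Group Policy\Client-Side Extension\CitrixCseEngine.exe'
        if (Test-Path -LiteralPath $exe) {
            [pscustomobject]@{
                Path    = $exe
                Version = (Get-Item -LiteralPath $exe).VersionInfo.FileVersion
            }
        }
    }

    # 2. GPF files with size and age. Zero-length files are flagged,
    #    since CTX130116 (listed under Resources) concerns 0kb gpf files.
    $gpf = foreach ($dir in $CachePath) {
        if (Test-Path -LiteralPath $dir) {
            Get-ChildItem -LiteralPath $dir -Filter '*.gpf' -File -Recurse -ErrorAction SilentlyContinue |
                Select-Object FullName, Length, LastWriteTime,
                    @{ Name = 'ZeroByte'; Expression = { $_.Length -eq 0 } }
        }
    }

    # 3. Resultant policy registry keys: the per-computer root and every
    #    subkey below it (the per-session keys live under the same root).
    $keys = @()
    if (Test-Path -LiteralPath $PolicyKey) {
        $keys += @(Get-Item -LiteralPath $PolicyKey)
        $keys += @(Get-ChildItem -LiteralPath $PolicyKey -Recurse -ErrorAction SilentlyContinue)
    }

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        Collected    = Get-Date
        CseEngine    = @($engine)
        GpfFiles     = @($gpf)
        RegistryKeys = @($keys | Select-Object Name, ValueCount, SubKeyCount)
    }
}

# Usage: save the baseline for later comparison, then list any empty GPF files.
$baseline = Get-CitrixPolicyBaseline
$baseline | Export-Clixml -Path (Join-Path $env:TEMP "CitrixPolicyBaseline-$env:COMPUTERNAME.xml")
$baseline.GpfFiles | Where-Object { $_.ZeroByte } | Format-Table FullName, LastWriteTime -AutoSize
```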

Troubleshooting Tools - CtxCseUtil: Citrix RSOP Report Tool

Creates resultant set of policies report containing user settings, computer or both

Can be run locally or remotely against a server or VDA

Converts RSOP.gpf to HTML report

End user has to have logged in at some point

End user doesn’t have to be actively logged in

Troubleshooting Tools - CtxCseUtil: Common Errors

Typical error when first run…

Solution: Run WinRm QuickConfig

Troubleshooting Tools - CtxCseUtil: Common Errors

Help Message.docx

Possible using Local Administrator Account?

Troubleshooting Tools - CtxCseUtil

Once run, resultant report is: CitrixRsopResult.html

Resultant Report - CitrixRsopResult.html

Citrix Group Policy PowerShell Module: Citrix.GroupPolicy.Commands.psm1

Module containing cmdlets for Citrix Policies
• Local, Farm or Active Directory

Needs to be imported via PowerShell prompt

Contains cmdlets to:
• Set or Get Citrix policy settings
• Export or Import Citrix policy objects

Policy Details Imported\Exported:
• Policy Settings
• Configuration Details
• Filters

Citrix Group Policy PowerShell Module: Exporting Farm Policies

GET-COMMAND output

Citrix Group Policy PowerShell Module: Exporting Farm Policies

Export the policies

Once completed, these are your files

Citrix Group Policy PowerShell Module: Exporting Citrix Policies from Active Directory

Use the same PowerShell Module and cmdlets

Connect to Active Directory GPO via New-PSDrive cmdlet

See CTX140039 for the details

CDFControl: CDF Tracing Tool


Farm\Studio Policy Issue

Farm policies stored in a single object

Likely related to corrupt policy

Error seen when accessing policies

Don’t restore datastore\database

Contact Citrix Technical Support

Maintain an updated policy export!!

WMI Related Issues: Reconnect Issues

If using WMI Filters on AD GPOs, might see reconnect issues
• Citrix policies not applying for reconnected sessions
• Logins\Reconnects taking long time to occur (does the issue resolve itself after some time?)

Enable Microsoft Group Policy logging:
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics\
  "GPSvcDebugLevel"=dword:00030002

Log file will be in:
• %WINDIR%\debug\usermode\gpsvc.log
• If you see FilterCheck: Evaluate returned error. hr=0x80041069, AD is timing out on WMI call

Look in Event Viewer as well for WMI errors
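The logging steps on this slide, scripted as an added example (not code from the webinar or from Microsoft). It assumes an elevated Windows PowerShell 3.0 or later prompt and that gpsvc.log is UTF-16 text; the three function names are made up for this example.

```powershell
# Added example (not from the webinar). Function names are hypothetical.
$DiagKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics'
$GpsvcLog = Join-Path $env:windir 'debug\usermode\gpsvc.log'

function Enable-GpsvcDebugLog {
    # Create the Diagnostics key if it is missing, then set the value from the slide.
    if (-not (Test-Path -LiteralPath $DiagKey)) {
        New-Item -Path $DiagKey -Force | Out-Null
    }
    New-ItemProperty -Path $DiagKey -Name 'GPSvcDebugLevel' -PropertyType DWord `
        -Value 0x00030002 -Force | Out-Null

    # Make sure the log folder exists so the log can be written.
    $dir = Split-Path -Parent $GpsvcLog
    if (-not (Test-Path -LiteralPath $dir)) {
        New-Item -ItemType Directory -Path $dir | Out-Null
    }
}

function Disable-GpsvcDebugLog {
    # Verbose logging is for troubleshooting only; remove the value afterwards.
    Remove-ItemProperty -Path $DiagKey -Name 'GPSvcDebugLevel' -ErrorAction SilentlyContinue
}

function Find-WmiFilterTimeout {
    param([string]$Path = $GpsvcLog)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "No log at $Path (is GPSvcDebugLevel set, and has policy refreshed since?)"
        return
    }
    # Assumption: gpsvc.log is UTF-16 (Unicode) encoded.
    # 0x80041069 is the result code the slide associates with the WMI call timing out.
    Select-String -LiteralPath $Path -Encoding Unicode -SimpleMatch -Pattern 'hr=0x80041069' |
        Select-Object LineNumber, Line
}

# Usage, in order:
#   Enable-GpsvcDebugLog
#   gpupdate /force            # or reproduce the slow login\reconnect
#   $hits = @(Find-WmiFilterTimeout)
#   "{0} WMI filter timeout(s) logged" -f $hits.Count
#   $hits | Format-Table -AutoSize -Wrap
#   Disable-GpsvcDebugLog
```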


Takeaways

Architecture and files related to Citrix Group Policy

How Citrix policies apply during user login (computer too)

Recommended practices

Troubleshooting methods and tools

Documenting and backing up your policies is important!!

Resources: Links related to Citrix Group Policy

Resources: Citrix Documentation Links

Citrix Product Documentation Site (eDocs)

Manage Citrix Policies (XenDesktop\XenApp 7.5)

Working with Citrix Policies (XenApp 6.5)

Policy Settings Reference (XenApp 6.5)

Resources

CTX140268 - Citrix policy settings not being displayed properly in newer Citrix Group Policy Management Console

CTX127611 - How Citrix IMA Policies fit in to Microsoft GPO Processing and Precedence Model

CTX138537 – HRP02 for Citrix XenApp 6.5 (for DisableGPCalculation setting)

CTX130116 - Case Study: Unable to Apply Citrix Policies because of 0kb gpf Files

CTX134081 - Planning Guide - Citrix XenApp and XenDesktop Policies

Resources: Group Policy Tools

CTX140267 - Updated Citrix Group Policy PowerShell Module

CTX138533 - Citrix Policy Reporter - RSOP CtxCseUtil Tool

CTX140039 - How to Import and Export Policies in XenApp 6.x

CTX111961 – CDFControl

CTX130147 – Citrix Scout

MS TechNet – Group Policy Cmdlets for PowerShell

MS TechNet Blog – Enabling Group Policy Logging using RSAT


Questions and Wrap-Up


Questions?
