In the previous post which you can find here I covered the Citrix Computer Policies you needed to apply to your XenApp application servers in order for them to pick up licenses from your designated Citrix license server. You can also read how I created separate GPOs for ease of management and troubleshooting here. In this post I am going to cover the application and management of both Citrix User and Computer policies.
Just to refresh your memory for this environment the WindowsServers GPO contains Windows Server policies, WindowsUsers contains Windows User policies, XenAppServers contains Citrix Server policies and finally XenAppUsers contains Citrix user policies.
In turn all four GPOs are applied to the Active Directory OU in which you should have placed your Xenapp Application servers.
While it won’t matter in this scenario as it is a small test environment I would also recommend disabling user configuration settings for the WindowsServers and XenAppServers GPOs. You won’t (or at least shouldn’t) be creating user policies in either GPO. Changing this setting will speed up their implementation at login time and improve the user experience. (Believe me if you ever work in Citrix Administration user login times will become the bane of your existence)
It can be changed under the Details tab of both the WindowsServers and XenAppServers GPOs.
Note: You don’t want to disable Computer configuration for the WindowsUsers and and XenAppUsers GPOs as this would prevent Group Policy Loopback Processing from occurring. As you can see below loopback processing is a Computer Policy so if it was disabled the GPOs would not get applied for users of the environment.
The next most important advice I can give you regarding Citrix Policy implementation is READ EVERYTHING you can get your hands on. A good place to start is the Planning Guide – Citrix XenApp and XenDesktop Policies which can be found on the Citrix Website at http://support.citrix.com/article/CTX134081
From my earlier posts you should already know how to enable Citrix Policies in their respective GPOs be it XenAppServers or XenAppUsers. Remember you can only access the Citrix Policy Plugin in Group Policy manager from a XenApp Application Server.
We will start with XenAppServers, open Group Policy Manager from one of your XenApp Application Servers, right click and edit.
Under Group Policy Management Editor you will be able to access the Citrix Policies Plugin (again only if you are accessing from an existing XenApp Application
Server). As we are editing the XenAppServer GPO we will access the Citrix Policies Plugin under Computer Configuration.
You can see under the summary tab the existing policies that have been implemented
to pick up the Citrix License Server
Under the settings tab you can see a list of the currently applied Citrix Computer Policies by clicking on Active Settings on the left side of the window. On the left you can also see all the available policies listed via category.
Clicking on a policy heading on the left will give you a list of available policies to be applied and some information on what the policy in question does underneath. I would recommend taking your time to read the descriptions and understand what it is the policies do.
If you decide to apply a given policy click on add on the right hand side of your desired policy.
You will then see a window similar to the below, it will give you the available options of allowing or prohibiting a policy along with a description of the policy underneath in the help section. Once you have made your choice click OK or cancel if don’t want to enable the policy.
In the top half of the policy editor you will see the Unfiltered option. This is a standard out of the box setting and essentially means that all the policies enabled will be applied to the server if it is in the correct OU covered by your GPO.
By clicking on New… you will be prompted with a Wizard to create a set of policies which can be applied to a XenApp Application Server based on a filter rather than its location in an OU.
Similarly to the instructions above you can go through the available policies and choose the ones you require by clicking add before continuing on to the next step of the wizard.
On the next step of the wizard you can choose your Filter. As we are working with XenApp rather than XenDesktop the only filter we can use for Citrix Computer Policy Filtering in this scenario is Worker Group.
To digress slightly a Worker Group is a logical grouping of XenApp Servers that you can create in Citrix AppCentre by right clicking on the Worker Groups folder and clicking on Create worker group.
You can then give your Worker Group a relevant name and description and click on Add.. on the bottom left to add the XenApp Application Servers you want the filtered set of policies to apply to.
When you choose the Farm Servers option as per the screen shot above and click on Add.. you will be presented with your server list. You can add specific servers or all of them as your case requires. Once you have chosen your required servers click on ok
Now that you have created your worker group we can go back to applying the Worker Group Filter. In the Policy wizard click on Add to the right of the Worker Group Filter option.
You will then need to add the Filter by clicking on Add.. (appropriately enough)
As you will most likely want the filter to apply to servers in the Worker Group leave the default Mode Allow and leave ‘Enable this filter element’ ticked. Then browse for the worker group you have created.
You will see my imaginatively named Work Group test, your Worker Group will appear here once you have created it. Choose the appropriate one and click OK.
Now it is just a case of flowing the Policy Wizard through to its conclusion. You will then see the policy filter you created in the list below Unfiltered.
With regards to using a Filter for Citrix Computer Policies as above: if you have a subset of XenApp Application Servers that need additional policies I prefer to create a Sub-OU underneath the XenApp Servers OU as below and add the required XenApp Application Servers into it.
I would then create a Sub-GPO and apply whatever additional Citrix Computer Policies were required and allow Group Policy Inheritance to take care of it for me.
Again this is a personal choice as I just find it easier to troubleshoot and figure out what’s happening this way when something goes wrong. You may wonder why I showed you the whole procedure if I don’t use it?
I find Worker Group Filtering useful if you have a particular XenApp Application server or servers that you do not want your Citrix Computer polices applied to but at the same time you do not want to remove it from the XenServers OU. You can then use the filtering procedure above to allow or deny the required policies. Other people may be different but I rarely if ever have had to have a XenApp Application server which requires my regular set of unfiltered policies denied to it unless I am testing or troubleshooting a problem.
The procedure for enabling Citrix User policies is practically identical to the above. Remember as you are now going to be adding and enabling Citrix user policy you will need to edit the XenAppUsers GPO.
Click on the Citrix Policies Plugin underneath User Configuration, as with the Citrix Computer Policies you will see the summary of Policies already applied.
Underneath the settings tab you can see the Active settings and choose from the policy sub headings on the left hand pane. As per my advice for the Citrix Computer Policies I would recommend going through the policies and understanding the ones you would like to apply. You can read about them in the Citrix documentation and the help section for each policy gives a useful synopsis
When you want to add a Citrix User policy click on Add on the right hand side of the policy.
As before you will see your available options for the policy, click ok to enable it or cancel if you change your mind and do not want to apply it.
The wizard for filtering policies is also pretty much identical, as with the computer policies click on New…
The main difference to the Citrix Computer Policy are the filtering options. You can read the various filtering options in the help section at the bottom of the wizard similarly to the policy help section.
For Citrix User policies the most common Filter I would use would be the User or Group for XenApp Farm Administrators. You do not want the more restrictive Citrix User policies affecting administrative staff or super users. Once you click add next to the filter you can then browse for an Active Directory Group of your choice.
Unlike with Citrix Computer Policies I would use Filtering quite a bit for Citrix User Policies. Mainly for the reason that there will always be users with different requirements as far as policy is concerned. For example some users may have a requirement to map their local client drives in the Citrix environment to access certain files and folders while it may be preferable to lock down this setting for other users.
I do not use GPOs in this case as I do not want to apply any Citrix related GPOs to the OUs of users who may also be logging into regular desktops. Using filtering allows me to granularly apply policies to users of the XenApp environment while not having any effect on settings outside it.
For both your Citrix User and Computer Policies you can then set the priority of the policies you have created by clicking on your chosen option and choosing the higher or lower option.
The documentation from Citrix below explains policy priority:
In a nutshell if set a filter to deny a policy configuration to a XenApp Server or User make sure you increase its priority. If the Unfiltered Policy is left at number 1 priority and the settings conflict with a Policy Filter you have created then the highest priority will always win.
You will have noticed I have not been as specific in my instructions for this post on Citrix Policy as I have been for previous posts. The reason for that is that I don’t believe anyone should blindly apply policies (be it Citrix or Windows) without first making the effort to understand what they are doing. I hope that the post above gives you the know how to play around with the settings and fully understand what the policies do and how they are applied.
For information on what policies to apply read the documentation already mentioned. Also have a read of this blog entry on creating a baseline policy. http://blogs.citrix.com/2012/07/26/citrix-policies-creating-a-baseline-policy/
I also found this blog post by Alexander Ervik really useful. http://www.ervik.as/citrix/xenapp/3920-citrix-policies-best-practices-for-xenapp-6-5-and-xendesktop-5-6 (He is also worth following on Twitter @ervik)
Again I can’t stress enough that Citrix policy implementation is very individual and can change from environment to environment so the best advice I can give you is read as much as you can and make an informed choice. The power is in your hands!