Issue 1
Applies to:
- XenDesktop 5 through 5.6 Feature Pack 1 (Windows XP virtual desktops only)
- XenDesktop 7 (legacy Windows XP virtual desktops only)
Citrix machine policies (located under the Computer Configuration node in the Group Policy Management Console) are not applied as expected when using the Group Policy Management Console Security Filtering mechanism to apply policies to specific user groups, virtual desktop groups, or individual virtual desktops.
Note: This issue does not occur if you are using the Group Policy Management Console Security Filtering mechanism to apply policies to individual users or if you use the default Authenticated Users group for filtering.
Background
If you are using the Group Policy Management Console to create and apply Citrix policies, Machine policies are not applied if you create filters using the built-in Security Filtering mechanism.
Example:
Complete the following steps to create a new Group Policy Object called TestGPO and apply policies for that GPO to a single user and single virtual desktop:
1. Open the Group Policy Management Console and create a new GPO called TestGPO.
2. On the Scope tab, remove the default Authenticated Users group and any other entries in the Security Filtering pane.
3. Add new entries for both the user account and virtual desktop to which you want the policies to apply in the Security Filtering pane.
4. Create two Citrix policies: one under the Computer Configuration node and one under the User Configuration node, and add a number of settings to each policy.
5. Start a connection to the virtual desktop and log on using the user account you specified in Step 3.
When you open Registry Editor and browse to the Citrix folder, located in HKEY_LOCAL_MACHINE\Software\Policies, only the user policy has been applied.
Caution! Refer to the Disclaimer at the end of this article before using Registry Editor.
Implications
If you use the Group Policy Management Console Security Filtering mechanism to define filters for Citrix Machine policies, those policies are not applied as expected. This might result in users gaining access to functionality you did not intend.
Resolution
As a workaround, you can create machine policies using Desktop Studio and apply those policies to specific user groups, virtual desktop groups, or individual virtual desktops with specific desktop tags, using the built-in Citrix filters provided.
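To find GPOs whose Security Filtering matches the conditions described for Issue 1, the following PowerShell sketch classifies the "Apply group policy" trustees of a GPO. It is an added example, not Citrix code: the function name `Get-SecurityFilterFinding` and the sample trustees are constructed for illustration, and it inspects filtering only, so you still need to confirm that a flagged GPO actually carries a Citrix machine policy.

```powershell
# Added example (not Citrix code): classify a GPO's Security Filtering entries
# against the Issue 1 conditions. Function name and sample data are hypothetical.
$AuthenticatedUsersSid = 'S-1-5-11'   # well-known SID for Authenticated Users

function Get-SecurityFilterFinding {
    param(
        [Parameter(Mandatory)] [string]   $GpoName,
        [Parameter(Mandatory)] [object[]] $Permissions
    )
    # Security Filtering entries are the trustees allowed "Apply group policy".
    $apply = @($Permissions | Where-Object {
        "$($_.Permission)" -eq 'GpoApply' -and -not $_.Denied })
    $hasAuthUsers = [bool]($apply | Where-Object {
        "$($_.Trustee.Sid)" -eq $AuthenticatedUsersSid })
    # Issue 1 is reported for groups and individual virtual desktops
    # (computer accounts), not for individual user accounts.
    $risky = @($apply | Where-Object {
        "$($_.Trustee.SidType)" -in 'Group', 'Computer' })
    [pscustomobject]@{
        Gpo                    = $GpoName
        AuthenticatedUsers     = $hasAuthUsers
        GroupOrComputerFilters = ($risky | ForEach-Object { $_.Trustee.Name }) -join ', '
        MatchesIssue1Pattern   = (-not $hasAuthUsers) -and ($risky.Count -gt 0)
    }
}

# Constructed sample shaped like Get-GPPermission output for the TestGPO example:
# one user and one virtual desktop in Security Filtering, Authenticated Users removed.
$sample = @(
    [pscustomobject]@{ Permission = 'GpoApply'; Denied = $false
        Trustee = [pscustomobject]@{ Name = 'user1'; SidType = 'User'
            Sid = 'S-1-5-21-1111-2222-3333-1104' } }
    [pscustomobject]@{ Permission = 'GpoApply'; Denied = $false
        Trustee = [pscustomobject]@{ Name = 'VDA01$'; SidType = 'Computer'
            Sid = 'S-1-5-21-1111-2222-3333-1105' } }
    [pscustomobject]@{ Permission = 'GpoEditDeleteModifySecurity'; Denied = $false
        Trustee = [pscustomobject]@{ Name = 'Domain Admins'; SidType = 'Group'
            Sid = 'S-1-5-21-1111-2222-3333-512' } }
)
Get-SecurityFilterFinding -GpoName 'TestGPO' -Permissions $sample

# Live use on a machine with the GroupPolicy module (GPMC/RSAT) installed:
# Get-GPO -All | ForEach-Object {
#     Get-SecurityFilterFinding -GpoName $_.DisplayName `
#         -Permissions (Get-GPPermission -Guid $_.Id -All)
# } | Where-Object MatchesIssue1Pattern
```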
Issue 2
Applies to XenDesktop 5 only.
You cannot configure an Active Directory computer policy for a GPO that already has a Citrix machine policy configured.
This issue occurs only when you create and configure Citrix machine policies before configuring Active Directory policies for the same GPO. It also occurs regardless of the method you use to create and configure Active Directory policies. Other management tools, besides the Group Policy Management Console, are affected.
Note: Citrix testing indicates that if you configure at least one setting for an Active Directory computer policy before configuring a Citrix machine policy, this issue does not occur.
Background
If you set up a GPO and configure a Citrix machine policy for that GPO, and attempt to configure an Active Directory computer policy for the same GPO, you receive an error message. You can cancel the error message and continue to add settings to the Active Directory policy. Any Active Directory policy settings you add to the GPO, however, are not applied.
Note: Other management tools might display either a different error or no error at all. Any Active Directory settings you add to the GPO, however, are not applied.
Example:
You create a new GPO called TestGPO and configure a Citrix machine policy for that GPO.
Complete the following steps to configure a new Active Directory policy for TestGPO to apply in conjunction with the settings configured for the existing Citrix machine policy:
1. Open the Group Policy Management Console and create a new GPO called TestGPO.
2. Create a new Citrix machine policy and add a number of settings to that policy.
3. Open the Group Policy Object Editor and in the left pane, expand Administrative Templates.
4. Add a new setting, for example, Configure Automatic Updates under Components\Windows Update.
5. Save the policy and click Continue to close the error message dialog box that appears.
In Group Policy Editor, the setting is shown as being configured. When you return to the Group Policy Management Console, and select the Settings tab for the Active Directory policy you created, the setting is not shown as being configured. When you apply the policy to TestGPO, the setting is not applied.
Implications
If you attempt to configure an Active Directory policy for a GPO that has a Citrix machine policy configured, the new settings in the Active Directory policy are not applied to that GPO. This might lead to specific Windows security settings failing to apply to a GPO. If you fail to check the list of applicable settings for the Active Directory policy in the Group Policy Management Console, you might assume that those settings are applied through the GPO when, in fact, they are not.
Resolution
As a workaround, do one of the following tasks:
Create and configure the Active Directory policy settings before you create and configure a Citrix machine policy for a GPO.
Or
Create a dedicated GPO to configure Citrix machine policies.
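The check recommended under Implications for Issue 2 (confirming that the settings you saved are really listed for the GPO) can be scripted against the GPO's XML report instead of the Settings tab. This is an added example, not Citrix code: the function name `Get-MissingComputerSetting` is hypothetical and the report below is a constructed, simplified sample showing the symptom.

```powershell
# Added example (not Citrix code): list expected Computer Configuration settings
# that are absent from a GPO report. Function name and sample XML are hypothetical.
function Get-MissingComputerSetting {
    param(
        [Parameter(Mandatory)] [string]   $ReportXml,
        [Parameter(Mandatory)] [string[]] $ExpectedSetting
    )
    $doc = [xml]$ReportXml
    # local-name() sidesteps the per-extension XML namespaces used in GPO reports.
    $xpath = "//*[local-name()='Computer']//*[local-name()='Policy']" +
             "/*[local-name()='Name']"
    $present = @($doc.SelectNodes($xpath) | ForEach-Object { $_.InnerText.Trim() })
    # Return the expected settings that the report does not list.
    @($ExpectedSetting | Where-Object { $_ -notin $present })
}

# Constructed, simplified report for TestGPO: the Computer section carries no
# Administrative Templates policy even though one was saved in the editor.
$sampleReport = @'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>TestGPO</Name>
  <Computer>
    <Enabled>true</Enabled>
  </Computer>
  <User>
    <Enabled>true</Enabled>
  </User>
</GPO>
'@

$missing = Get-MissingComputerSetting -ReportXml $sampleReport `
    -ExpectedSetting 'Configure Automatic Updates'
if ($missing) {
    Write-Warning ("Not present in the GPO report: " + ($missing -join ', '))
}

# Live use on a machine with the GroupPolicy module (GPMC/RSAT) installed:
# $xml = Get-GPOReport -Name 'TestGPO' -ReportType Xml
# Get-MissingComputerSetting -ReportXml $xml -ExpectedSetting 'Configure Automatic Updates'
```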