Logon Mode of a XenApp 6.x Server Reverts to "Allowed"

Article ID: CTX134641

Description

When the Logon Mode of a XenApp 6.x server is changed from Enabled (default) to Disabled, the change is effective only for a short period of time. Eventually, the mode reverts to Enabled or Allowed.

Background

When you run a CHANGE LOGON /QUERY command on the server, the message “Connections are currently ENABLED by Group Policy for this machine, unable to change.” appears.

XenApp uses a secondary mechanism, based on the datastore, to disable logon sessions. When you disable logon sessions through a XenApp management console, the console disables the server from load balancing according to the mode selected. Run the QFARM /LOAD command to view this behavior.

When the next policy is processed, XenApp inherits the value stored in the computer registry, which the registry gets from the GPO that allows connections. Run the QFARM /LOAD command; it displays the Logon Mode of AllowLogons.

In this configuration, RDP connections to the server continue to succeed consistently. This is because the XenApp management console cannot modify the Windows logon mode. XenApp can only affect load balancing.

Resolution

Workaround

Do not use Group Policy to enable Remote Desktop Connections. You can enable the connections either by using the Remote Desktop options in the System Properties of the server (Start > Run > sysdm.cpl > Remote tab), or by using a custom ADM template to set the registry value fDenyTSConnections, as described in Microsoft Article ID: 2083411, "Remote Desktop sessions may be disconnected during Group Policy updates in Windows Server 2008".

Problem Cause

If you use a Microsoft Group Policy Object (GPO) to enable Remote Desktop Session Host connections, then the logon mode is re-enabled when the next policy is processed.

Note: The policy is processed by default every 90 minutes, or manually through GPUPDATE.

When the next policy is processed, XenApp inherits the value stored in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections. The registry key gets the value from the GPO that allows connections.
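
One way to check a server for this condition, as an added example (not Citrix or Microsoft code). It reads the policy value named above; the local settings key under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server and the helper name Get-DenyTSValue are assumptions that do not come from this article.

```powershell
# Added example: report whether a GPO-delivered fDenyTSConnections value is present.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'  # path from this article
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'           # assumption: local (non-policy) setting

function Get-DenyTSValue {
    param([string]$Path)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name 'fDenyTSConnections' -ErrorAction SilentlyContinue
    if ($null -ne $item) { [int]$item.fDenyTSConnections } else { $null }
}

$policy = Get-DenyTSValue -Path $policyKey
$local  = Get-DenyTSValue -Path $localKey

if ($null -eq $policy) {
    Write-Output 'No policy value present: Group Policy is not controlling Remote Desktop connections.'
    if ($null -ne $local) { Write-Output "Local setting: fDenyTSConnections=$local" }
}
elseif ($policy -eq 0) {
    # 0 = connections allowed. This is the case the article describes.
    Write-Output 'Policy value fDenyTSConnections=0: connections are ENABLED by Group Policy.'
    Write-Output 'A Disabled logon mode set in the XenApp console reverts at the next policy refresh.'
}
else {
    Write-Output "Policy value fDenyTSConnections=$policy is set by Group Policy (connections denied)."
}

# Built-in view of the same state; prints the message quoted in the Background section
# when a GPO is enforcing the setting.
change logon /query

# List the GPOs applied to the computer to find the one delivering the value (run elevated).
gpresult /r /scope computer
```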

Additional Information

Microsoft Article ID: 2083411 Remote Desktop sessions may be disconnected during Group Policy updates in Windows Server 2008
Group Policy Settings for Remote Desktop Services in Windows Server 2008 R2
CTX133933 – XenApp 6.x Logon Sessions are Repeatedly Disabled