When the Logon Mode of XenApp 6.x server is changed from Enabled (default) to Disabled, it is effective only for a short period of time. Eventually, the mode reverts to Enabled or Allowed.

Background

When you run a CHANGE LOGON /QUERY command on the server, the message “Connections are currently ENABLED by Group Policy for this machine, unable to change.” appears.

XenApp uses a secondary mechanism to disable logon sessions using the datastore. When you disable logon sessions through a XenApp management console, the console disables the server from load balancing according to the mode selected. Run the QFARM /LOAD command, to view this behavior:

When the next policy is processed, XenApp inherits the value stored in the computer registry, which the registry gets from the GPO that allows connections.
Run the QFARM /LOAD command; it displays the Logon Mode of AllowLogons:

In this configuration, it can consistently connect using the RDP. This is because the XenApp management console cannot modify the Windows logon mode. XenApp can only affect load balancing.

Workaround

Problem Cause

If you use a Microsoft Group Policy Object (GPO) to enable Remote Desktop Session Host connections as shown in the following screen shot, then the logon mode is re-enabled when the next policy is processed:
Note: The policy is processed by default every 90 minutes, or manually through GPUPDATE.



When the next policy is processed, XenApp inherits the value stored in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections. The registry key gets the value from the GPO that allows connections.

Microsoft Article ID: 2083411 Remote Desktop sessions may be disconnected during Group Policy updates in Windows Server 2008
Group Policy Settings for Remote Desktop Services in Windows Server 2008 R2
CTX133933 – XenApp 6.x Logon Sessions are Repeatedly Disabled