When the Logon Mode of XenApp 6.x server is changed from Enabled (default) to Disabled, it is effective only for a short period of time. Eventually, the mode reverts to Enabled or Allowed.
When you run a CHANGE LOGON /QUERY command on the server, the message “Connections are currently ENABLED by Group Policy for this machine, unable to change.” appears.
XenApp uses a secondary mechanism to disable logon sessions using the datastore. When you disable logon sessions through a XenApp management console, the console disables the server from load balancing according to the mode selected. Run the QFARM /LOAD command, to view this behavior:
When the next policy is processed, XenApp inherits the value stored in the computer registry, which the registry gets from the GPO that allows connections.
Run the QFARM /LOAD command; it displays the Logon Mode of AllowLogons:
In this configuration, it can consistently connect using the RDP. This is because the XenApp management console cannot modify the Windows logon mode. XenApp can only affect load balancing.
If you use a Microsoft Group Policy Object (GPO) to enable Remote Desktop Session Host connections as shown in the following screen shot, then the logon mode is re-enabled when the next policy is processed:
Note: The policy is processed by default every 90 minutes, or manually through GPUPDATE.
When the next policy is processed, XenApp inherits the value stored in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections. The registry key gets the value from the GPO that allows connections.