AD Group Policy vs Citrix Policies

Posted on 2013-10-18
Medium Priority
Last Modified: 2013-11-05
Does anyone have input on using windows group policy vs Citrix policies.  I am specifically looking for information on which one is better for performance in XenApp 6.5.  Will using one over the other affect performance (ex:logins) ?  I did some research on my own and did not finding anything on it.  I was thinking that performance would be the same whichever one you use but wanted to reach out to the experts to get some input.  Please let me know what you think.
Question by:WestCoastbound
LVL 45

Expert Comment

ID: 39583347
My citrix admin regularly asked me to create GPO for Citrix requirement. So, If you ask me from my experience. GPO is the answer. However, you can explore Citrix policy as well, as it is from same vendor.

Author Comment

ID: 39583372
hi Amit,

thanks for your response, but I am just wondering if one strategy is better for performance.  For example, will logons be faster if you just use Citrix Policies or does is not make a difference which one you choose.
LVL 45

Expert Comment

ID: 39583425
I haven't explored citrix policy, so cannot comment on the performance part. However, you can setup one test lab and test it. I hardly think you will get the performance issue.
LVL 10

Expert Comment

by:Casey Herman
ID: 39583771
To be completely honest.. I had all my policies in Citrix GPO at one point. Once you do this things will start to come to a screeching halt. Mainly printers assigned via citrix policy were the problem.

We have 120 different printer polices for all our remote sites.  Plus the config polices for the servers themselves.

At first it was ok as we added more and more polices we started to have policy related issues.  

So I highly recommend if you are using a lot of polices to do 90% of them within windows GPO.  

You can use the Citrix ADM plugins to get to the citrix polices (IE assign printers).  

USB drive polices and drive map through polices you can do in appcenter.

Drive mappings and such I would still use windows GPO..

Just my 2 cents

LVL 37

Accepted Solution

Carl Webster earned 2000 total points
ID: 39599014
This will be the typical "consultant" answer: It Depends.

In some places, the Citrix Admins will not have access to AD so they cannot use AD based policies.  Also, there are places that forbid the use of GPOs because of the change management overhead.

IMA based policies will usually be under the control of the Citrix admins and usually have no change control mgmt. (unfortunately).

I did some work for a place where they had over 1000 GPOs JUST for assigning printers!!!

As far as login times, MANY MANY things can affect login times.  I have seen badly written computer startup scripts, user login scripts, printer policies, GPOs with many hundreds of settings, improperly created mandatory profiles, bad folder redirection policies - you name it I have seen it.  They all can negatively impact login times.

YOU are the only one who can fix this.  YOU have to understand what is involved when a user logs in.

AD based policies will be under the replication control of AD and FRS or DFS-R and will have multiple retrieval sources (i.e. the policies exist on more than one domain controller in SYSVOL).

IMA Based policies are cached in the Local Host Cache file on every XenApp Server.  If the data store becomes unavailable, users will still get the IMA based policies.

Have you seen these from Citrix:



Also, if you use any of the settings on the Remote Desktop Services Profile tab in Active Directory Users & Computers, you disable logon optimization and will revert back to legacy logon handling.

Like I said, there are LOTS of things that impact a user's logon experience besides whether to use AD or IMA based policy.

Featured Post

Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

I’m willing to make a bet that your organization stores sensitive data in your Windows File Servers; files and folders that you really don’t want making it into the wrong hands.
Seizing the Operation Master Roles in Windows Server 2016 in case of FSMO holder failure.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

600 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question