Solved

Citrix policies priorities

Posted on 2015-01-15
5
398 Views
Last Modified: 2015-01-21
I have done some readings about Citrix policies, but I believe from one version to another there is difference.

-- Regarding Citrix policies , it is been always the lower priority wins , example policy 0 overrides policy 1, policy 1 overrides policy 2
and it is still the same for newer versions of Citrix. Correct ?

-- Regarding citrix policies applied through Active Directory GPMC. It used to be an import of a citrix .adm template to AD templates. in recent versions of Citrix, I believe Citrix will install GPMC during Xenapp install. So, does that mean there is no need to import .adm template to Active Directory.

-- Now if I import the citrix .adm template to Active Directory(GPMC) and configure policy settings there OR I configure a policy in GPMC that is included with CItrix Xenapp install OR I configure a policy using policy console that is in Xenapp Appcenter  console... which of the policy settings will override the other ?

Thank you

--
0
Comment
Question by:jskfan
  • 2
  • 2
5 Comments
 
LVL 36

Assisted Solution

by:Carl Webster
Carl Webster earned 334 total points
ID: 40551054
http://support.citrix.com/proddocs/topic/xenapp-xendesktop-76/xad-policies-article.html
http://support.citrix.com/proddocs/topic/xenapp-xendesktop-76/xad-policies-intro.html
http://support.citrix.com/proddocs/topic/xenapp-xendesktop-76/xad-policies-prioritize-model.html

"Policy processing order and precedence

Group policy settings are processed in the following order:
1.Local GPO
2.XenApp or XenDesktop Site GPO (stored in the Site database)
3.Site-level GPOs
4.Domain-level GPOs
5.Organizational Units

However, if a conflict occurs, policy settings that are processed last can overwrite those that are processed earlier. This means that policy settings take precedence in the following order:
1.Organizational Units
2.Domain-level GPOs
3.Site-level GPOs
4.XenApp or XenDesktop Site GPO (stored in the Site database)
5.Local GPO
"

"You prioritize policies by giving them different priority numbers in Studio. By default, new policies are given the lowest priority. If policy settings conflict, a policy with a higher priority (a priority number of 1 is the highest) overrides a policy with a lower priority. Settings are merged according to priority and the setting's condition; for example, whether the setting is disabled or enabled. Any disabled setting overrides a lower-ranked setting that is enabled. Policy settings that are not configured are ignored and do not override the settings of lower-ranked settings. "

The only ADM template I know of that was imported was the ICAClient.adm file.

If you wanted to manage Citrix policies within AD (Citrix preference) you had to install the Citrix Group Policy Management module onto a computer, server or Domain Controller.
0
 

Author Comment

by:jskfan
ID: 40551177
so in newer version, the highest priority policy wins ?
install the Citrix Group Policy Management module
where do you get that from ?
Which policy wins the one applied through GPMC or the one applied straight from Appcenter ?
0
 
LVL 36

Accepted Solution

by:
Carl Webster earned 334 total points
ID: 40551193
That is explained in the previous post.  Anything done thru GPMC is an AD policy so it would be a Site, Domain or OU policy based on what level in AD you linked it.

Local GPO is applied first
XD or XA farm/site policy is applied next
AD policies are applied next

XA or XD policies override local policies
Site level AD policies override XA or XD policies
Domain level AD policies override Site policies
OU policies override Domain policies (except for some password settings & depending on DFL and FFL)

The Citrix GP mgmt module is on the install media.

x64\Citrix Policy\CitrixGroupPolicyManagement_x64.msi or
x86\Citrix Policy\CitrixGroupPolicyManagement_x86.msi
0
 
LVL 3

Assisted Solution

by:Barry Molenwijk
Barry Molenwijk earned 166 total points
ID: 40551308
Within the Citrix policies themselves, as far as I know, lowest priority still wins. It is however true that a setting configured in a Citrix policy will be overruled by a Domain GPO if a conflict occurs.
0
 

Author Closing Comment

by:jskfan
ID: 40563424
Thanks
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

937 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now