Solved

Citrix policies priorities

Posted on 2015-01-15
5
387 Views
Last Modified: 2015-01-21
I have done some readings about Citrix policies, but I believe from one version to another there is difference.

-- Regarding Citrix policies , it is been always the lower priority wins , example policy 0 overrides policy 1, policy 1 overrides policy 2
and it is still the same for newer versions of Citrix. Correct ?

-- Regarding citrix policies applied through Active Directory GPMC. It used to be an import of a citrix .adm template to AD templates. in recent versions of Citrix, I believe Citrix will install GPMC during Xenapp install. So, does that mean there is no need to import .adm template to Active Directory.

-- Now if I import the citrix .adm template to Active Directory(GPMC) and configure policy settings there OR I configure a policy in GPMC that is included with CItrix Xenapp install OR I configure a policy using policy console that is in Xenapp Appcenter  console... which of the policy settings will override the other ?

Thank you

--
0
Comment
Question by:jskfan
  • 2
  • 2
5 Comments
 
LVL 36

Assisted Solution

by:Carl Webster
Carl Webster earned 334 total points
Comment Utility
http://support.citrix.com/proddocs/topic/xenapp-xendesktop-76/xad-policies-article.html
http://support.citrix.com/proddocs/topic/xenapp-xendesktop-76/xad-policies-intro.html
http://support.citrix.com/proddocs/topic/xenapp-xendesktop-76/xad-policies-prioritize-model.html

"Policy processing order and precedence

Group policy settings are processed in the following order:
1.Local GPO
2.XenApp or XenDesktop Site GPO (stored in the Site database)
3.Site-level GPOs
4.Domain-level GPOs
5.Organizational Units

However, if a conflict occurs, policy settings that are processed last can overwrite those that are processed earlier. This means that policy settings take precedence in the following order:
1.Organizational Units
2.Domain-level GPOs
3.Site-level GPOs
4.XenApp or XenDesktop Site GPO (stored in the Site database)
5.Local GPO
"

"You prioritize policies by giving them different priority numbers in Studio. By default, new policies are given the lowest priority. If policy settings conflict, a policy with a higher priority (a priority number of 1 is the highest) overrides a policy with a lower priority. Settings are merged according to priority and the setting's condition; for example, whether the setting is disabled or enabled. Any disabled setting overrides a lower-ranked setting that is enabled. Policy settings that are not configured are ignored and do not override the settings of lower-ranked settings. "

The only ADM template I know of that was imported was the ICAClient.adm file.

If you wanted to manage Citrix policies within AD (Citrix preference) you had to install the Citrix Group Policy Management module onto a computer, server or Domain Controller.
0
 

Author Comment

by:jskfan
Comment Utility
so in newer version, the highest priority policy wins ?
install the Citrix Group Policy Management module
where do you get that from ?
Which policy wins the one applied through GPMC or the one applied straight from Appcenter ?
0
 
LVL 36

Accepted Solution

by:
Carl Webster earned 334 total points
Comment Utility
That is explained in the previous post.  Anything done thru GPMC is an AD policy so it would be a Site, Domain or OU policy based on what level in AD you linked it.

Local GPO is applied first
XD or XA farm/site policy is applied next
AD policies are applied next

XA or XD policies override local policies
Site level AD policies override XA or XD policies
Domain level AD policies override Site policies
OU policies override Domain policies (except for some password settings & depending on DFL and FFL)

The Citrix GP mgmt module is on the install media.

x64\Citrix Policy\CitrixGroupPolicyManagement_x64.msi or
x86\Citrix Policy\CitrixGroupPolicyManagement_x86.msi
0
 
LVL 3

Assisted Solution

by:Barry Molenwijk
Barry Molenwijk earned 166 total points
Comment Utility
Within the Citrix policies themselves, as far as I know, lowest priority still wins. It is however true that a setting configured in a Citrix policy will be overruled by a Domain GPO if a conflict occurs.
0
 

Author Closing Comment

by:jskfan
Comment Utility
Thanks
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

At the beginning of the year, the IT world was taken hostage by the shareholders of LogMeIn. Their free product, which had been free for ten years, all of the sudden became a "pay" product. Now, I am the first person who will say that software maker…
Resolve DNS query failed errors for Exchange
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now