Solved

Citrix policies priorities

Posted on 2015-01-15
5
439 Views
Last Modified: 2015-01-21
I have done some readings about Citrix policies, but I believe from one version to another there is difference.

-- Regarding Citrix policies , it is been always the lower priority wins , example policy 0 overrides policy 1, policy 1 overrides policy 2
and it is still the same for newer versions of Citrix. Correct ?

-- Regarding citrix policies applied through Active Directory GPMC. It used to be an import of a citrix .adm template to AD templates. in recent versions of Citrix, I believe Citrix will install GPMC during Xenapp install. So, does that mean there is no need to import .adm template to Active Directory.

-- Now if I import the citrix .adm template to Active Directory(GPMC) and configure policy settings there OR I configure a policy in GPMC that is included with CItrix Xenapp install OR I configure a policy using policy console that is in Xenapp Appcenter  console... which of the policy settings will override the other ?

Thank you

--
0
Comment
Question by:jskfan
  • 2
  • 2
5 Comments
 
LVL 36

Assisted Solution

by:Carl Webster
Carl Webster earned 334 total points
ID: 40551054
http://support.citrix.com/proddocs/topic/xenapp-xendesktop-76/xad-policies-article.html
http://support.citrix.com/proddocs/topic/xenapp-xendesktop-76/xad-policies-intro.html
http://support.citrix.com/proddocs/topic/xenapp-xendesktop-76/xad-policies-prioritize-model.html

"Policy processing order and precedence

Group policy settings are processed in the following order:
1.Local GPO
2.XenApp or XenDesktop Site GPO (stored in the Site database)
3.Site-level GPOs
4.Domain-level GPOs
5.Organizational Units

However, if a conflict occurs, policy settings that are processed last can overwrite those that are processed earlier. This means that policy settings take precedence in the following order:
1.Organizational Units
2.Domain-level GPOs
3.Site-level GPOs
4.XenApp or XenDesktop Site GPO (stored in the Site database)
5.Local GPO
"

"You prioritize policies by giving them different priority numbers in Studio. By default, new policies are given the lowest priority. If policy settings conflict, a policy with a higher priority (a priority number of 1 is the highest) overrides a policy with a lower priority. Settings are merged according to priority and the setting's condition; for example, whether the setting is disabled or enabled. Any disabled setting overrides a lower-ranked setting that is enabled. Policy settings that are not configured are ignored and do not override the settings of lower-ranked settings. "

The only ADM template I know of that was imported was the ICAClient.adm file.

If you wanted to manage Citrix policies within AD (Citrix preference) you had to install the Citrix Group Policy Management module onto a computer, server or Domain Controller.
0
 

Author Comment

by:jskfan
ID: 40551177
so in newer version, the highest priority policy wins ?
install the Citrix Group Policy Management module
where do you get that from ?
Which policy wins the one applied through GPMC or the one applied straight from Appcenter ?
0
 
LVL 36

Accepted Solution

by:
Carl Webster earned 334 total points
ID: 40551193
That is explained in the previous post.  Anything done thru GPMC is an AD policy so it would be a Site, Domain or OU policy based on what level in AD you linked it.

Local GPO is applied first
XD or XA farm/site policy is applied next
AD policies are applied next

XA or XD policies override local policies
Site level AD policies override XA or XD policies
Domain level AD policies override Site policies
OU policies override Domain policies (except for some password settings & depending on DFL and FFL)

The Citrix GP mgmt module is on the install media.

x64\Citrix Policy\CitrixGroupPolicyManagement_x64.msi or
x86\Citrix Policy\CitrixGroupPolicyManagement_x86.msi
0
 
LVL 3

Assisted Solution

by:Barry Molenwijk
Barry Molenwijk earned 166 total points
ID: 40551308
Within the Citrix policies themselves, as far as I know, lowest priority still wins. It is however true that a setting configured in a Citrix policy will be overruled by a Domain GPO if a conflict occurs.
0
 

Author Closing Comment

by:jskfan
ID: 40563424
Thanks
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
In-place Upgrading Dirsync to Azure AD Connect
How to install and configure Citrix XenApp 6.5 - Part 1. In this video tutorial we have explained step by step installation of Citrix XenApp 6.5 Server on Windows Server 2008 R2 is explained in this video. We have explained the difference between…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

838 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question