1. Automation & Troubleshooting of Citrix Group Policy for XenApp & XenDesktop 7.x
Architecture using Windows PowerShell
Peter Brown
Hello everyone. Welcome to “Automation & Troubleshooting of Citrix Group Policy for XenApp & XenDesktop 7.x – Architecture, using Windows PowerShell. My name is Peter Brown and I’m a Senior Escalation Engineer and have been with Citrix for just over 4 years. I’m part of the Global Escalation Team that handles various complex issues for both XenApp and XenDesktop.
Group Policy can be one of those areas that can create a significant business impact to your environment, especially if you experience issues with it.
Senior Escalation Engineer
May 2015

2. Agenda
Citrix Group Policy Architecture Recommended Practices Troubleshooting Tools Citrix Group Policy PowerShell Module Managing with PowerShell Troubleshooting with PowerShell
In this session, we’re going to review
Citrix Group Policy Architecture
Recommended Practices
Troubleshooting Tools
Citrix Group Policy PowerShell Module
Managing Citrix GPO using PowerShell
Troubleshooting Citrix GPO with PowerShell

3. Citrix Group Policy Architecture
Overview of Citrix Group Policy and Components

4. Local Group Policies Citrix Site Policies Active Directory Policies
Terminology
Local Group Policies Citrix Site Policies Active Directory Policies
Let’s establish a baseline for some of the terminology we’ll be using today:
First, you can set Citrix policies via local group policies
Each server and workstation has a single group policy object and Citrix policies can be set here
Next, we have Citrix Site policies
These are also referred to as IMA or Farm policies
They are set using Studio
And are stored in the Site database
Lastly, we can set Citrix policies via Active Directory Policies
Set via Site, Domain or OU GPO’s
Stored in Active Directory
This allows for single GPO object to contain both Microsoft & Citrix policies
Managed via Group Policy Management Console (GPMC)
However, for todays presentation, I’ll be focusing on the Site and Active Directory method since these are the most common

5. Processing & Precedence of RSOP
RSOP will have
Processing
Precedence
CDM = Enabled
Active Directory OU GPO
Active Directory Domain GPO
Active Directory Site GPO
Citrix Site Policies
Next, it’s important to understand the processing and precedence order for policies. This is the order that the GPO’s are reviewed for applicable policy settings.
Here are the available GPO types where we can place Citrix policy Settings beginning with local policies
This is the processing order in which each GPO type is analyzed for applicable policy settings
Now the precedence order is opposite of this, meaning that policy settings in the higher GPO will win when there’s a conflict in settings
For example: say you have Client Drive Mapping enabled via a Citrix Policy in AD
Whereas in the local GPO you have it Prohibited, while processing policy settings, we’ll see both settings,
Due to the precedence order, the resultant set of policies will contain the winning setting from the AD GPO
Local Policies
CDM = Disabled

6. Policy Filters / Object Assignments
Allows granular control of Citrix policies
Filters policy settings based on certain criteria
Different options based on the policy type
Can’t be applied to the default Unfiltered policy
Next, let’s review the Citrix Policy Filters or now known as Object Assignments
Filters or Object Assignments allow for granular control of policy settings
Allows filtering based on certain criteria, for instance:
Workstations coming from a certain IP range
Specific Users or Groups
Or connections coming thru your external Netscaler
The available filters vary based on whether you are dealing with a Computer or User policy
The filters can be used with any policy set with the exception of the “Unfiltered” default policy

7. Unfiltered Policy & Templates
Default Unfiltered policy (no settings)
Applies to all objects
Can be disabled if not needed (Set to lowest priority)
Pre-configured policy templates
Created for various criteria
Policies created can be saved as templates
Let’s review our default policy information along with the built-in templates
There’s a default unfiltered policy that’s empty
Policy settings you add to the Unfiltered policy apply to all related objects in the site
The unfiltered policy can be disabled if needed (if you disable the Unfiltered policy move it to the lowest priority)
By default there are pre-configured policy templates in place
Templates have been created for different criteria such as session connectivity, experience, security, etc.
In addition, once you create your own polices, they can be saved as templates. This is a good backup method, but this shouldn’t be your only one. We’ll show another method later in the session.

8. Citrix Group Policy Client Side Extension
Also referred to as Citrix CSE (CitrixCseClient.dll) Loaded via Microsoft Winlogon process Generates policy requests (Computer/User) Retrieves values to determine policy filter calculation Forwards policy requests to Citrix Caching Service
The second major component to understand is the Citrix Group Policy Client Side Extension
I’ll refer to this from here on out as the Citrix CSE, this is separate from the MS CSE, and loaded via this DLL
This component is initialized by the Winlogon process (for both Computer and User accounts)
Is responsible for generating the policy requests for both policy types (User & Computer)
It will also retrieve certain aspects of the Computer or User connection, this is needed to see if any object assignments will be leveraged
This component also forwards policy requests to the caching service

9. Citrix Group Policy Caching Service
Citrix Group Policy Engine service (CitrixCseEngine), part of Citrix CSE Performs the Citrix policy calculation and writes settings to the registry Caches Group Policy files between calculations
Let’s look at our Caching service
Initialized via the CitrixCseEngine process which runs as a service, it’s a part of the Citrix Client Side Extension
It handles the policy calculation in addition to writing the resultant settings to the registry
It also caches the Site/AD GPO objects to optimize the policy application processing

10. Citrix Group Policy Data Files
Per-Computer and Per-User resultant Citrix policy settings end up in separate RSOP.gpf files
Each RSOP.gpf file is used to create policy registry settings under:
Per-Computer → HKLM\Software\Policies\Citrix
Per-User → HKLM\Software\Policies\Citrix\<SessionID>\User
Let’s review what data files Citrix Group Policy uses:
First, we have the resultant set of policies file, known as RSOP.gpf, and exists separately per-computer and per-user
The binary files are located separately based on type and the RSOP.gpf file is parsed into registry settings and applied to the proper location depending on the policy type (Per-computer or Per-user)
NOTE: the Session ID section highlighted here is critical for user policy application on XenApp servers.

11. Citrix Group Policy Update Intervals
For Citrix Site policies setup via Studio:
Policies for Computer and Users (logged in) refresh every 90 minutes
For Citrix Policies set via AD GPO:
Leverage AD refresh interval (default is 90 minutes +\- a random offset of minutes)
Refresh interval can be customized & set via AD GPO
For either method:
Computer Policies update at machine startup
User Policies update during a reconnect to an active or disconnected session
Policies can be updated manually by running: gpupdate /force
Here are some details surrounding policy refresh intervals, there are some differences to be aware of
For policies setup in Studio
Computer and logged on User policies will refresh every 90 minutes
For AD GPO’s
The refresh interval is typically every 90 minutes plus or minus a random offset of 0-30 minutes
This update interval can also be set via AD GPO
For either method
Computer policies will update at machine startup
User policies will refresh during login or reconnection to an active or disconnected session
You can also manually update the policies by issuing gpupdate /force (this is helpful when you modify policies and want them to refresh quicker)

12. User Policy Application (Similar for Computer Startup)
WinLogon
Client Side Extensions
Resultant
Policy
RSOP.GPF AD
GPO
Microsoft CSE
Citrix CSE
Site
GPO
Citrix CSE
Precedence Order
Local server Registry
Now that we’ve reviewed the components and files involved in Citrix Group Policy, I want to tie this altogether for you by showing you how Citrix Group Policies are applied when a user logs in. NOTE, this process is similar for when a computer starts up.
Here we have an end user ready to log in
Once the user logs in, the Microsoft Winlogon process starts up
Then it loads the available Client Side Extensions
This includes not only the Microsoft policy extension, but the Citrix one as well. From this point I’ll focus on the Citrix CSE
Citrix CSE starts to process the policies and the local GPO’s are processed first
Then CSE process the Site policies
Then lastly CSE processes the Active Directory policies
Now the precedence order is just the opposite of our processing order (so Active Directory policies take precedence over Site policies and so on), using this precedence order and any policy filters involved, a resultant set of policies file (RSOP.GPF) is created
This file is then used to make the actual policy settings in the registry (the registry location is based on whether we dealing with Computer or User policies)
Local GPO
HKLM\Software\Polices\Citrix\ (For Server)
-or-
HKLM\Software\Polices\Citrix\<SessionID>\User

13. Citrix Group Policy Management Console
Citrix GPMC - A connector into the Microsoft GPMC (CitrixGPMCConnector.dll) Management of Citrix group policies through Studio or GPMC Allows for Citrix policy modeling/comparison Can be installed separately for standalone use
Another major component we’ll review is the Citrix Group Policy Management Console.
I’ll refer to this component as the Citrix GPMC from here on out, and provides Citrix policy visibility within the Microsoft GPMC and is loaded via this DLL
It allows you to manage Citrix policies with Studio (for Site policies) or the Microsoft GPMC (for AD GPO’s)
This component also allows you to perform modeling or comparison of policy settings
It can be installed on a device for managing policies, requires that GPMC is installed

14. Citrix Group Policy Management - Studio vs. PowerShell
Single Policy Node
Object assignments shown depend on policies settings configured
PowerShell & AD GPOs
Divided into Computer & User policy types
Here we see a Studio screen shot of the policy node from XenApp 7.x. This is a huge difference compared to previous versions.
We see that there's only a single node for the policy objects. There’s no differentiation between computer and user policies within Studio. We take care of that on the backend when determining the resultant set of policies.
Object assignments shown depend on the policies you’ve configured.
The exceptions to this are managing Citrix policies through PowerShell, and AD GPOs via the GPMC.
They are still separated into Computer and User policy types.

15. Recommended Practices - Tips
Based on Citrix Support cases

16. Policy Architecture
Using both Site and AD policies may cause confusion when troubleshooting issues
Use one location or the other depending upon requirements
WMI filters on AD GPO’s containing Citrix policies may cause issues during reconnects (due to WMI/AD timeouts)
Use WMI filters sparingly
Possible mitigation: DisableGPCalculation setting
First, we’ll discuss policy architecture
While it’s fully supported to use both Site and AD policies together, doing so can lead to confusion during troubleshooting or when something is not working properly
If possible, try to use one method or the other based on your requirements and environment
We’ve seen some issues where the use of WMI filters on AD GPO’s (for example, you want to apply the AD GPO to a certain OS), can cause issues during session reconnects. This is due to some issues with the MS API’s used by Terminal Services during a reconnect and AD timing out for WMI calls.
Try to use WMI filters sparingly and if you have to, it maybe possible to prevent issues on session reconnects by using a setting we have, DisableGPCalculation.

17. Policy Documentation For Site applied policies:
Written document\spreadsheet
For Active Directory applied policies:
Use the GPMC Save Report option on your AD GPO
For either of the above:
CtxCseUtil – RSOP reporting tool
Export using Citrix Group Policy PowerShell module
<????> So, how many of you have your Citrix policies documented or even better backed up in a manner you could easily restore them?
<PAUSE> Ok, that’s a good amount of you. Documenting policies is important especially when things go wrong and in the event of a disaster. We’ll review some steps to accomplish this within your environments. Based on how you apply your policies, we have several methods:
For Site policies applied via Studio
It’s best to get them written out say in Excel, etc. You can leverage our Citrix Scout tool to get the settings and filters exported into a CSV format.
For policies applied via Active Directory
Use the GPMC and select the Save Report option on your GPOs, this will create a HTML report (NOTE: this needs to be done a device with both the MS and Citrix GPMC installed)
For either of the methods:
There’s the CtxCseUtil, which will generate resultant set of policy reports
We also have a PowerShell module that contains cmdlets to export and import Citrix Group Policies (the export cmdlet is great since this gives you a snapshot of your policies that can be imported later)

18. What Not To Do!
To prevent Citrix Group Policy consistency issues, don’t manually manipulate/remove any of the Citrix Group Policy data on your own
This includes files/folders or reg entries under:
%PROGRAMDATA%\Citrix\GroupPolicy\<SessionID>
%PROGRAMDATA%\Citrix\GroupPolicy
HKLM\Software\Policies\Citrix\<SessionID>
HKLM\Software\Policies\Citrix
Only under the direction of Citrix Technical Support
There are certain actions, that if taken, can cause group policy consistency issues. Group Policy issues are some of the more difficult to troubleshoot and you may not even know you’re having an issue until it’s too late. So here are some things you shouldn’t do:
Unless instructed by someone from Citrix Technical Support, don’t manually manipulate any of the Citrix Group Policy files\folders\registry areas
This includes these areas which relate to the policy cache and resultant registry areas. These areas are tightly linked together, so altering any one area can have negative effects.
There is a certain use case where we might ask you to clear these areas out, but only do it under the direction of Citrix Technical Support.

19. Troubleshooting Citrix Group Policy

20. Recommended Approach Know your Baseline\Collect the Details
Determine Versions
Policy Cache
GPF Files
RSOP Registry Settings
When troubleshooting Citrix group policy issues, we have a recommended troubleshooting path. These steps will help you isolate the issue or in case you need to contact Citrix Technical Support for assistance, you’re going to have the information ready to go and help expedite the resolution process.
I’ll be covering these steps in greater detail in the upcoming slides

21. Baseline and Collect Details – The Four W’s
Make sure you can answer the following:
Who is seeing the issue?
What issue are they seeing?
Chicago
The best starting point when troubleshooting Citrix group policy issues is to know what the desired policy settings are for the given scenario, so knowing you’re baseline configuration is key.
Then to isolate the issue further, make sure you can answer these four questions.
Who is seeing the issue, are there specific users in a separate office, or all users?
What issue is being seen, are they getting client drives mapped when they shouldn’t be or vice versa
Miami
Tokyo

22. Baseline and Collect Details – The Four W’s
Make sure you can answer the following:
Who is seeing the issue?
What issue are they seeing?
When are they seeing the issue?
Where are they seeing the issue?
New Session?
Reconnecting?
Smooth Roaming?
All of the Above?
When are they seeing the issue. For new sessions, reconnecting, smooth roaming or maybe all of those?
Lastly, where are they seeing the issue? Are they working remotely and connecting through your Netscaler?
Are they working in the corporate office that does not traverse a Netscaler or other appliance, etc.??

23. Determine Component Versions
Controller
What version of the components am I running??
VDA
The next step in the process is to be sure you know what version of components you are dealing with.
Now looking at this screen shot of Add/Remove Programs, we only see the core 7.6 install of the related VDA and no group Policy components
So what version am I really at?? The best method to confirm the versions is to check the individual components.
In order to do that, we need to look at two components of the environment:
The Controller or computer where Studio is installed
The VDA where the actual policy processing occurs
Our Citrix Scout tool does collect the version information of the Citrix Group Policy components as I’ve highlighted in this Scout example for both a Controller and a VDA.

24. Determine Component Versions – CSE
Look in the component directory on VDA Check CitrixCseEngine.exe
So let’s take a look at getting the CSE version.
You can look in the component directory on the VDA
Here’s the path to the CSE, you can right click on the CitrixCseEngine executable, which is the primary CSE binary
And going to the Details tab will show you this is version 2.4

25. Determine Component Versions - GPMC
Now to determine the Citrix GPMC version, we can do the same thing:
We go to the components directory on the Controller as I’ve referenced here and we can right click on the main binary
And we get the version here, in this v2.4

26. Product Versions - Reference
XA / XD Version
Citrix GPMC
Citrix CSE
7.1
2.1
7.5
2.2
7.6
2.4
Here’s a reference chart to show the base versions for our core XenApp & XenDesktop 7.x Citrix CSE & GPMC.
Please keep in mind that there may be higher available versions for the components in the future.
You can review these on our support site and you’d likely be asked to upgrade if you’re having issues

27. RSOP Registry Settings – Per Computer
HKLM\Software\Policies\Citrix
Now, let’s review what’s stored in the registry for Citrix Group Policies
Here we see the core location for the per-computer settings
The various sets of Computer policies usually are contained in sub keys
Here we see the Graphics and ICA policy settings
Looking at the values, we can see the final resultant policy settings, NOTE: we have references on our e-docs site to match up a registry value to the policy in question

28. RSOP Registry Settings – Per User & Connection Information
HKLM\Software\Policies\Citrix\<SessionID>
Now we should review the per-user RSOP settings in the registry, especially if there’s some issue with a policy applying (or not applying)
Here we see the core location for the per-user settings
For the per-user registry area, we need to go into the sub-key noted with the SessionID which we get from QUSER, Task Manager, or Director, in this example we go want to investigate Session 2
Here are two sub-keys of interest, the Events key contains a last Update time of the policy settings whereas the Evidence key contains details of the connection itself (things like Client IP, Client Name, etc.)
Under the User sub-key we get the various groups of GPO’s and their settings

29. Additional Troubleshooting Tools - CtxCseUtil
Creates resultant set of policies report containing user settings, computer or both
Converts RSOP.gpf to HTML report
Can be run locally or remotely against a server VDA or desktop VDA
End user has to have logged in at some point
End user doesn’t have to be actively logged in
Report created in folder with CTXCseUtil.exe and named CitrixRsopResult.html
CTXCseUtil is a Citrix tool that can create RSOP polices reports containing the applicable settings
It translates the RSOP files into a html report
It can be run locally or remotely against a server or desktop VDA
The end user has to have logged in at some point
But they don’t have to be actively logged in at the time the report’s generated
Once you run CtxCseUtil, the resultant report will be created in the same folder. The file name is CitrixRsopResult.html

30. CDFControl
At some point you might need or be asked to capture a CDF trace of your policy issue and our latest CDFControl tool is a great way to expedite this process.
Here we see that CDFControl already has a built in trace category for capturing Citrix Group Policy issues
Zooming in, we can capture all modules, just the CSE or GPMC. If there’s a need to contact Citrix Technical Support, having a clear snapshot of the issue and details involved will expedite the resolution process.
Speaking of contacting support…..

31. …here’s a free offering to help keep your Citrix environment running well.
Over 400 plugins that detect various conditions and offer prescriptive advice. New ones added every week.
Previously known as Tools as a Service (TaaS).
Visit the Citrix Insight Services Team in the Expo Hall at the “Ask the Experts” booth to learn more and receive a free gift (while supplies last)

32. Citrix Group Policy PowerShell Module

33. Overview
Module containing cmdlets for Citrix Policies Must be imported to be used Included in Scout Included on Controllers Can be installed separately
The Citrix group policy PowerShell module is powerful tool that contains cmdlets for managing all types of Citrix policies for Local, Site or AD locations
The module is not built-in and needs to be imported to be used in PowerShell.
Conveniently, it’s included in Scout
Scout is installed by default on XA/XD 7.x Controllers.
Like Studio, it can be installed separately on an administrative machine

34. Importing the PowerShell Module
So let’s walk thru importing the PowerShell module to manage our Site policies
Here’s the filename and location of the Citrix Group Policy PowerShell module included in Scout as part of the default installation of a Controller. To get the latest version of the PowerShell module, download Scout from the Citrix Support website.
If you attempt to import the module and get the following screen, you can either press R, to run it, or you can Unblock the script prior to importing it.
You can unblock it by going to the general properties of the module file itself and click “Unblock”.

35. Importing the PowerShell Module
Here’s the confirmation response that the module has been imported successfully.
Once loaded, we can use the Get-Command to see the available functions. We can also use the Get-Help command on any of these functions for more details.

36. PowerShell Drive (PSDrive)
Defined: A mapping between a PowerShell provider and resource
One critical concept for dealing with Citrix Group Policies within PowerShell is the PSDrive.
PSDrives or PowerShell drives are mappings between a provider and resource (akin to mapping network drives)
Using Get-PSDrive, you can see that ENV is mapped to the Environment provider
Getting a listing of the ENV: mapping, you can see that these are the standard environment variables

37. PSDrive Mappings
New-PSDrive –name Site –psprovider CitrixGroupPolicy –root \ -controller LocalHost
After importing the Citrix Group Policy module, regardless of the location of your policies (Site or AD), you need to map a PSDrive to their location.
Notice that when you execute a Get-PSDrive command after importing the module, it lists LocalGPO & Templates. Here, LocalGPO is referring to the local machine’s GPO, and Templates are the templates available in the Site database.
In this example, we’ll work with Site based policies and execute the following command to map it when running on a site Controller.
New-PSDrive -Name Site -PSProvider CitrixGroupPolicy -Root \ -Controller localhost
Here’s the confirmation that the PSDrive is now mapped
If you’re not on a Controller for your Site, change the controller target (localhost) to the name of a Controller for your site.

38. Managing Citrix Group Policy with PowerShell

39. Be consistent in your management approach
Recommendations
Perspective
Single Pane for Policies in Studio
PowerShell or AD GPO still have Computer & User types
Be consistent in your management approach
Something my dad always told me was “Perspective – Either use it or you lose it”. This is applicable when managing Citrix policies with PowerShell or AD compared to Studio
Remember with Studio, we have a single pane for Policies for both Computer & User policies types. This is accomplished through what’s defined as policy merging
Keep in mind that PowerShell & AD GPO policies are still separated into User & Computer policy types
Because of policy merging, it’s important to be consistent in your approach to policy management. If you start with AD policy management or PowerShell policy management, then stick with it for consistency of perspective. Remember, it’s not recommended to combine using AD based policies with Studio based policies because this can make things overly complex, and troubleshooting very difficult.
Remember to back up your policies prior to making any changes
Back up your policies prior to making any changes

40. MergedPriority property
Policy Merging
MergedPriority property
MergedPriority is one of the Citrix policy properties seen in PowerShell
Here are the Computer type policies and their priority and merged priority
Here are the User type policies and their priority and merged priority
The Pub Apps Graphics policy only has computer settings and therefore only shows with the computer policies.
Notice that the Unfiltered Policy for the user policies has differing Priority & Merged Priority counts.
So, Priority is the processing priority given for the policies. The Merged Priority property is the priority as seen in Studio. Keep this in mind when comparing policy priority differences between Studio & PowerShell perspectives.

41. Creating Policies from Templates
Get-CtxGroupPolicy –policyname “Hi-Def Experience” –drivename Site
Let’s review creating policies from templates with PowerShell:
LS Templates:\ | Select TemplateName,Type
Let’s use the policy template for the “High_Definition_User_Experience”
Notice the type seen is “Both”, that means it has both Computer & User policy components.
That means we’ll need to copy the policy from the Templates PSDrive into both the User & Computer of our Site PSDrive:
Copy-item Templates:\High_Definition_User_Experience Site:\User\”Hi-Def Experience”
Copy-item Templates:\High_Definition_User_Experience Site:\Computer\”Hi-Def Experience”
And to review the results
Get-CtxGroupPolicy –PolicyName “Hi-Def Experience” –DriveName Site
We now have a new policy based on the Template settings ready to be modified and assigned to objects.

42. Exporting / Importing Policies
We’ve got cmdlets in the PowerShell module for exporting and importing Citrix GPOs.
This makes backing up and restoring Citrix policies a very quick process.
So let’s say we have a new Site that’s freshly built, and we want to replicate the policies from a different site.
Once we’ve imported the PowerShell module, and created the PSDrive to the source Site, then we create the folder to place the exported policies
And run the following: Export-CtxGroupPolicy –DriveName SourceFarm C:\ExportedGPOs
Note the source Drivename and FolderPath
Here are the files that are created in your export target path

43. Exporting / Importing Policies
Copy the exported policy files to the target Controller
Alternative Options
Then, we copy the exported files onto the target Controller and import them into the target Site after mapping
Import-CtxGroupPolicy –DriveName TargetFarm C:\ExportedGPOs
Now we’ve replicated the policy settings, from source site to the target site. Now to finalize the configuration and apply the settings to the proper filters if you don’t have the same AD groups, Delivery Group names, etc.
Alternative options: Should the account you sign onto the source Controller have Administrative permissions in BOTH sites, simply map multiple PS drives (one to the SourceFarm, and the other to the Target farm) and copy the policies with Copy-Item, or import the polices that you’ve exported.

44. Changing Policy Locations
Export the policies from the Site
Map a PSDrive to the Active Directory GPO
New-PSDrive -Name <DomainGPODrv> -PSProvider CitrixGroupPolicy -Root \ - DomainGPO <DomainGPO>
Note: The target GPO must already exist in the Active Directory domain
Note: Replace <DomainGPODrv> with the name of the new PSDrive being created and replace <DomainGPO> with the display name of the Active Directory GPO
Import-CtxGroupPolicy <PathToExportFolder> -DriveName <DomainGPODrv>
See CTX for the details
Say we want to change our policy location from Site to Active Directory. To do this we do the following:
Export the policies from the site (as seen previously)
Map the PSDrive to the target AD GPO using the following command:
Please note that the target GPO MUST already exist in Active Directory
Please note that you must use the display name of the Active Directory GPO previously created
Then, we import the exported policies we want into the AD GPO.
We have all of the steps in this Citrix Support article (CTX140039, but keep in mind that it’s for XA 6.5, and you’ll have to map the PSDrive to the proper location (AD or Site)

45. Changing Policies with PowerShell
Back up your policies prior to any manipulation of them
Multiple methods
Set-CTXGroupPolicyConfiguration
Browse into the Policy path & set the property you want to change
Remember to backup your policies prior to any changes you may make
There are multiple methods to change the settings of policies via PowerShell
You can use the cmdlet Set-CTXGroupPolicyConfiguration included in the PowerShell module or
You can navigate the PSDrive mapping into the policy path and set the property you want to change.
Here’s an example of changing the item properties:
So we’re going to look at the ICA configuration path of the HiDef Policy, for policy settings with clip in the name (for “clipboard”)
And we’re specifically looking at the ReadonlyClipboard setting. Here, it’s at the default “NotConfigured” state

46. Changing Policies with PowerShell
Set-ItemProperty ‘.\User\HiDef Policy\Settings\ICA\ReadonlyClipboard ‘ -Name State –Value “Enabled”
Then we execute the following command against the ReadOnlyClipboard to change the property State value from the default of NotConfigured to Enabled
Here we see that now it’s state is now enabled
And it’s also enabled now in Studio

47. Troubleshooting Citrix Group Policy with PowerShell

48. Reviewing What Policy Settings Are Configured
Use Get-CtxGroupPolicy cmdlet to list the policies
Shows both User & Computer policy types
Use Get-CtxGroupPolicyConfiguration to list the properties
Use the –ConfiguredOnly switch
To review the policies configured in the Site, use Get-CtxGroupPolicy to list the policies
This cmdlet will show both user & computer policy types for all policies.
From there you can focus in on a specific policy (User, Computer or combined) with the Get-CtxGroupPolicyConfiguration.
Use the –ConfiguredOnly switch to shorten the output
To view the data this way, you’ll want to pipe the output to Format-List to see all the properties & values set.

49. Setting The Unfiltered Policy To Be First or Last
Back up your policies prior to any manipulation of them
To set Unfiltered policy to the highest priority:
Set-CtxGroupPolicy –DriveName Farm –PolicyName Unfiltered –Type Computer –Priority 1
Set-CtxGroupPolicy –DriveName Farm –PolicyName Unfiltered –Type User –Priority 1
To set Unfiltered policy to the lowest priority:
Use the Count property of the list of policies of the specific types
Set-CtxGroupPolicy –DriveName Farm –PolicyName Unfiltered –Type Computer –Priority (Get-CtxGroupPolicy –DriveName Farm –Type Computer).count
Set-CtxGroupPolicy –DriveName Farm –PolicyName Unfiltered –Type User –Priority (Get- CtxGroupPolicy –DriveName Farm –Type User).count
Remember to backup your policies prior to any manipulation of them
So depending on your policy design, you can either prefer to have your Unfiltered policy either the highest priority, or the lowest.
Either way, setting its priority is very quick with PowerShell.
To set it as the highest, we’ll just run the following:
Set-CtxGroupPolicy –DriveName Farm –PolicyName Unfiltered –Type Computer –Priority 1
Set-CtxGroupPolicy –DriveName Farm –PolicyName Unfiltered –Type User –Priority 1
Now, suppose we have 10 different User policies, and 12, Computer policies configured. Here’s a simple way to get it to always be the last/lowest:
Set-CtxGroupPolicy –DriveName Farm –PolicyName Unfiltered –Type Computer –Priority ((Get-CtxGroupPolicy –DriveName Farm –Type Computer).count)
Set-CtxGroupPolicy –DriveName Farm –PolicyName Unfiltered –Type User –Priority ((Get-CtxGroupPolicy –DriveName Farm –Type User).count)

50. Getting LastUpdate & Connection Information For A Session
Let’s say you need to get the LastUpdate information for Farm Policies for a XenApp user on Session 2
In order to do that, we need to review the Evidence & LastUpdate entries under HKLM\SOFTWARE\Policies\Citrix\2.
Remember mapping the PSDrive for the Farm policies? With PowerShell, interacting with the registry is the same.
In this example we’re on the Session Host, and here are our default PSDrives list. Notice that for HKCU & HKLM the Provider is Registry
So now we’ll look at the Evidence key to get the Client Name & IP address by executing this command:
Get-ItemProperty HKLM:\Software\Policies\Citrix\2\Evidence
And here’s we’ll review the Events key to get the LastUpdate information
Get-ItemProperty HKLM:\Software\Policies\Citrix\2\Events

51. In Review
Citrix Group Policy Architecture Recommended Practices Troubleshooting Tools Citrix Group Policy PowerShell Module Managing & Troubleshooting Citrix GPO via PowerShell
Throughout this session we
Reviewed the Citrix Group Policy Architecture
Discussed Recommended Practices for Citrix GPO use
Listed some available troubleshooting tools
Looked at the Citrix Group Policy PowerShell Module
Examined the Managing & Troubleshooting of Citrix Group Policy with PowerShell
Citrix Group Policy was more extensively covered in a previous Synergy session SYN406 from That specific presentation is included in the Resources section at the end of this presentation.

52. Questions?

53. Before you leave… Recommend related breakout session
SYN411: Successfully Migrating your farm to XenApp 7.6
Conference Surveys are available online at starting Thursday, May 14 at 9:00 a.m.
Those who provide feedback by 6pm, Friday, May 15th will receive:
$20 Amazon e-gift card
Name entered in a drawing for a free Trip to Synergy 2016 (5 chances)
Download presentations starting Monday May, 18th from the My Event Planning tool
SYN411: Successfully Migrating your farm to XenApp 7.6
Conference Surveys available starting Thursday May 14th at 9 AM at
Provide feedback by 6pm on Friday & get a $20 Amazon e-gift card & 5 chances for a free trip to Synergy next year.
Starting Monday May 18th, presentations will be downloadable from the My Event Planning tool.

54. Resources Links related to Citrix Group Policy
This section contains references, articles and links to tools that referenced & discussed during the presentation.

55. Resources Citrix Product Documentation Site (eDocs)
Citrix Documentation Links
Citrix Product Documentation Site (eDocs)
PowerShell cmdlet help
Migrate from XA 6.x -> XA/XD 7.x
Policy settings not imported
Synergy 2014
SYN406 – Citrix Group Policy Troubleshooting for XenApp & XenDesktop
Here are some links for Group Policy Documentation
PowerShell cmdlet help:
Migration from XA 6.5 to 7.6, and moving/import/export policies
Synergy 2014 – SYN406 – Citrix Group Policy Troubleshooting for XenApp & XenDesktop
SlideShare -
CitrixTV -

56. References CTX128625 - How to Import and Export Policies in XenApp 6.x
CTX Citrix Policy Reporter - RSOP CtxCseUtil Tool
CTX – Citrix Scout
CTX – CDFControl
CTX – Merging of User and Computer Policies in XenDesktop
CTX Error: "Changes made to policies outside of this console, such as in PowerShell..."
MS TechNet Blog – Enabling Group Policy Logging using RSAT