Thursday, November 8, 2012

How to: Apply Active Directory Group Policy to Citrix XenApp servers


This may seem straightforward, but it's taken some time to get this to work like a charm.

Scenario:

XenApp (XA) 6.x farm with multiple servers. You have settings that need to be applied to the servers as well as settings for Users.

This is how I configured it. I came to this conclusion because Group Policy wasn't applying the correct Intranet Zone sites in Internet Explorer (although the same settings worked flawlessly on their desktop).

1.  Create and move all servers to an OU containing XA Servers only.

XenApp Computer object location

my.company.com
  |
  |__ Computer Accounts
        |
        |__ XenApp
              |
              |- XENAPP01
              |- XENAPP02
              |- XENAPP03

Therefore: OU=XenApp,OU=Computer Accounts,dc=my,dc=company,dc=com

User Accounts object location

Create or use an existing group containing your users.

my.company.com
  |
  |__ User Accounts
        |
        |__ Location
              |
              |- USER1
              |- USER2
              |- USER3


2.  Create an AD group, e.g. 'All XenApp Servers', containing all your XA servers. This is important to allow the computer configuration settings to apply to the servers.

3.  Three group policies are required.

    A.  Name: Policy XenApp Loopback
        Purpose: Invokes loopback processing
        Settings: Computer Configuration > Policies > Administrative Templates > System > Group Policy
            Policy: User Group Policy loopback processing mode
            Mode: Replace
        GPO Status: User Configuration settings disabled
        Link Order: 3 (Apply this first)

    B.  Name: Policy XenApp Server Configuration
        Purpose: Contains computer configuration settings which will apply to all your XA servers
        Settings: Computer Configuration > As required.
        GPO Status: User Configuration settings disabled
        Links: OU=XenApp,OU=Computer Accounts,dc=my,dc=company,dc=com
        Security Filtering: All XenApp Servers
        Link Order: 2 (Apply second)

    C.  Name: Policy XenApp User Configuration
        Purpose: Contains user configuration settings which will apply to all your XA users
        Settings: User Configuration > As required.
        GPO Status: Computer Configuration settings disabled
        Links: OU=XenApp,OU=Computer Accounts,dc=my,dc=company,dc=com
        Security Filtering: 'All XenApp Users' or Authenticated Users
        Link Order: 1 (Apply last)
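
The three GPOs from step 3 can also be built with the GroupPolicy PowerShell module; the script below is an added example, not part of the original post. It assumes the groups 'All XenApp Servers' and 'All XenApp Users' already exist, that GPO A is linked to the same OU as B and C (the post gives it a link order but no link target), and that Authenticated Users keeps Read (not Apply) on the filtered GPOs so the servers' computer accounts can still read them.

```powershell
Import-Module GroupPolicy

# Names and DNs are the ones used on this page; change them for your domain.
$ou   = 'OU=XenApp,OU=Computer Accounts,DC=my,DC=company,DC=com'
$gpoA = 'Policy XenApp Loopback'
$gpoB = 'Policy XenApp Server Configuration'
$gpoC = 'Policy XenApp User Configuration'

# A. "User Group Policy loopback processing mode" = Replace.
#    The policy is stored as UserPolicyMode (1 = Merge, 2 = Replace).
$a = New-GPO -Name $gpoA
Set-GPRegistryValue -Name $gpoA `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
$a.GpoStatus = 'UserSettingsDisabled'

# B. Computer settings only; C. user settings only.
$b = New-GPO -Name $gpoB
$b.GpoStatus = 'UserSettingsDisabled'
$c = New-GPO -Name $gpoC
$c.GpoStatus = 'ComputerSettingsDisabled'

# Security filtering: the named group gets Apply, and Authenticated Users is
# lowered from Apply to Read (assumption of this example, see the lead-in).
$filters = @(
    @{ Gpo = $gpoB; Group = 'All XenApp Servers' },
    @{ Gpo = $gpoC; Group = 'All XenApp Users' }
)
foreach ($f in $filters) {
    Set-GPPermission -Name $f.Gpo -TargetName $f.Group `
        -TargetType Group -PermissionLevel GpoApply | Out-Null
    Set-GPPermission -Name $f.Gpo -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
}

# Link A, then B, then C, each at order 1. Every new link pushes the earlier
# ones down, so the result is C = 1, B = 2, A = 3 even if the OU already has
# other links below them.
foreach ($name in $gpoA, $gpoB, $gpoC) {
    New-GPLink -Name $name -Target $ou -LinkEnabled Yes -Order 1 | Out-Null
}

# Check: list the links on the OU in link order.
(Get-GPInheritance -Target $ou).GpoLinks |
    Sort-Object Order |
    Format-Table Order, DisplayName, Enabled
```

On a XenApp server, `gpupdate /force` followed by `gpresult /r` shows which of the three GPOs were applied to the computer and to the logged-on user.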


That's it.

:)

JJ