Since Citrix XenApp 6.0 and XenDesktop 5.0 policies are configurable via a new method. As a bonus Citrix made it possible to configure the policies via Group Policy Objects (GPO’s) in Active Directory.
This is especially useful if you want to set Citrix policies unattended, or automated. This way you can use it in a deployment or incorporate it in your own (provisioning) tool.
In this article I’ll explain how you can set Citrix XenApp 6.5 policies in a GPO via a PowerShell script from a remote machine. You can execute the commands from any domain joined machine, there’s no need to execute the script from a Citrix server or Active directory Domain Controller.
Prerequisites
The Citrix policies in a Group Policy Object (GPO) are configured in a custom interface, supplied by Citrix during installation of XenApp 6.5. To configure the policies from PowerShell the XenApp 6.5 PowerShell SDK needs to be installed on the machine where you’ll be executing the script.
The XenApp 6.5 PowerShell SDK can be downloaded here. I found out it is necessary to execute the installer with elevated rights (Run as Administrator), otherwise no dialog where shown.
Secondly you need the PowerShell module Citrix.GroupPolicy.Commands.psm1 (supplied by Citrix) that contains some wrappers around policies. More information about the module can be read here.
Preparation
First we need to load the module (Citrix.GroupPolicy.Commands.psm1) in the PowerShell script so we can use the functions.
#Import module
Import-Module .\Citrix.GroupPolicy.Commands
And add the PowerShell snap-ins from the PowerShell SDK
#Add PowerShell snapins (if necessary)
if ( (Get-PSSnapin -Name Citrix.Common.GroupPolicy -ErrorAction SilentlyContinue) -eq $null ) { Add-PSSnapin Citrix.Common.GroupPolicy }
if ( (Get-PSSnapin -Name Citrix.Common.Commands -ErrorAction SilentlyContinue) -eq $null ) { Add-PSSnapin Citrix.Common.Commands }
if ( (Get-PSSnapin -Name Citrix.XenApp.Commands -ErrorAction SilentlyContinue) -eq $null ) { Add-PSSnapin Citrix.XenApp.Commands }
Now we can connect an object to a Group Policy Object (GPO) to a Windows PowerShell drive.
#Connect PowerShell drive to Citrix domain GPO
New-PSDrive -Name CitrixGPO -PSProvider CitrixGroupPolicy -Root \ -DomainGPO "Citrix GPO"
In this example I connect the Windows PowerShell drive CitrixGPO.to the domain GPO “Citrix GPO”.
NOTE: The examples found in the XenApp 6.5 PowerShell SDK referers to the –FarmGPO setting. This setting connects the Windows PowerShell drive to the policy in the farm (instead of a Active Directory GPO) but can only be used from a Citrix XenApp system, not from a remote machine.
After your done with setting Citrix policies you need to remove the Windows PowerShell drive with this command.
#Close PowerShell Drive from Citrix domain GPO
Remove-PSDrive -Name CitrixGPO
Reading and writing policy objects
Multiple Citrix policy objects can reside in a Active Directory Group Policy Object. By default there are two 1) a Computer policy object named “Unfiltered” and 2) a User policy object named “Unfiltered”.
Reading
In order to change the setting of a policy object you need to read the content of the policy object.
#Read Citrix user policy
$objCitrixPolicy = Get-CtxGroupPolicyConfiguration -PolicyName "Unfiltered" -Type user -DriveName CitrixGPO
In this example I read the content of the “Unfiltered” policy object of the User configuration from the drive CitrixGPO and place it in the $objCitrixPolicy variable.
Writing
After you’ve set the settings in the policy object it need to be written to the Active Directory Group Policy Object.
#Write Citrix user policy
Set-CtxGroupPolicyConfiguration $objCitrixPolicy -DriveName CitrixGPO
In this example I wrote the content of the $objCitrixPolicy variable to the CitrixGPO drive.
Group Policy Settings
The settings in the policy objects that can be configured can be found in the Citrix XenApp 6.5 Commands Reference (found in the start menu after installing the XenApp 6.5 PowerShell SDK). Here you’ll find an item called Group Policy Settings with two nodes: Computer Settings and User Settings.
All settings that can be configured in a GPO can be found here, including the values you can set. Mainly there are two type of settings, boolean data types and non-boolean data types.
Boolean data types, like ClientDriveRedirection, are either Allowed or Prohibited. These settings are configured by setting the State object to Enabled or Disabled.
$objCitrixPolicy.("ClientDriveRedirection").State = "Enabled"
Non-boolean data types, like AudioQuality, have multiple values that can be chosen from a dropdown box. These settings are configured by setting State to Enabled and filling the Value field with the appropriate setting which can be found in the Commands Reference.
$objCitrixPolicy.("AudioQuality").State = "Enabled"
$objCitrixPolicy.("AudioQuality").Value = 2
If you’re not sure if this is a Boolean data type or not, just check if the Value property equals Null.
#Set policy setting
If ($objCitrixPolicy.("SETTING").Value -ne $null)
{
$objCitrixPolicy.("SETTING").Value = "VALUE"
$objCitrixPolicy.("SETTING").State = "Enabled"
} else
{
$objCitrixPolicy.("SETTING").State = "VALUE"
}
Where SETTING equals the user/computer setting you want to set and VALUE the value of the setting
Clear all existing settings
If you want to clear all existing settings in a policy object you can use this script:
#Clear all existing settings
foreach ($objCitrixPolicyProperty in @($objCitrixPolicy | Get-Member -Type Properties | Select -Expand Name))
{
$config = $objCitrixPolicy.$objCitrixPolicyProperty
if ($config.State -ne $null) { $objCitrixPolicy.($objCitrixPolicyProperty).State = "NotConfigured" }
}
This works manually in a script that I am using to audit the GPOs. It doesn’t work as a scheduled task.
I am getting this error message.
New-PSDrive : A parameter cannot be found that matches parameter name ‘DomainGPO’.
At line:1 char:77
+ New-PSDrive -Name CitrixGPO -PSProvider CitrixGroupPolicy -Root \ -DomainGPO <<<< "XA65_GLOBAL_QA_CITR
IXSETTINGS"
+ CategoryInfo : InvalidArgument: (:) [New-PSDrive], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.PowerShell.Commands.NewPSDriveCommand
With what user are you running the scheduled task?
The user should be a domain user and have the PowerShell applets available.
I am trying to set sessionprinters in a policy using the following command Set-CtxGroupPolicyConfiguration -PolicyName Test2SessionPrintPolicy1 -Type user -Configuration SessionPrinters -Value “\\PrintServerName\PrinterName”. This works fine but I am unable to add more than one printer. If I run that same command with a different printer name it overwrites the first printer. Is there anyway around this. The command does not like it when i try to put two printers in the same line. I tried separating the two with , or ; ” ” but nothing seems to work.
Can you try this:
Set-CtxGroupPolicyConfiguration -PolicyName Test2SessionPrintPolicy1 -Type user -Configuration SessionPrinters\Values\1 -Value “\\PrintServerName\PrinterName1″
Set-CtxGroupPolicyConfiguration -PolicyName Test2SessionPrintPolicy1 -Type user -Configuration SessionPrinters\Values\2 -Value “\\PrintServerName\PrinterName2″
Got the following error trying the command
Invalid configuration name
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Citrix.GroupPolicy.Commands\Citrix.GroupPolicy.Commands.psm1:657
char:21
+ throw “Invalid configuration name”
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (Invalid configuration name:String) [], RuntimeException
+ FullyQualifiedErrorId : Invalid configuration name
I wrote an article explaining how to configure session printers via PowerShell.
http://www.ingmarverheij.com/configure-citrix-session-printer-via-powershell/
Hope this helps you.
Any idea how this works in XA/XD 7.6? Some cmdlets are gone in this version, e.g. Set-CtxGroupPolicyConfiguration no longer works.
If anyone can help or still watching this, I have a list of printer policies and would like to quickly move them up or down in priority…What is the command to look at one and then maybe move them… Also is there a command to list for printing the policies what computer (or user) is associated with that policies and the printers that they get? Thanks.
Hi,
Thanks for the article do you know if you should be able to run these commands from a PowerShell remoting session? Citrix implies that you can’t but it seems to work.
I’m not sure what the “double hop” issue would be reading the local farm GPO when using PowerShell remoting?
I’m not quite sure where it’s reading the LocalFarmGpo from, I assume the datastore database..?
Thanks,
Dave
This can be used to edit existing policy or create new policy.
what is the approach for importing group policy template and create policy out of it.