by: Helge, published: Feb 23, 2016, updated: Jun 29, 2019, in

How Group Policy Impacts Logon Performance #4: Citrix Policies

Contents

This article is based on my Citrix Synergy 2015 session and is the fourth in a mini-series on Group Policy performance. All measurements by uberAgent on Windows Server 2012 R2 with Citrix XenApp 7.6 in a steady state. Please start reading with the first article.

Farm vs. Active Directory

Citrix policies, i.e. policies applying to the VDAs, can be stored in these two locations:

  • Farm (database)
  • Active Directory and Sysvol (Group Policy)

Both types of policies can be used together. Their settings are joined on the client by the VDA.

Precedence

Settings configured in Group Policy have precedence over farm settings. Settings are applied in the following order (highest priority last):

  • Local
  • Farm
  • Site
  • Domain
  • OU

Policy Refresh

Farm Policy

New or changed settings are distributed to VDAs:

  • When the VDA registers with a DDC
  • When a user logs on

These events trigger a BrokerAgent CONFIGURATION SET event. BrokerAgent.exe writes changed farm policies to %ProgramData%\Citrix\PvsAgent\LocallyPersistedData\BrokerAgentInfo\<GUID>.gpf. BrokerAgent.exe then triggers a policy evaluation via CitrixCseClient.dll. This causes CitrixCseEngine.exe to process policy (see below).

Group Policy

Group Policy is updated following the regular Group Policy cycle with an additional refresh at session reconnection added by Citrix:

  • Computer startup
  • User logon
  • Background refresh
  • When triggered by gpupdate
  • Session reconnection

Citrix Group Policy Client-Side Extension (CSE)

In order to hook into Group Policy operations Citrix adds the client-side extension CitrixCseClient.dll. The Citrix CSE is configured in such a way that it is called every time Group Policy is applied. Its main task is to notify the Citrix Group Policy Engine service (see below).

In addition to that the CSE checks the following undocumented registry values in HKLM\SOFTWARE\Citrix\GroupPolicy:

  • CseIgnoreCitrixComputerPolicyTrigger
  • CseIgnoreCitrixUserPolicyTrigger
  • CseIgnoreWindowsComputerPolicyTrigger
  • CseIgnoreWindowsUserPolicyTrigger
  • CseIgnoreWindowsBackgroundComputerPolicyTrigger
  • CseIgnoreWindowsBackgroundUserPolicyTrigger

If you want to change how/when Citrix Policy is applied, those values look like a good place to start.

Citrix Group Policy Engine Service

All the important work is done by the Citrix Group Policy Engine Service (CitrixCseEngine.exe). It is notified by the local Citrix CSE (CitrixCseClient.dll) whenever a policy refresh needs to happen. It then combines Group Policy settings with farm settings, applies them and creates RSoP data. Resulting policy settings are written to the registry:

  • Computer: HKLM\SOFTWARE\Policies\Citrix
  • User: HKLM\SOFTWARE\Policies\Citrix\<SessionID>\User

In addition to generating the resulting policy values the Citrix Group Policy Engine Service creates several cache and helper files: actual policy settings are stored as GPF files in %ProgramData%\CitrixCseCache. Rollback and RSoP information is written to Rollback.gpf and Rsop.gpf respectively in %ProgramData%\Citrix\GroupPolicy.

About the Author

Helge Klein (ex CTP, MVP, and vExpert) worked as a consultant and developer before founding vast limits, the uberAgent company, which was acquired by the Citrix business unit of Cloud Software Group in late 2023. Previously, Helge applied his extensive knowledge in IT infrastructure projects and architected a user profile management product, the successor of which is now available as Citrix Profile Management. Helge is the author of the popular tools Delprof2 and SetACL. He has presented at Citrix Synergy, BriForum, E2EVC, Splunk .conf, and many other events.

Read more

Previous Article VMware Horizon in a Lab: Getting Rid of SSL Errors
Next Article Hyper-V on Hetzner's EX51 Hosted Dedicated Servers