
Group Policy and User Layers


Shawn Martin1709158376

Question

Let me see if I can explain this.

 

We have software, Beyond Trust Power Broker for Windows. Its job is to apply limited admin permissions to certain apps and allow users to self-elevate as needed.

Power Broker is installed in the OS layer. Its configuration is delivered via Group Policy as a Computer Policy.

I have a Win 10 v1803 layered image using Full User layers and I'm using PVS (Random, Discard user data) to deploy the images.

When the VDA boots up, and I log in via Receiver, all works fine, and the user layer mounts fairly quickly. Performance is acceptable.

 

The problem is, the Power Broker GPO doesn't seem to be applying to the machine. I can certainly do a gpupdate /force to get the machine to pull down the GPO but when I restart, and then log back into the VDA, the GPO settings aren't there. 

 

Any ideas on how I can get this GPO to apply successfully under this configuration?

 

Link to comment

9 answers to this question


  • 0

Is it a user setting or machine setting you are trying to set? During boot the server will run a gpupdate in the startup scripts, so the settings should be set then. Are you logging in very quickly? You may want to wait a little while to allow the scripts to run and, if that works, use SettlementPeriodBeforeUse on your delivery groups to have the VDA wait, say, 4 minutes before allowing logons.

 

If it's a user setting then you need to check loopback and whether you have GPO conflicts.

Link to comment
  • 0

Thanks. 

 

Waiting about 10 mins to log in didn't seem to make a difference. The gpresult report shows that the GPO has been applied to the machine but the Beyond Trust application doesn't seem to be reading the settings. I'll throw Process Monitor on it to see if I can figure out why it's not reading the settings.

 

Alternatively, I might try putting the app in the Platform Layer instead.

Link to comment
  • 0

Ok, it worked with elastic layering turned off, which I only had on in order to use Full User layers.

 

I'm going to try again with user layering turned on but having PowerBroker installed in the Platform layer instead of the OS layer. Ultimately, the goal is to use PVS random machines and give everyone a Full user layer so they can have their own personalization of the desktop.

Link to comment
  • 0

Can someone help me with the exact steps to make the Power Broker tool work on the Citrix App Layer?

 

I am working on a non-persistent VDI pool with the Power Broker tool installed on the app layer.

Problem:
When PowerBroker for Windows is installed a registry containing a unique ID is generated to:
HKLM\Software\Microsoft\Windows\CurrentVersion\BeyondTrust\InstallerId

 

When we create the template on the ELM to roll out pooled VDIs, they all have PowerBroker for Windows with the same Installer ID, meaning Retina CS won't be able to differentiate between clients.

 

The solution from the Beyond Trust is:

BeyondTrust has provided an executable tool to regenerate the Installer ID which comes with the client installer. The tool can be found in C:\Windows\BeyondTrust\BeyondInsight\GenerateNewInstallerId.exe. Simply executing the tool with administrative privileges will follow the expected behavior below.

 

Expected Behavior:
Both methods above will check for the existence of HKLM\Software\Microsoft\Windows\CurrentVersion\BeyondTrust\NewInstallerId. In the case where the key exists the process will end. If the key doesn't exist it will generate a new GUID and write it to: "HKLM\Software\Microsoft\Windows\CurrentVersion\BeyondTrust\InstallerId"
Lastly a new key will be created to avoid the GUID being changed more than once:
"HKLM\Software\Microsoft\Windows\CurrentVersion\BeyondTrust\NewInstallerId"

 

Because it's a non-persistent VDI, once the user has logged out all the changes are reverted back and the VDI is left with the original installer ID.

 

I want to know if there is a way to make the Power Broker tool work on Citrix Pooled VDI's. We are also having the same issue with the Beyond Trust Bomgar (Jump Client) agent as well.
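
A read-only check for the state described in the post above, added here as an example and not taken from the thread, BeyondTrust or Citrix. It reports whether a pooled VDA still carries the template's InstallerId and whether the NewInstallerId marker is already present, in which case the regeneration tool would exit without changing anything. Assumptions: InstallerId is stored as a value under the BeyondTrust key, the marker may be a value or a subkey, and `$TemplateInstallerId` is a placeholder for the ID recorded in the layer.

```powershell
# Added example: diagnostic only, makes no registry changes.
param(
    # Placeholder (assumption): the InstallerId recorded when the layer was built.
    [string]$TemplateInstallerId = '<InstallerId-captured-in-the-layer>'
)

# Registry location taken from the post above.
$base = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\BeyondTrust'

function Get-InstallerIdState {
    param([string]$KeyPath, [string]$TemplateId)

    $result = [ordered]@{
        Computer      = $env:COMPUTERNAME
        LastBoot      = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
        InstallerId   = $null
        MarkerPresent = $false
        State         = 'KeyMissing'
    }
    if (-not (Test-Path -LiteralPath $KeyPath)) { return [pscustomobject]$result }

    $props = Get-ItemProperty -LiteralPath $KeyPath
    $id    = $props.InstallerId          # $null when the value does not exist

    # Assumption: the marker may exist as a value or as a subkey.
    $markerValue = $null -ne $props.NewInstallerId
    $markerKey   = Test-Path -LiteralPath (Join-Path $KeyPath 'NewInstallerId')
    $result.MarkerPresent = $markerValue -or $markerKey

    if ($null -eq $id) {
        $result.State = 'InstallerIdNotFound'
        return [pscustomobject]$result
    }

    # Compare without braces; -eq on strings is case-insensitive.
    $result.InstallerId = "$id".Trim('{', '}')
    $isTemplate = $result.InstallerId -eq $TemplateId.Trim('{', '}')

    $result.State =
        if ($isTemplate -and $result.MarkerPresent) { 'TemplateIdWithMarker' } # marker baked in: tool would exit early
        elseif ($isTemplate)                        { 'TemplateId' }           # not regenerated, or change discarded
        else                                        { 'Regenerated' }
    return [pscustomobject]$result
}

Get-InstallerIdState -KeyPath $base -TemplateId $TemplateInstallerId | Format-List
```

Collecting this output from several pooled machines after boot shows how many report the same InstallerId.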
