Jump to content
Welcome to our new Citrix community!
  • 0

Move Citrix policies back to Windows group policies


CentralCDH

Question

Hi All,

 

In Windows Group policies some sections are not displayed and I assume it is because some settings are controlled by Citrix.

On the screenshots it is that most of the settings under Administrative Templates are gone.

I though uninstalling Citrix Group Policy Management on a domain controller would revert policies back but I was wrong and nothing changed.

Could you please advise what else should be done to roll back Windows Active Directory Group Policies to pre-Citrix state.

 

Regards,

citrix gpo 1.jpg

Link to comment

12 answers to this question

Recommended Posts

  • 0
Quote

You need to have Citrix Studio on the same machine as GPMC to get the Citrix Policies feature in GPMC.

Hi,

 

A company is switching from Citrix XenApp to Windows Terminal Services.

I need to revert policies from Citrix back to Windows.

Is there an official guide how to do that?

Link to comment
  • 0
On 12/18/2021 at 2:41 AM, CentralCDH said:

To be more precise I don't need policies configured in Citrix Studio to be moved to Windows Group Policy.

I need Administrative Templates to roll back to their original state on a domain controller.

 

It sounds like you're talking about the default policy store.  This is a tricky situation that I would be careful with!  

 

These tempaltes are just files that sit in c:\windows\policydefinitions.  If configured, you can move the files to \\%domain%\sysvol\%domainname%\Policies\PolicyDefinitions.  An admin configures this by creating the folder and copying the templates that the company wants to use out to this location.  They're usually sourced from a modern windows installation -- one that matches the overall domain configuration.

 

You can revert this store at any time by deleting and recreating the default policy store, but I'd be careful doing that.  You could loose some admin templates for other products, and these are one of the things that you probably won't catch for months/years until you go make a change and can't figure out how to edit the policy.  In fact, it could leave some policies applying but you may not have a way to edit them, and the only way to fix will be to either restore the template or delete and recreate the GPO without the settings.  

 

The good thing is that these templates don't impact the domain... they have no influence over policy.  All they do is expose settings in the policy editor.   If you're going to continue down this path, I would recommend removing all policies (settings in the policy editor!) that you are no longer managing before removing the templates you no longer need.  This will help in the long run and you may find that you don't really need to remove the templates.

 

 

Again - these templates are just metadata that describe the setting.  The actual setting is in the policy file, not the templates.  Removing the template just means the setting is no longer available in the editor, but it doesn't mean the setting is no longer applied.

 

 

Link to comment
  • 0
On 12/21/2021 at 3:54 AM, Joseph Robinson said:

 

It sounds like you're talking about the default policy store.  This is a tricky situation that I would be careful with!  

 

These tempaltes are just files that sit in c:\windows\policydefinitions.  If configured, you can move the files to \\%domain%\sysvol\%domainname%\Policies\PolicyDefinitions.  An admin configures this by creating the folder and copying the templates that the company wants to use out to this location.  They're usually sourced from a modern windows installation -- one that matches the overall domain configuration.

 

You can revert this store at any time by deleting and recreating the default policy store, but I'd be careful doing that.  You could loose some admin templates for other products, and these are one of the things that you probably won't catch for months/years until you go make a change and can't figure out how to edit the policy.  In fact, it could leave some policies applying but you may not have a way to edit them, and the only way to fix will be to either restore the template or delete and recreate the GPO without the settings.  

 

The good thing is that these templates don't impact the domain... they have no influence over policy.  All they do is expose settings in the policy editor.   If you're going to continue down this path, I would recommend removing all policies (settings in the policy editor!) that you are no longer managing before removing the templates you no longer need.  This will help in the long run and you may find that you don't really need to remove the templates.

 

 

Again - these templates are just metadata that describe the setting.  The actual setting is in the policy file, not the templates.  Removing the template just means the setting is no longer available in the editor, but it doesn't mean the setting is no longer applied.

 

 

Hi Joseph, 

 

Thanks for your reply. 

Just would like to clarify what exactly I need. 

On the screenshot in my first post you can see that under Computer Configuration - Policies - Administrative templates I have nothing but Microsoft Office related templates. 

(Same for User Configuration - Policies - Administrative templates)

Normally however, there must be a number of system related templates. 

 

1037524288_gponocitrix.thumb.jpg.e3aaa816af6a38e97b59c284775f6803.jpg

 

I don't know where they're now but need to roll them back to Group Policy Editor.

Link to comment
  • 0

Seems to be a problem with the central store of the policy definitions.

 

Check if you have EnableLocalStoreOverride = 1 under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\

 

image.thumb.png.67e563e14b1f70b5bb07d6d800ca2192.png

 

If you set the value to 1, then your GP editor tools will use the ADMX/ADML files found under c:\windows\policydefinitions instead of the Central Store.

If the value is set to 0, or removed, then the Central Store is used again.

Note that you will need to restart GP editor in between changes to this value.

 

If you miss ADMX/AMDL you can check this site: List of different Group Policy Templates (Updated) - InfrastructureHeroes.org

 

Link to comment
  • 0
On 12/31/2021 at 12:10 AM, CentralCDH said:

Hi Martin,

 

All screenshots I posted in this thread including the first one were taken for a domain controller. 

There are two of them and on another one the tree of Group Policy editor is the same. 

 

You have 2 domain controllers and both only show the reduced selection?

 

Then check your central store or maybe just remove \PolicyDefinitions\ folder inside of \\domainname\SYSVOL\domainname\policies\ to remove/disable the central store.

Link to comment
  • 0

I compared the content of \\domainname\SYSVOL\domainname\Policies\PolicyDefinitions with a domain controller of another organization and found that all policy definitions except those related to Microsoft Office applications are missing. 

When I run search I found all of them under C:\Windows\WinSxS.

If I put them manually back to \\domainname\SYSVOL\domainname\Policies\PolicyDefinitions would the reappear in Group Policy Editor?

 

896233519_gpoyescitrixsearch.thumb.JPG.6b38dea26ac6c134c3ca382b9ec47398.JPG

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...