
Citrix Session Hosts Not Applying AD Group Policy After Reboot


Hitesh Patel1709161783

Question

Afternoon all,

 

We have Citrix PVS 7.33 and we have noticed that after rebooting a Session Host, the AD Group Policy doesn't apply.

 

The reason I'm posting here is that it's not consistent.  Sometimes the group policy applies and sometimes it doesn't, and I thought that I can't raise a ticket with support as I can't recreate the error.

 

Has anyone seen this before?  We had a PowerShell script that monitors the D drive and, as soon as it drops below 30% available space, the script would put that server into maintenance and then reboot the session host overnight.  Can't use this process as I can't guarantee the Policy has applied.

 

Any advice would be greatly appreciated.

 

Regards

 

Hitesh

Link to comment

4 answers to this question


  • 0

I would tattoo the policies into the base image, that way they are in the cache and guaranteed to apply.

 

If they aren't applying correctly after reboots, I would look into Fast Logon and GPO optimizations.  Windows will want to use the cached version over live versions unless you enforce it.

 

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj573586(v=ws.11)

 

 

Link to comment
  • 0

Hi guys

 

by default Server OS doesn't cache GPOs. See the 'Explanation' for GPO setting "\Computer Configuration\Administrative Templates\System\Group Policy\Enable Group Policy Caching for Servers"

 

"If you disable or do not configure this policy setting, the Group Policy client will not cache applicable GPOs or settings that are contained within the GPOs. When Group Policy runs synchronously, it downloads the latest version of the policy from the network and uses bandwidth estimates to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.)"

 

Also, have you enabled asynchronous group policy processing?

 

Regards

 

Ken Z

Link to comment
  • 0

 

Hi Guys

 

Thanks for getting back to me.

 

@Jeff Riechers - So when we have to do any kind of update to the gold image (Application, Windows updates etc.) the maintenance server that is used is outside of the group policies that are assigned for users.  That way we have full admin rights to carry out the tasks.  Are you suggesting that we do the updates as per our procedures, move the server into the container which applies all policies for users, reboot so GPO is picked up, capture the image, then roll out?

 

@KAZIMIERZ ZYGMUNT - I don't have the Group Policy Cache for Servers enabled.  I'll give that a go in our test environment and see how that fares.  I've had a look at the Asynchronous group policy and that setting is not there.  See attached.  Could one work without the other?

 

Thoughts?

 

Hitesh

 

Screenshot 2023-08-11 104452.png

Link to comment
  • 0

Hi Hitesh

 

see this article for a good understanding https://specopssoft.com/blog/things-work-group-policy-caching/

 

group policy caching for servers is disabled by default, but...

 

if you enable "always wait for the network...", that enables synchronous group policy processing

synchronous group policy processing enables group policy caching

 

so be careful of other settings that might have a domino effect causing unexpected settings to be set.

 

also, have you set the "GpNetworkStartTimeoutPolicyValue" registry key?

see https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.GroupPolicy::SyncWaitTime

 

Regards

 

Ken Z

Link to comment
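
An added example, not part of any post in this thread: a read-only PowerShell check that a reboot script like the one in the question could run on a session host after restart, reporting the three settings the answers mention and whether computer policy processing has completed since boot. The registry paths, the value names `SyncForegroundPolicy` and `EnableLogonOptimizationOnServerSKU`, and event IDs 8000 (boot processing completed) and 7000 (boot processing failed) are assumptions that do not appear in the thread; confirm them against your ADMX templates and event log.

```powershell
# Added example: read-only check, run elevated on the session host after reboot.
# Registry paths, value names and event IDs are assumptions; verify before relying on them.
$settings = @(
    @{ Policy    = 'Always wait for the network at computer startup and logon'
       RegPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
       ValueName = 'SyncForegroundPolicy' }
    @{ Policy    = 'Enable Group Policy Caching for Servers'
       RegPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       ValueName = 'EnableLogonOptimizationOnServerSKU' }
    @{ Policy    = 'Specify startup policy processing wait time'
       RegPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       ValueName = 'GpNetworkStartTimeoutPolicyValue' }
)

# Report each setting; a missing key or value means the policy is not configured.
foreach ($s in $settings) {
    $item = Get-ItemProperty -Path $s.RegPath -Name $s.ValueName -ErrorAction SilentlyContinue
    $data = if ($null -ne $item) { $item.($s.ValueName) } else { 'not configured' }
    Write-Output ('{0,-58} {1}' -f $s.Policy, $data)
}

# Look for computer boot policy events logged after the last boot.
$boot   = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
    Id        = 8000, 7000
    StartTime = $boot
} -ErrorAction SilentlyContinue

$completed = $events | Where-Object Id -eq 8000 | Select-Object -First 1
$failed    = $events | Where-Object Id -eq 7000 | Select-Object -First 1

if ($completed) {
    Write-Output "Computer policy processing completed at $($completed.TimeCreated)"
    exit 0
}
elseif ($failed) {
    Write-Output "Computer policy processing FAILED at $($failed.TimeCreated)"
    exit 1
}
else {
    Write-Output "No completion event since boot at $boot; keep the host in maintenance"
    exit 2
}
```

A non-zero exit code lets the calling script leave the server in maintenance mode instead of returning it to service.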
