Feb 24 / The Architect

How useful will XenApp6 AD group policy integration be?

With the tech preview of the next release of XenApp now available, I’ve been thinking more about how the integration of Citrix policies into AD will actually work in practice.

Advantages

You can apply a particular configuration by just moving the computer object into an OU, and your new server will inherit all the existing Citrix policies defined for that OU. This is especially useful if you use Citrix Provisioning Server to provision servers.

Disadvantages

XenApp admins are used to being “masters of their realm”. Same with the AD admins. And in large corporate environments – never the twain shall meet. XenApp admins wouldn’t let an AD admin loose on their XenApp farm, and likewise an AD admin wouldn’t let the XenApp guys loose in their group policy management console.

This presents a problem when all your XenApp policies are now in AD. Want to tweak that bandwidth throttling policy for ICA? Now it’s a major change to AD potentially impacting hundreds of thousands of users (depending of course on the size of your organization).

Another issue is that, because of this split of roles in large organisations, XenApp admins now use third-party tools such as AppSense and RES PowerFuse to administer and apply policy for their XenApp users, with only a few basic machine policies applied by AD. This means changes can be applied quickly, with all the advanced filtering that these tools bring over and above AD.

So, how do you get your XenApp policy (now applied by AD, which you have no control over) to integrate with your security and lockdown policy (applied by AppSense, which you have full control over)?

I’ve yet to see the solution…and can see this issue limiting adoption of XA6 in very large corporates where AD group policy is locked down in stone and takes months of red tape to change.

I’ve yet to see any comment from RES or AppSense on whether their tools will integrate with XA6, but from what I’ve seen of the tech preview, there is no “Export” facility, or access to the native ADMX files.
