Citrix 7.x Policy discrepancy error

Remember the old IMA versions of Citrix XenApp and XenDesktop, where you had to create separate policies for computer settings and user settings? In the FMA-based Citrix 7.x XenApp & XenDesktop platforms, Citrix made this simpler by merging computer and user policies into one. When creating policies you no longer need to worry about what is a user setting vs. a computer setting. However, this merging happens only at the GUI level. At the data level the policies are still split in two, for reasons such as backwards compatibility.

If you upgraded a Citrix IMA farm to FMA, the user and computer IMA policies will have been merged into one, provided they had identical names (case sensitive) and could always be managed correctly in the UI. Policies that have different names, differ in being enabled or disabled, etc. are not candidates for merging. Policies are structured by name, policy settings and assignments (filters), all of which must be consistent or else the UI will not be able to merge them each time the database is read. If inconsistencies exist in any policies within 7.x, the UI must be able to detect them every time the database is read. Whilst policy settings and names are generally the easier parts to detect and merge, assignments are the most difficult part when determining whether two policies can be merged, because the data that makes up an assignment can be complex.

As a result, Citrix will only consider policies for merging if the assignments in both policies have 100% the same values. If two policies of the same name cannot be merged, the GUI will display the following message when you navigate to Citrix Studio -> Policies.

Changes made to policies outside of this console, such as in PowerShell or management tools from previous versions, resulted in a discrepancy between policies. The assigned objects for policy X must match. Object Delivery Group has assignments X in the “user” component and X in the “computer” component.

When you get this message, it is up to you to fix it. In this scenario the policy XenApp – Global Policy has a different user assignment and computer assignment. This means the user or computer XenApp – Global Policy assignments must have been modified in some way.

Launch PowerShell on a Delivery Controller. Run command asnp Citrix.Common.GroupPolicy followed by New-PSDrive Site -PSProvider CitrixGroupPolicy -Root \ -Controller localhost. Next run command cd Site:\User.

Run command get-item * to display a list of all your user policies.

You should be able to see the affected policy in the output. This policy (user portion) will need to be renamed so that we can bypass the discrepancy error message.

Run command ren "PolicyName" "PolicyName-User". In this example I am renaming the XenApp – Global Policy to XenApp – Global Policy-User.

Now in Studio navigate back to Policies and you will see two policies for XenApp – Global. Since you renamed the user policy at the data (PowerShell) level, the policies are no longer merged by the UI and will present themselves as separate policies. Now you need to correct the policy assignments. You could also merge the user or computer settings from one of the policies into the other, or create a brand new policy containing both computer/user settings and correct assignments.

If for any reason you want to connect and rename the computer settings policy instead, just change directory to Site:\Computer.
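Before renaming anything, it helps to see which same-named policies differ between the two components. The script below is an added example, not from the original post or from Citrix: a read-only check that pairs user and computer policies by case-sensitive name and lists assignments present on only one side. It assumes assignments are exposed under a Filters container of each policy with FilterType, Name, Mode, Enabled and FilterValue properties, and that policy items expose Name and Enabled; Get-AssignmentKey is a hypothetical helper name.

```powershell
# Added example: read-only audit; it changes no policy data.
# Run in PowerShell on a Delivery Controller.
Add-PSSnapin Citrix.Common.GroupPolicy -ErrorAction Stop
if (-not (Get-PSDrive -Name Site -ErrorAction SilentlyContinue)) {
    New-PSDrive Site -PSProvider CitrixGroupPolicy -Root \ -Controller localhost | Out-Null
}

# Assumption: assignments sit under <policy>\Filters and each one exposes
# FilterType, Name, Mode, Enabled and FilterValue.
function Get-AssignmentKey {
    param([string]$Component, [string]$PolicyName)
    Get-ChildItem -LiteralPath "Site:\$Component\$PolicyName\Filters" -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.FilterType } |
        ForEach-Object { '{0}|{1}|{2}|{3}|{4}' -f $_.FilterType, $_.Name, $_.Mode, $_.Enabled, $_.FilterValue } |
        Sort-Object
}

$computerPolicies = @(Get-ChildItem Site:\Computer)

$report = foreach ($u in Get-ChildItem Site:\User) {
    # The UI pairs policies by case-sensitive name, hence -ceq.
    $c = $computerPolicies | Where-Object { $_.Name -ceq $u.Name } | Select-Object -First 1
    if (-not $c) { continue }

    $userKeys     = @(Get-AssignmentKey -Component User     -PolicyName $u.Name)
    $computerKeys = @(Get-AssignmentKey -Component Computer -PolicyName $u.Name)
    # Assignments that exist on one side only are what blocks the merge.
    $userOnly     = @($userKeys     | Where-Object { $computerKeys -cnotcontains $_ })
    $computerOnly = @($computerKeys | Where-Object { $userKeys     -cnotcontains $_ })

    if ($userOnly.Count -gt 0 -or $computerOnly.Count -gt 0 -or ($u.Enabled -ne $c.Enabled)) {
        [pscustomobject]@{
            Policy          = $u.Name
            UserEnabled     = $u.Enabled
            ComputerEnabled = $c.Enabled
            UserOnly        = $userOnly -join '; '
            ComputerOnly    = $computerOnly -join '; '
        }
    }
}

if ($report) { $report | Format-List } else { 'No user/computer mismatches found.' }
```

Each reported policy shows which component holds the stray assignment, which tells you whether to fix the user side or the computer side.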

What can cause discrepancies to be found in policies?

There could be a few reasons such as:

  • You have upgraded the farm to 7.x. Citrix recommend renaming computer and user policies to make them unique before upgrade to avoid running into this issue.
  • You have edited policies via PowerShell or an older version of Citrix management tools where the policies aren’t shown as merged in the UI. Making changes to the assignments etc. can cause this.
  • Keeping the Citrix Studio console open for a long time and then editing policies could also have an effect. Close Studio if it has been open for over a day before making changes, just to ensure you are starting fresh.

Citrix did release a utility to deal with policy discrepancies without having to touch PowerShell – see http://support.citrix.com/article/CTX213722

Policies are still split visually between user and computer when using Group Policy to manage Citrix policies. You should however only use one component (GPMC or Citrix Studio) to manage policies to avoid confusion.

