What RDP GPO Settings can do to your Citrix Servers
Before Windows 2003 Server you needed to configure your specific RDP settings via the Terminal Services Configuration on each server individually, but now Microsoft has added these settings to the GPOs. In this way you need to configure these settings only once and all servers in the OU of that GPO get those settings.
Let’s take a look at these settings in a short overview with the GPO editor under Computer Configuration – Administrative Templates – Windows Components – Terminal Services. The most used settings can be found within the subfolders Client/Server data redirection and Sessions. Within the subfolder Client/Server data redirection you can enable or disable lots of client redirections, like printers, drives and ports. Within the subfolder Sessions, the settings for time limit, disconnection and reconnection can be found.
Figure 1: GPO Editor on the Terminal Service settings
Wonderful settings if you are using Terminal Server, but what happens if you are using these settings on a Terminal Server where Citrix Presentation Server is installed?
RDP GPO setting and your Citrix servers
First of all, why should you configure these Remote Desktop Protocol (RDP) settings on your Citrix Presentation Server, since Citrix is not using the RDP protocol but its own ICA protocol? There are several reasons why you want to configure RDP settings on your Citrix PS servers, but the most logical is that you do not want administrators connecting via RDP and redirecting their local printers to your servers (remember that administrators can always install printer drivers with redirected printers) and/or consuming resources without doing any tasks on that server.
When setting up your GPO RDP settings you can prohibit this behavior. So, you set up, for example, the GPO settings “Do not allow client printer redirection”, “Set a time limit for active terminal sessions”, “Terminate sessions when time limit is reached” and/or other settings. After a while these settings are applied and some time later something strange begins happening. Your Citrix users are complaining that their sessions are terminated and that when they log in their printers are not available.
As administrator you are going to troubleshoot your environment. When opening the Citrix Connection Configuration you are pretty surprised. Several settings which you can normally edit are grayed out. If you take a closer look, you see that the settings you made are still in the right place. In our example, below in Figure 2, the options “Disable Client Drive Mapping” and “Disable Windows Client Printer Mapping” are grayed out. But the options are not checked, as you can see. So the printers available on your users’ local machines should be mapped into their Citrix sessions.
Figure 2: Citrix Connection Configuration with grayed out options
Figure 3: Another example of the Citrix Connection Configuration with grayed out options
In Figure 3 you can also see some grayed out options. All your connection settings are still default and a broken connection should have been disconnected. But your users cannot reconnect to their session so it looks like the connections have been reset.
When you open the Terminal Services Configuration utility to view your RDP settings you also see grayed out options. You immediately see these are exactly the same settings which are grayed out in the Citrix Connection Configuration Utility.
You are now completely confused. Why is your environment showing this behavior? Thinking back over which changes have been made, the only one you can imagine is setting the GPO settings for your RDP connections.
At this moment, you are experiencing how RDP settings via the Windows 2003 Group Policy Objects can harm your Citrix Presentation Servers. When editing the Group Policy Object for the Terminal Services tab, you thought you were making these settings specific for the Remote Desktop Protocol. The logical way of looking at this was: Microsoft provides Terminal Services via the RDP protocol, so if you configured Terminal Services settings within the Group Policy Objects that would be settings for the RDP protocol.
But somehow, it looks as if Citrix's Independent Component Architecture (ICA) protocol is using the same settings, in spite of the settings configured with the Citrix Connection Configuration Utility.
This behavior explained
All GPO settings are saved into the registry. Machine settings are saved in the HKEY Local Machine part of the registry. If you take a look at the registry you will find that the normal place for ICA (ICA-TCP) and RDP (RDP-TCP) settings is within the key:
It is pretty easy to translate the short value names in the registry to the corresponding settings within the Citrix Connection Configuration utility. Some examples: fDisableCpm is Disable Windows Client Printer Mapping, fResetBroken is On a broken or timed-out connection [reset/disconnect] the session, and MaxConnectionTime is Connection Time Out Settings.
The “check options” have a value of DWORD 0 (checkbox unchecked) or 1 (checkbox checked). The connection settings are DWORD values, which can be converted back to decimal counters. A short check tells you that the values correspond correctly to the configuration you made within the utility.
The behavior is caused by the way Microsoft has implemented the Terminal Services GPO settings. The GPO settings are not set directly on the registry keys where the Terminal Services Configuration utility and Citrix Connection Configuration utility save their settings (that is the place in the registry we just took a look at) but in a very different place in the registry.
Searching further in the registry you will find the registry key [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services], where you will find the same values saved with the settings you entered in the GPO editor.
Figure 4: Example of the Policy registry key
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
This Policies registry key has a higher priority than the other keys. Therefore, these policy settings overrule your specially configured ICA settings (which, again, are saved in the subkey of the Winstation key).
When de-configuring the Terminal Services GPO settings you will notice that the options within the Citrix Connection Configuration utility will not be grayed out anymore. Also your users will not notice that strange behavior anymore.
Because Microsoft does not edit the RDP settings directly in the value but via the Policies registry key, this causes all protocols to inherit the settings in that policy. This, in turn, causes Citrix settings to be overruled by this policy, which causes unexpected behavior when connecting to the Terminal Server via the Citrix ICA protocol.
Because of this behavior, my advice is not to use the GPO settings within Windows 2003 on a Citrix Presentation Server. If you would like to set these settings in a central place the best way to do this would be to create your own ADM template which sets the RDP settings directly on the values within the Winstation key.