• Citrix XenApp 6.5 Worker Groups Based on Organizational Unit Oddity

    Recently a friend asked me if a Worker Group based on an Organization Unit (OU) would contain servers contained in sub OUs.  I had no idea, so I had to test it to see for myself.  What I found surprised me.

    Worker Groups are supposed to make administering published resources easier on XenApp farm administrators.  Before Worker Groups, if you added five new XenApp servers, you had to go and update every published resource that would now be served by the new servers.  With a Worker Group, you base the published resource on a Worker Group and as servers are added or removed from the Worker Group nothing needs to be changed on the published resource.

    To see what happens with Worker Groups and nested OUs, I created an OU structure four levels deep (Figure 1).

    Figure 1
    Figure 1

    Each OU contains one XenApp 6.5 server (Figures 2 through 5).

    Figure 2
    Figure 2
    Figure 3
    Figure 3
    Figure 4
    Figure 4
    Figure 5
    Figure 5

    Next I went into Citrix AppCenter and created a Worker Group based on the TopOU OU (Figure 6).

    Figure 6
    Figure 6

    My JR Test Worker Group now shows all four servers from all four OUs (Figure 7).

    Figure 7
    Figure 7

    When I click on each server in a lower level OU, the Location shows as being in the TopOU OU (Figure 8).

    Figure 8
    Figure 8

    Next I wondered what would happen if I created a Worker Group based on the third level OU (Figure 9)?

    Figure 9
    Figure 9

    The Third Level OU Worker Group contains the servers from the third and fourth level OUs (Figure 10).

    Figure 10
    Figure 10

    There is extremely little information on Worker Groups based on OU.  BTW, Citrix, why do you use the term “Active Directory Container” in your GUI when creating a Worker Group but the Type shows as Organizational Unit in Figure 10?  Active Directory Containers are different than Active Directory OUs!  Even in edocs you are confusing: “Select Active Directory Containers to add servers based on organizational unit membership”.

    I have no idea why a Worker Group based on one OU would contain servers from lower level OUs.  If you don’t want servers from lower level OUs to be in a Worker Group then you will have to redesign your OU structure.  Thanks Citrix (implied sarcasm intended).

    , ,

    About Carl Webster

    Webster is a Sr. Solutions Architect for Choice Solutions, LLC and specializes in Citrix, Active Directory and Technical Documentation. Webster has been working with Citrix products for many years starting with Multi-User OS/2 in 1990.

    View all posts by Carl Webster

    7 Responses to “Citrix XenApp 6.5 Worker Groups Based on Organizational Unit Oddity”

    1. Jörn Says:

      Hi,

      a server reboot isnt really nessecary. It is enough to perform a gpupdate and afterwards to restart IMA.

      Jörn

      Reply

      • Carl Webster Says:

        Jörn,

        That is not 100% accurate. If a XenApp server has been moved into a new OU, the server will not get any new computer based AD GPOs unless the server is restarted. And if the Citrix Policies are AD based then those computer based policy settings will not be retrieved until a server reboot. So while you may be able to do a gpupdate and restart the IMA service to affect the Worker Group stuff, you are not getting everything you need in an AD environment unless you reboot the server.

        Webster

        Reply

    2. Vincent SCOTTO Says:

      I try to organize my policies and apps with worker groups. I have a strange issue. I don’t know if you encounter this…
      When I add an OU in a worker group, the console does not add all the servers of the OU and it is shown as “unknown item : SID_of_the_OU_object”

      Reply

      • Carl Webster Says:

        Are you talking about adding a new OU to an existing Worker Group already based on an OU?

        I have had some people report issues after moving a XenApp server into an OU forgetting that after you move a server into a new OU, the server MUST be rebooted. That way the server gets the GPOs assigned to the new OU and the data store database gets updated with the new information.

        Thanks

        Webster

        Reply

    3. Kees Baggerman Says:

      I’ve noticed this too, had to do a redesign of the XA OU structure. I noticed that a server remains a member of a workergroup based on AD, even if you move it to another OU. A server reboot is needed to ‘switch’ the workergroup.

      Cheers,

      Kees

      Reply

      • Carl Webster Says:

        If you move any server in Active Directory to another OU, a server reboot is required so the server picks up any GPO changes required by the OU change.

        Webster

        Reply

    Leave a Reply