Link to home
Start Free TrialLog in
Avatar of helpatudallshumwaycom
helpatudallshumwaycom

asked on

Deny user terminal server access. Urgent

I'm running Citrix/Terminal Services on a Windows 2000 Server, in a Windows Server 2003 domain.  I need to prevent one specific user from logging in to Citrix but still allow him to logon onto the domain in the office.  

This is extremely urgent.
Avatar of oBdA
oBdA

Open the user's properties in the ADUC console, go to the Terminal Services Profile tab, and check the "Deny logon to terminal services" checkbox.
Avatar of helpatudallshumwaycom

ASKER

I tried that yesterday, but he was still able to logon in last night.  The check box says: "Deny this user permissions to log on to any Terminal Server".  I assume now that this prevents the user from logging on to the TS locally, but any clarification would help.
If he's logging on to Citrix, why not remove him from the security groups of the published applications or the published desktop? Or how are you organizing access to the applications on the terminal server currently?
Users receive a full desktop so they can be fully functional from home.  The published desktop does not have any users explicitly added to it.  I assume that all domain users have been granted access to login.

I inherited this Citrix setup from a previous tech and have no documentation on its configuration.
SOLUTION
Avatar of oBdA
oBdA

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
I checked into the security groups.  The group used to grant permission (Configured Accounts) appears to be an NT group that was created before we changed to AD.  I cannot find the NT group using Look-In, I think the group was retired when our domain changed.  However, new users that have joined since then have still been able to login in to Citrix.  I have created a group (Citrix-Access) to include only the users that should have access.   In the absence of a relevant security group, will Citrix allow any authenticated Domain User to log on?  

I'm sorry for the clarification, but I can't risk locking everyone out.  If I remove the old domain group, I don't think I can get it back.
ASKER CERTIFIED SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
oBdA, thanks for reminding me about the Citrix security settings on published apps.  Also, thanks to BLipman, yours was the critical answer to my Citrix dilema.  Thank you both for the quick responses.