Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 515
  • Last Modified:

Domain users getting Server Desktop

Hello Experts
Having permissions problems (I think) with our 4 server farm. All machines are Windows 2000 Servers (Post SP-4 Rollup applied) w/PS4.0 patched thru PS400W2KR04. When it was just a single server farm all domain users coming in via the Web interface OR PN got the published Desktop with appropriate permissions (i.e. they could log off or disconnect but not restart or shut down the server).  Every server (and published desktop) I've added to the farm since the initial setup won't give users the desktop unless I add them to the local Admins group after which they get access but also the ability to restart/shut down the machine.
I've compared group memberships, permission settings, etc. on the new machines to the initial one and cannot find anything different that is causing this change in access permissions.  Any help to get this problem solved would be most appreciated.  TIA.
0
MutleyFDI
Asked:
MutleyFDI
  • 7
  • 4
  • 2
  • +1
2 Solutions
 
BasheerptCommented:
Just a thought, is the affected server is Terminal server is installed in the Administration mode other than application server mode?
0
 
MutleyFDIAuthor Commented:
All affected servers are in Application Server mode.
0
 
MutleyFDIAuthor Commented:
Any other help on this issue would be appreciated.  Thanks.
0
 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

 
BasheerptCommented:
Without the administrative privilege, while you open the published desktop, what error message you get?
Have you correctly configured the Zone seetings?

Pls update
0
 
MutleyFDIAuthor Commented:
The error message is something like "The desktop you are trying to open is available only to administrators."
I'm not sure what zone settings you are referring to?
0
 
BasheerptCommented:
You may need to edit your connection listener settings. Please follow the link:
http://support.citrix.com/article/CTX104106
http://support.microsoft.com/?kbid=931353

check both RDP and ICA listener settings.

Wish you luck


0
 
MutleyFDIAuthor Commented:
Both links above refer to PS3.0 on Windows 2003 Server.  Our environment is PS4.0 on Windows 2000 platform...
Checked the RDP and ICA listener settings anyway but that doesn't resolve the situation.
Anyone else have an idea on what/where to check to address this problem?  Thanks.
0
 
MutleyFDIAuthor Commented:
Please help!  Perhaps the question is more difficult than I thought so I've increased the point value accordingly.  Any assistance would be MOST appreciated.  Thanks.
0
 
mgcITCommented:
this may be the answer you are looking for:

log into the server as an admin
go to Start > Programs > Citrix> Administration Tools > Citrix Connection Configuration Tool

open the ICA Listener and then click the "Advanced" button

Make sure the box is UNchecked for "Only Launch Published Applications"

You can do the same on the RDP listener if you desire
0
 
Carl WebsterCommented:
What mqcIT proposes has ALWAYS worked for me.  If this doesn't resolve your issue it looks like a $400 call to Citrix tech support is in order.
0
 
BasheerptCommented:
- Do you remember, or installed any inappropriate hotfix? Uninstall it. Compare the hotfix listing with your working CTX server.
- Do you have any published applications, other than Published desktop? What happens when you run that application while user and Administrator?
0
 
MutleyFDIAuthor Commented:
Thanks for the suggestions.
I've checked the listener settings per mqcIT's advice and all three servers are the same (i.e. Only Launch Published Applications is UNchecked) in that regard.  Back when it was just a single server farm, the original  server did have two published applications in addition to the published desktop.  As I mentioned previously, users granted access to the published desktop on that machine received appropriate permissions without having to add them to the local Admins group.
As each new server has been added to the farm I've tried to set each one up the same as the original server as possible.  The original server had hotfix PSE400W2KR02.0.1, then PSE400W2KR03 and PSE400W2KR04 applied to it.  As each new server has been added it received the most recent hotfix avail. at that time so...Server02 only has PSE400W2KR03 and PSE400W2KR04 applied while the newest server, Server03 only has PSE400W2KR04 applied.  I've worked under the assumption that  the hotfixes are cumulative and contain all hotfixes from earlier releases, is that correct or not?
Publishing the desktop on subsequent servers results in users receiving an error message that "the desktop you are trying to open is available only to administrators..." requiring me to add them to the local Admins group before they can get access after which, of course, they get the server desktop but not the published one...
As far as I can tell, the only diff. is the original machine has the PSE400W2KR02.0.1 hotfix (Server03 missing earlier releases).  I've only got a small number of users accessing published desktops, so the approach I've taken is to train each of them on what not to do (i.e. don't shut down the server when logging off!).  That's working right now, but obviously is not the desired solution.
All three servers are production servers, so rebuilding or taking any of them offline is not a viable option.  I'm in the process of building a 4th test server to try and troubleshoot this issue.  Hopefully Server04 will give me an opportunity to test some alternatives approaches to solving this little problem.
Any other suggestions (save for the $400 call to Citrix tech support!) are appreciated.  Thanks again for your help.
0
 
Carl WebsterCommented:
Hotfixes are cumulative.

Haven't you spent more than $400 worth of your time and company time trying to figure this out?
0
 
mgcITCommented:
I'm curious if your users are able to RDP into the server directly without using citrix... do they get the same error? (make sure the rdp listener settings are the same as your ica listener when testing this)
0
 
MutleyFDIAuthor Commented:
That did the trick! After double-checking the listener settings (both RDP and ICA) and clearing the Only Launch Published Applications checkbox (which I DID need to do ealier per Bashreetpt's suggestion), their RDP logins (per mgcIT's suggestion) still gave them permission to shutdown the server.  That result reminded me that I overlooked removing desktop users from the local Admins group (mea culpa).  Once I removed users from that security group it resulted in new profiles being generated at next logon with appropriate permissions.  Thanks to you both for the help.
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

  • 7
  • 4
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now