Solved

Domain users getting Server Desktop

Posted on 2007-11-17
Last Modified: 2013-12-05
Hello Experts
Having permissions problems (I think) with our 4 server farm. All machines are Windows 2000 Servers (Post SP-4 Rollup applied) w/PS4.0 patched thru PS400W2KR04. When it was just a single server farm all domain users coming in via the Web interface OR PN got the published Desktop with appropriate permissions (i.e. they could log off or disconnect but not restart or shut down the server).  Every server (and published desktop) I've added to the farm since the initial setup won't give users the desktop unless I add them to the local Admins group after which they get access but also the ability to restart/shut down the machine.
I've compared group memberships, permission settings, etc. on the new machines to the initial one and cannot find anything different that is causing this change in access permissions.  Any help to get this problem solved would be most appreciated.  TIA.
Question by:MutleyFDI
15 Comments
 
LVL 5

Expert Comment

by:Basheerpt
ID: 20304730
Just a thought: is Terminal Server on the affected server installed in Administration mode rather than Application Server mode?
 

Author Comment

by:MutleyFDI
ID: 20304959
All affected servers are in Application Server mode.
 

Author Comment

by:MutleyFDI
ID: 20320797
Any other help on this issue would be appreciated.  Thanks.
 
LVL 5

Expert Comment

by:Basheerpt
ID: 20325771
Without administrative privileges, when you open the published desktop, what error message do you get?
Have you correctly configured the Zone settings?

Please update.
 

Author Comment

by:MutleyFDI
ID: 20327142
The error message is something like "The desktop you are trying to open is available only to administrators."
I'm not sure what zone settings you are referring to?
 
LVL 5

Assisted Solution

by:Basheerpt
Basheerpt earned 100 total points
ID: 20332778
You may need to edit your connection listener settings. Please follow the links:
http://support.citrix.com/article/CTX104106
http://support.microsoft.com/?kbid=931353

Check both RDP and ICA listener settings.

Wish you luck
 

Author Comment

by:MutleyFDI
ID: 20378196
Both links above refer to PS3.0 on Windows 2003 Server.  Our environment is PS4.0 on Windows 2000 platform...
Checked the RDP and ICA listener settings anyway but that doesn't resolve the situation.
Anyone else have an idea on what/where to check to address this problem?  Thanks.

 

Author Comment

by:MutleyFDI
ID: 20421106
Please help!  Perhaps the question is more difficult than I thought so I've increased the point value accordingly.  Any assistance would be MOST appreciated.  Thanks.
 
LVL 18

Expert Comment

by:mgcIT
ID: 20460701
This may be the answer you are looking for:

Log into the server as an admin
Go to Start > Programs > Citrix > Administration Tools > Citrix Connection Configuration Tool

Open the ICA Listener and then click the "Advanced" button

Make sure the box is UNchecked for "Only Launch Published Applications"

You can do the same on the RDP listener if you desire
 
LVL 36

Expert Comment

by:Carl Webster
ID: 20461347
What mgcIT proposes has ALWAYS worked for me.  If this doesn't resolve your issue it looks like a $400 call to Citrix tech support is in order.
 
LVL 5

Expert Comment

by:Basheerpt
ID: 20462629
- Do you remember installing any inappropriate hotfix? Uninstall it. Compare the hotfix listing with your working CTX server.
- Do you have any published applications other than the published desktop? What happens when you run that application as a user and as Administrator?
 

Author Comment

by:MutleyFDI
ID: 20464397
Thanks for the suggestions.
I've checked the listener settings per mgcIT's advice and all three servers are the same (i.e. Only Launch Published Applications is UNchecked) in that regard.  Back when it was just a single server farm, the original server did have two published applications in addition to the published desktop.  As I mentioned previously, users granted access to the published desktop on that machine received appropriate permissions without having to add them to the local Admins group.
As each new server has been added to the farm I've tried to set each one up as much the same as the original server as possible.  The original server had hotfix PSE400W2KR02.0.1, then PSE400W2KR03 and PSE400W2KR04 applied to it.  As each new server has been added it received the most recent hotfix avail. at that time so...Server02 only has PSE400W2KR03 and PSE400W2KR04 applied while the newest server, Server03, only has PSE400W2KR04 applied.  I've worked under the assumption that the hotfixes are cumulative and contain all hotfixes from earlier releases, is that correct or not?
Publishing the desktop on subsequent servers results in users receiving an error message that "the desktop you are trying to open is available only to administrators..." requiring me to add them to the local Admins group before they can get access after which, of course, they get the server desktop but not the published one...
As far as I can tell, the only diff. is the original machine has the PSE400W2KR02.0.1 hotfix (Server03 missing earlier releases).  I've only got a small number of users accessing published desktops, so the approach I've taken is to train each of them on what not to do (i.e. don't shut down the server when logging off!).  That's working right now, but obviously is not the desired solution.
All three servers are production servers, so rebuilding or taking any of them offline is not a viable option.  I'm in the process of building a 4th test server to try and troubleshoot this issue.  Hopefully Server04 will give me an opportunity to test some alternative approaches to solving this little problem.
Any other suggestions (save for the $400 call to Citrix tech support!) are appreciated.  Thanks again for your help.
 
LVL 36

Expert Comment

by:Carl Webster
ID: 20464429
Hotfixes are cumulative.

Haven't you spent more than $400 worth of your time and company time trying to figure this out?
 
LVL 18

Accepted Solution

by:mgcIT
mgcIT earned 150 total points
ID: 20465588
I'm curious if your users are able to RDP into the server directly without using Citrix... do they get the same error? (Make sure the RDP listener settings are the same as your ICA listener when testing this.)
 

Author Closing Comment

by:MutleyFDI
ID: 31415135
That did the trick! After double-checking the listener settings (both RDP and ICA) and clearing the Only Launch Published Applications checkbox (which I DID need to do earlier per Basheerpt's suggestion), their RDP logins (per mgcIT's suggestion) still gave them permission to shut down the server.  That result reminded me that I overlooked removing desktop users from the local Admins group (mea culpa).  Once I removed users from that security group it resulted in new profiles being generated at next logon with appropriate permissions.  Thanks to you both for the help.
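
Added example (not part of the original thread and not Citrix or Microsoft code): since the root cause was desktop users left in the local Admins group, this PowerShell sketch compares each farm server's local Administrators membership against the original server and lists the extra accounts. The function names, `Server01`, the `EXAMPLE` domain and the sample accounts are constructed placeholders.

```powershell
# Added example. Function names, server names and accounts are constructed for illustration.

# Return the members of a server's local Administrators group via the ADSI WinNT provider.
function Get-LocalAdminMember {
    param([Parameter(Mandatory)][string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in $group.psbase.Invoke('Members')) {
        $adsPath = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $parts = ($adsPath -replace '^WinNT://', '') -split '/'
        # Three segments (DOMAIN/COMPUTER/name) means a machine-local account; normalise it
        # to .\name so the same local account matches across servers.
        if ($parts.Count -eq 3) { '.\' + $parts[2] } else { $parts -join '\' }
    }
}

# List accounts that are administrators on a server but not on the baseline server.
function Compare-LocalAdminMember {
    param([string[]]$Baseline, [hashtable]$Candidates)
    foreach ($server in ($Candidates.Keys | Sort-Object)) {
        foreach ($account in $Candidates[$server]) {
            # -notcontains compares case-insensitively, which suits account names
            if ($Baseline -notcontains $account) {
                [pscustomobject]@{ Server = $server; ExtraAdmin = $account }
            }
        }
    }
}

# Constructed sample data standing in for live query results.
$baseline = '.\Administrator', 'EXAMPLE\Domain Admins'
$candidates = @{
    'Server02' = '.\Administrator', 'EXAMPLE\Domain Admins', 'EXAMPLE\jsmith'
    'Server03' = '.\Administrator', 'EXAMPLE\Domain Admins', 'EXAMPLE\Desktop Users'
}
Compare-LocalAdminMember -Baseline $baseline -Candidates $candidates | Format-Table -AutoSize

# Live use from an admin workstation (Server01 is a placeholder for the original server):
# $baseline   = Get-LocalAdminMember -ComputerName 'Server01'
# $candidates = @{}
# 'Server02', 'Server03' | ForEach-Object { $candidates[$_] = @(Get-LocalAdminMember -ComputerName $_) }
# Compare-LocalAdminMember -Baseline $baseline -Candidates $candidates
```

Each row returned is an account that holds administrator rights on that server but not on the baseline, and so is a candidate for removal from the local Admins group.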