MutleyFDI asked:

Domain users getting Server Desktop

Hello Experts
Having permissions problems (I think) with our 4 server farm. All machines are Windows 2000 Servers (Post SP-4 Rollup applied) w/PS4.0 patched thru PS400W2KR04. When it was just a single server farm all domain users coming in via the Web interface OR PN got the published Desktop with appropriate permissions (i.e. they could log off or disconnect but not restart or shut down the server).  Every server (and published desktop) I've added to the farm since the initial setup won't give users the desktop unless I add them to the local Admins group after which they get access but also the ability to restart/shut down the machine.
I've compared group memberships, permission settings, etc. on the new machines to the initial one and cannot find anything different that is causing this change in access permissions.  Any help to get this problem solved would be most appreciated.  TIA.
Mohammed Basheer

Just a thought: is Terminal Server on the affected server installed in Administration mode rather than Application Server mode?
MutleyFDI (ASKER)

All affected servers are in Application Server mode.
Any other help on this issue would be appreciated.  Thanks.
Without the administrative privilege, when you open the published desktop, what error message do you get?
Have you correctly configured the Zone settings?

Please update
The error message is something like "The desktop you are trying to open is available only to administrators."
I'm not sure what zone settings you are referring to?
SOLUTION
Mohammed Basheer

This solution is only available to members.
Both links above refer to PS3.0 on Windows 2003 Server.  Our environment is PS4.0 on Windows 2000 platform...
Checked the RDP and ICA listener settings anyway but that doesn't resolve the situation.
Anyone else have an idea on what/where to check to address this problem?  Thanks.
Please help!  Perhaps the question is more difficult than I thought so I've increased the point value accordingly.  Any assistance would be MOST appreciated.  Thanks.
This may be the answer you are looking for:

Log into the server as an admin
Go to Start > Programs > Citrix > Administration Tools > Citrix Connection Configuration Tool

Open the ICA Listener and then click the "Advanced" button

Make sure the box is UNchecked for "Only Launch Published Applications"

You can do the same on the RDP listener if you desire
What mqcIT proposes has ALWAYS worked for me.  If this doesn't resolve your issue it looks like a $400 call to Citrix tech support is in order.
- Do you remember installing any inappropriate hotfix? Uninstall it. Compare the hotfix listing with your working CTX server.
- Do you have any published applications, other than the published desktop? What happens when you run that application as a user and as Administrator?
Thanks for the suggestions.
I've checked the listener settings per mqcIT's advice and all three servers are the same (i.e. Only Launch Published Applications is UNchecked) in that regard.  Back when it was just a single server farm, the original  server did have two published applications in addition to the published desktop.  As I mentioned previously, users granted access to the published desktop on that machine received appropriate permissions without having to add them to the local Admins group.
As each new server has been added to the farm I've tried to set each one up as much like the original server as possible.  The original server had hotfix PSE400W2KR02.0.1, then PSE400W2KR03 and PSE400W2KR04 applied to it.  As each new server has been added it received the most recent hotfix avail. at that time so...Server02 only has PSE400W2KR03 and PSE400W2KR04 applied while the newest server, Server03 only has PSE400W2KR04 applied.  I've worked under the assumption that the hotfixes are cumulative and contain all hotfixes from earlier releases, is that correct or not?
Publishing the desktop on subsequent servers results in users receiving an error message that "the desktop you are trying to open is available only to administrators..." requiring me to add them to the local Admins group before they can get access after which, of course, they get the server desktop but not the published one...
As far as I can tell, the only diff. is the original machine has the PSE400W2KR02.0.1 hotfix (Server03 missing earlier releases).  I've only got a small number of users accessing published desktops, so the approach I've taken is to train each of them on what not to do (i.e. don't shut down the server when logging off!).  That's working right now, but obviously is not the desired solution.
All three servers are production servers, so rebuilding or taking any of them offline is not a viable option.  I'm in the process of building a 4th test server to try and troubleshoot this issue.  Hopefully Server04 will give me an opportunity to test some alternative approaches to solving this little problem.
Any other suggestions (save for the $400 call to Citrix tech support!) are appreciated.  Thanks again for your help.
Hotfixes are cumulative.

Haven't you spent more than $400 worth of your time and company time trying to figure this out?
ASKER CERTIFIED SOLUTION
This solution is only available to members.
That did the trick! After double-checking the listener settings (both RDP and ICA) and clearing the Only Launch Published Applications checkbox (which I DID need to do earlier per Bashreetpt's suggestion), their RDP logins (per mgcIT's suggestion) still gave them permission to shut down the server.  That result reminded me that I overlooked removing desktop users from the local Admins group (mea culpa).  Once I removed users from that security group it resulted in new profiles being generated at next logon with appropriate permissions.  Thanks to you both for the help.
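
The leftover the asker describes (desktop users still in the local Admins group) can be checked across the farm by comparing each server's `net localgroup Administrators` output against a baseline. The script below is an added example, not part of the original thread; the name Server01 for the original server, the CORP domain, the account names and the baseline set are all constructed assumptions.

```python
# Added example: audit captured `net localgroup Administrators` output per server.
# Server01, the CORP domain and every account name here are constructed samples.

# Assumed baseline: the only accounts that should hold local admin rights.
ALLOWED = {"administrator", "corp\\domain admins"}

_HEADER = (
    "Alias name     Administrators\n"
    "Comment        Administrators have complete and unrestricted access\n"
    "\nMembers\n\n" + "-" * 79 + "\n"
)
_FOOTER = "The command completed successfully.\n"

# Constructed command output, one capture per server.
SAMPLE_OUTPUT = {
    "Server01": _HEADER + "Administrator\nCORP\\Domain Admins\n" + _FOOTER,
    "Server03": _HEADER
    + "Administrator\nCORP\\Domain Admins\nCORP\\jdoe\nCORP\\Domain Users\n"
    + _FOOTER,
}


def parse_members(text):
    """Return the member names listed after the dashed separator line."""
    members, in_list = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----"):
            in_list = True
        elif in_list and line.lower().startswith("the command completed"):
            break
        elif in_list and line:
            members.append(line)
    return members


def unexpected_admins(outputs, allowed=ALLOWED):
    """Map each server to the Administrators members missing from the baseline."""
    findings = {}
    for server, text in outputs.items():
        extra = [m for m in parse_members(text) if m.lower() not in allowed]
        if extra:
            findings[server] = extra
    return findings


if __name__ == "__main__":
    for server, extra in unexpected_admins(SAMPLE_OUTPUT).items():
        print(f"{server}: not in baseline -> {', '.join(extra)}")
```
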