Granting Users Permission for Remote Access

When I changed the domain on our Citrix server to our new domain controller, I had an Issue with logging non-administrators into it. Whenever someone tried to login that wasn't an administrator, they would two errors.

The first error (which came from the citrix client itself) was:
The desktop you are trying to open is currently available only to administrators. Contact your administrator to confirm that the correct settings are in place for your client connection.

The second error (which came from the server) was:
To log on to this remote computer, you must have terminal server user access permissions on this computer. By default, members of the remote desktop users group have these permissions. If you are not a member of the remote desktop users group or another group that has these permissions, or if the remote desktop user group does not have these permissions, you must be granted these permissions manually.

So, after this, I decided to setup a new citrix server on a test box, and the second I did, I got the same exact issue so I'm back to square one. This is running on windows server 2003 standard and is connecting to a 2003 SBS server. Does anyone have an idea as to why this is happening?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Not sure if I understand question, but generally you should have an AD group containing all your Citrix users in it, and then you should add this AD group to the Remote Desktop Users group on each Citrix Server.  Do you already have this?
Carl WebsterCitrix Technology Professional - FellowCommented:
Server 2003 changed a bit from 2000.  In 2003 you are required to add users to the Remote Desktop Users group to alow them to have terminal service access to the server.  If a user is not in that local group then no access is granted to that server.
And you would want to add the users as as group (ie, create an AD group and add all the users to it, then add it to the local Remote Desktop Users group on each Citrix server).
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

supanatralAuthor Commented:
Where do I add the AD group locally?
Carl WebsterCitrix Technology Professional - FellowCommented:
I create an OU called CitrixUsers
Inside that OU I place all my Citrix users
Inside that OU I have two security groups: CitrixAdmins and CitrixUsers
Every user account in the OU CitrixUsers gets added to the security group CitrixUsers
Every user account with a description of CTXADMIN gets added to the security group CitrixAdmins
The security group CitrixAdmins gets added as Full Farm Administrators
The security group CitrixUsers gets added to the domain group Remote Desktop Users
In the Citrix server's local Remote Desktop Users group it will depend on how you install XenApp.  You can either add your domain CitrixUsers group or Authenticated Users.   I do the latter.

Here are the commands I accomplish all this with:

Dsadd ou "ou=CitrixServers,dc=citrixlab,dc=local" -desc "OU for all Citrix XenApp Servers"

Dsadd ou "ou=CitrixUsers,dc=citrixlab,dc=local" -desc "OU for all Citrix users"

Dsadd group "cn=CitrixUsers,ou=CitrixUsers,dc=citrixlab,dc=local" -secgrp yes -desc "Security Group for all Citrix users"

Dsadd group "cn=CitrixAdmins,ou=CitrixUsers,dc=citrixlab,dc=local" -secgrp yes -desc "Security Group for all Citrix Admins"

Dsmod group "cn=Remote Desktop Users,cn=Builtin,dc=citrixlab,dc=local" -addmbr "cn=CitrixUsers,ou=CitrixUsers,dc=citrixlab,dc=local" -c

rem example of adding two users for my lab so ignore the pwd never expires

Dsadd user "cn=awebster,ou=CitrixUsers,dc=citrixlab,dc=local" -samid awebster -upn awebster@citrixlab.local -fn Annette -ln Webster -display "Annette Webster" -pwd P@$$w0rd -desc CTXUSER -mustchpwd no -pwdneverexpires yes

Dsadd user "cn=cwebster,ou=CitrixUsers,dc=citrixlab,dc=local" -samid cwebster -upn cwebster@citrixlab.local -fn Carl -ln Webster -display "Carl Webster" -pwd P@$$w0rd -desc CTXADMIN -mustchpwd no -pwdneverexpires yes

Rem any user in the CitrixUsers OU that has a description of CTXADMIN gets added to the CitrixAdmin security group

dsquery user "ou=citrixusers,dc=citrixlab,dc=local" -desc "CTXADMIN" -limit 0 | dsmod group "cn=citrixadmins,ou=citrixusers,dc=citrixlab,dc=local" -chmbr -c

Rem all users in the CitrixUsers OU get added to the CitrixUsers security group

dsquery user "ou=citrixusers,dc=citrixlab,dc=local" -limit 0 | dsmod group "cn=citrixusers,ou=citrixusers,dc=citrixlab,dc=local" -chmbr -c

Rem removed all disabled accounts from the CitrixAdmins group

dsquery user "ou=citrixusers,dc=citrixlab,dc=local" -limit 0 -disabled -desc "CTXADMIN" | dsmod group "cn=citrixadmins,ou=citrixusers,dc=citrixlab,dc=local" -rmmbr -c

Rem removed all disabled accounts from the CitrixUsers group

dsquery user "ou=citrixusers,dc=citrixlab,dc=local" -limit 0 -disabled | dsmod group "cn=citrixusers,ou=citrixusers,dc=citrixlab,dc=local" -rmmbr -c

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
What I do is create the AD group called "Citrix Users" in active directory.  Then on the server, r-click on "My Computer" and select "Manage".  Then go to "Local Users and Groups" and find "Remote Desktop Users".  Open this group and then add your new AD group as a member of the local "Remote Desktop Users" group.  You need to do this on each Citrix server.  This way your users can stay in whatever OU they are already in.
What is best for you depends on your organization structure and preference.
supanatralAuthor Commented:
Alright, I did that. Actually, I added "domain users" to the local remote desktop group but it still doesn't work. I keep on getting those two errors. Is it possible that somewhere in citrix, I've selected that only administrators can log in?
Carl WebsterCitrix Technology Professional - FellowCommented:
Check the Local Security Policy on the Citrix servers.

Local Policies
User Rights Assignment
Allow log on through Terminal Servcies

My server has Administrators and Remote Desktop Users allowed that right.
You can also check "terminal services configuration" --> connections -->ICPtcp --> r-click: properties --> Permissions tab.  You should see "remote desktop users" and "ctx_cpsvcuser"  in the list.
ALSO, check your Event Log looking for TS Licensing errors.  Sometimes you can see this error if your Citrix server cannot find a valid TS license server.
1.  the first issue is a property under terminal services configuration.  only allows standard users to connect to published applications.
2.  i have seen this on several occasions.  believe it or not it can be a license issue.  make sure you do not have any issues in the event log for licensing.  also test it via terminal service.  does TS work for standard users.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.