• Status: Solved

Granting Users Permission for Remote Access

When I changed the domain on our Citrix server to our new domain controller, I had an issue with logging non-administrators into it. Whenever someone who wasn't an administrator tried to log in, they would get two errors.

The first error (which came from the Citrix client itself) was:
The desktop you are trying to open is currently available only to administrators. Contact your administrator to confirm that the correct settings are in place for your client connection.

The second error (which came from the server) was:
To log on to this remote computer, you must have terminal server user access permissions on this computer. By default, members of the remote desktop users group have these permissions. If you are not a member of the remote desktop users group or another group that has these permissions, or if the remote desktop user group does not have these permissions, you must be granted these permissions manually.

So, after this, I decided to set up a new Citrix server on a test box, and the second I did, I got the same exact issue, so I'm back to square one. This is running on Windows Server 2003 Standard and is connecting to a 2003 SBS server. Does anyone have an idea as to why this is happening?
0
Asked: supanatral
4 Solutions
 
Herrmannator Commented:
Not sure if I understand the question, but generally you should have an AD group containing all your Citrix users in it, and then you should add this AD group to the Remote Desktop Users group on each Citrix server. Do you already have this?
0
 
Carl Webster Commented:
Server 2003 changed a bit from 2000. In 2003 you are required to add users to the Remote Desktop Users group to allow them to have terminal service access to the server. If a user is not in that local group then no access is granted to that server.

http://support.microsoft.com/kb/289289
0
 
Herrmannator Commented:
And you would want to add the users as a group (i.e., create an AD group and add all the users to it, then add it to the local Remote Desktop Users group on each Citrix server).
0
 
supanatral (Author) Commented:
Where do I add the AD group locally?
0
 
Carl Webster Commented:
I create an OU called CitrixUsers
Inside that OU I place all my Citrix users
Inside that OU I have two security groups: CitrixAdmins and CitrixUsers
Every user account in the OU CitrixUsers gets added to the security group CitrixUsers
Every user account with a description of CTXADMIN gets added to the security group CitrixAdmins
The security group CitrixAdmins gets added as Full Farm Administrators
The security group CitrixUsers gets added to the domain group Remote Desktop Users
In the Citrix server's local Remote Desktop Users group it will depend on how you install XenApp.  You can either add your domain CitrixUsers group or Authenticated Users.   I do the latter.


Here are the commands I accomplish all this with:

Dsadd ou "ou=CitrixServers,dc=citrixlab,dc=local" -desc "OU for all Citrix XenApp Servers"

Dsadd ou "ou=CitrixUsers,dc=citrixlab,dc=local" -desc "OU for all Citrix users"

Dsadd group "cn=CitrixUsers,ou=CitrixUsers,dc=citrixlab,dc=local" -secgrp yes -desc "Security Group for all Citrix users"

Dsadd group "cn=CitrixAdmins,ou=CitrixUsers,dc=citrixlab,dc=local" -secgrp yes -desc "Security Group for all Citrix Admins"

Dsmod group "cn=Remote Desktop Users,cn=Builtin,dc=citrixlab,dc=local" -addmbr "cn=CitrixUsers,ou=CitrixUsers,dc=citrixlab,dc=local" -c

rem example of adding two users for my lab so ignore the pwd never expires

Dsadd user "cn=awebster,ou=CitrixUsers,dc=citrixlab,dc=local" -samid awebster -upn awebster@citrixlab.local -fn Annette -ln Webster -display "Annette Webster" -pwd P@$$w0rd -desc CTXUSER -mustchpwd no -pwdneverexpires yes

Dsadd user "cn=cwebster,ou=CitrixUsers,dc=citrixlab,dc=local" -samid cwebster -upn cwebster@citrixlab.local -fn Carl -ln Webster -display "Carl Webster" -pwd P@$$w0rd -desc CTXADMIN -mustchpwd no -pwdneverexpires yes

Rem any user in the CitrixUsers OU that has a description of CTXADMIN gets added to the CitrixAdmin security group

dsquery user "ou=citrixusers,dc=citrixlab,dc=local" -desc "CTXADMIN" -limit 0 | dsmod group "cn=citrixadmins,ou=citrixusers,dc=citrixlab,dc=local" -chmbr -c

Rem all users in the CitrixUsers OU get added to the CitrixUsers security group

dsquery user "ou=citrixusers,dc=citrixlab,dc=local" -limit 0 | dsmod group "cn=citrixusers,ou=citrixusers,dc=citrixlab,dc=local" -chmbr -c

Rem removed all disabled accounts from the CitrixAdmins group

dsquery user "ou=citrixusers,dc=citrixlab,dc=local" -limit 0 -disabled -desc "CTXADMIN" | dsmod group "cn=citrixadmins,ou=citrixusers,dc=citrixlab,dc=local" -rmmbr -c

Rem removed all disabled accounts from the CitrixUsers group

dsquery user "ou=citrixusers,dc=citrixlab,dc=local" -limit 0 -disabled | dsmod group "cn=citrixusers,ou=citrixusers,dc=citrixlab,dc=local" -rmmbr -c
0
 
Herrmannator Commented:
What I do is create the AD group called "Citrix Users" in Active Directory. Then on the server, right-click on "My Computer" and select "Manage". Then go to "Local Users and Groups" and find "Remote Desktop Users". Open this group and then add your new AD group as a member of the local "Remote Desktop Users" group. You need to do this on each Citrix server. This way your users can stay in whatever OU they are already in.
What is best for you depends on your organization structure and preference.
0
 
supanatral (Author) Commented:
Alright, I did that. Actually, I added "domain users" to the local Remote Desktop Users group but it still doesn't work. I keep on getting those two errors. Is it possible that somewhere in Citrix, I've selected that only administrators can log in?
0
 
Carl Webster Commented:
Check the Local Security Policy on the Citrix servers.

Local Policies
User Rights Assignment
Allow log on through Terminal Services

My server has Administrators and Remote Desktop Users allowed that right.
0
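
The check Carl Webster describes above, as an added example that is not part of the original thread: a Python script that parses the text written by `secedit /export /cfg <file>` and reports which principals hold "Allow log on through Terminal Services" (SeRemoteInteractiveLogonRight). The two policy samples and the function names are constructed for illustration.

```python
# Added example: audit the Terminal Services logon right in the text written by
# `secedit /export /cfg <file>`. Both policy samples below are constructed.
WELL_KNOWN = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-555": "BUILTIN\\Remote Desktop Users",
    "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
    "S-1-1-0": "Everyone",
}
BROAD = {"S-1-5-11", "S-1-1-0"}
ALLOW = "SeRemoteInteractiveLogonRight"      # Allow log on through Terminal Services
DENY = "SeDenyRemoteInteractiveLogonRight"   # Deny log on through Terminal Services

SAMPLE_ADMIN_ONLY = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""
SAMPLE_EXPECTED = SAMPLE_ADMIN_ONLY.replace(
    "SeRemoteInteractiveLogonRight = *S-1-5-32-544",
    "SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555")

def privilege_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for line in (raw.strip() for raw in inf_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Privilege Rights" and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are exported with a leading '*'; plain account names have none.
            rights[name.strip()] = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
    return rights

def audit_ts_logon(inf_text):
    """Return (principals holding the allow right, list of findings)."""
    rights = privilege_rights(inf_text)
    allowed, denied = rights.get(ALLOW, []), rights.get(DENY, [])
    findings = []
    if "S-1-5-32-555" not in allowed:
        findings.append("Remote Desktop Users does not hold the allow right")
    findings += [f"{WELL_KNOWN[s]} holds the allow right directly (broad grant)"
                 for s in allowed if s in BROAD]
    findings += [f"{WELL_KNOWN.get(s, s)} is explicitly denied" for s in denied]
    return [WELL_KNOWN.get(s, s) for s in allowed], findings

if __name__ == "__main__":
    for label, text in (("admin-only", SAMPLE_ADMIN_ONLY), ("expected", SAMPLE_EXPECTED)):
        print(label, audit_ts_logon(text))
```

A real export is typically UTF-16 encoded, so read the file with `encoding="utf-16"` before passing its text to `audit_ts_logon`.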
 
Herrmannator Commented:
You can also check "Terminal Services Configuration" --> Connections --> ICA-tcp --> right-click: Properties --> Permissions tab. You should see "Remote Desktop Users" and "ctx_cpsvcuser" in the list.
ALSO, check your Event Log looking for TS Licensing errors. Sometimes you can see this error if your Citrix server cannot find a valid TS license server.
 
0
 
hodgeyohn Commented:
1. The first issue is a property under Terminal Services Configuration. Only allows standard users to connect to published applications.
2. I have seen this on several occasions. Believe it or not, it can be a license issue. Make sure you do not have any issues in the event log for licensing. Also test it via Terminal Services. Does TS work for standard users?
0
Question has a verified solution.
