?
Solved

Granting Users Permission for Remote Access

Posted on 2008-11-12
11
Medium Priority
?
1,026 Views
Last Modified: 2012-05-05
When I changed the domain on our Citrix server to our new domain controller, I had an Issue with logging non-administrators into it. Whenever someone tried to login that wasn't an administrator, they would two errors.

The first error (which came from the citrix client itself) was:
The desktop you are trying to open is currently available only to administrators. Contact your administrator to confirm that the correct settings are in place for your client connection.

The second error (which came from the server) was:
To log on to this remote computer, you must have terminal server user access permissions on this computer. By default, members of the remote desktop users group have these permissions. If you are not a member of the remote desktop users group or another group that has these permissions, or if the remote desktop user group does not have these permissions, you must be granted these permissions manually.

So, after this, I decided to setup a new citrix server on a test box, and the second I did, I got the same exact issue so I'm back to square one. This is running on windows server 2003 standard and is connecting to a 2003 SBS server. Does anyone have an idea as to why this is happening?
0
Comment
Question by:supanatral
  • 4
  • 3
  • 2
  • +1
10 Comments
 
LVL 8

Expert Comment

by:Herrmannator
ID: 22944689
Not sure if I understand question, but generally you should have an AD group containing all your Citrix users in it, and then you should add this AD group to the Remote Desktop Users group on each Citrix Server.  Do you already have this?
0
 
LVL 37

Expert Comment

by:Carl Webster
ID: 22944911
Server 2003 changed a bit from 2000.  In 2003 you are required to add users to the Remote Desktop Users group to alow them to have terminal service access to the server.  If a user is not in that local group then no access is granted to that server.

http://support.microsoft.com/kb/289289
0
 
LVL 8

Expert Comment

by:Herrmannator
ID: 22945039
And you would want to add the users as as group (ie, create an AD group and add all the users to it, then add it to the local Remote Desktop Users group on each Citrix server).
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 

Author Comment

by:supanatral
ID: 22949856
Where do I add the AD group locally?
0
 
LVL 37

Accepted Solution

by:
Carl Webster earned 1000 total points
ID: 22950153
I create an OU called CitrixUsers
Inside that OU I place all my Citrix users
Inside that OU I have two security groups: CitrixAdmins and CitrixUsers
Every user account in the OU CitrixUsers gets added to the security group CitrixUsers
Every user account with a description of CTXADMIN gets added to the security group CitrixAdmins
The security group CitrixAdmins gets added as Full Farm Administrators
The security group CitrixUsers gets added to the domain group Remote Desktop Users
In the Citrix server's local Remote Desktop Users group it will depend on how you install XenApp.  You can either add your domain CitrixUsers group or Authenticated Users.   I do the latter.


Here are the commands I accomplish all this with:

Dsadd ou "ou=CitrixServers,dc=citrixlab,dc=local" -desc "OU for all Citrix XenApp Servers"

Dsadd ou "ou=CitrixUsers,dc=citrixlab,dc=local" -desc "OU for all Citrix users"

Dsadd group "cn=CitrixUsers,ou=CitrixUsers,dc=citrixlab,dc=local" -secgrp yes -desc "Security Group for all Citrix users"

Dsadd group "cn=CitrixAdmins,ou=CitrixUsers,dc=citrixlab,dc=local" -secgrp yes -desc "Security Group for all Citrix Admins"

Dsmod group "cn=Remote Desktop Users,cn=Builtin,dc=citrixlab,dc=local" -addmbr "cn=CitrixUsers,ou=CitrixUsers,dc=citrixlab,dc=local" -c

rem example of adding two users for my lab so ignore the pwd never expires

Dsadd user "cn=awebster,ou=CitrixUsers,dc=citrixlab,dc=local" -samid awebster -upn awebster@citrixlab.local -fn Annette -ln Webster -display "Annette Webster" -pwd P@$$w0rd -desc CTXUSER -mustchpwd no -pwdneverexpires yes

Dsadd user "cn=cwebster,ou=CitrixUsers,dc=citrixlab,dc=local" -samid cwebster -upn cwebster@citrixlab.local -fn Carl -ln Webster -display "Carl Webster" -pwd P@$$w0rd -desc CTXADMIN -mustchpwd no -pwdneverexpires yes

Rem any user in the CitrixUsers OU that has a description of CTXADMIN gets added to the CitrixAdmin security group

dsquery user "ou=citrixusers,dc=citrixlab,dc=local" -desc "CTXADMIN" -limit 0 | dsmod group "cn=citrixadmins,ou=citrixusers,dc=citrixlab,dc=local" -chmbr -c

Rem all users in the CitrixUsers OU get added to the CitrixUsers security group

dsquery user "ou=citrixusers,dc=citrixlab,dc=local" -limit 0 | dsmod group "cn=citrixusers,ou=citrixusers,dc=citrixlab,dc=local" -chmbr -c

Rem removed all disabled accounts from the CitrixAdmins group

dsquery user "ou=citrixusers,dc=citrixlab,dc=local" -limit 0 -disabled -desc "CTXADMIN" | dsmod group "cn=citrixadmins,ou=citrixusers,dc=citrixlab,dc=local" -rmmbr -c

Rem removed all disabled accounts from the CitrixUsers group

dsquery user "ou=citrixusers,dc=citrixlab,dc=local" -limit 0 -disabled | dsmod group "cn=citrixusers,ou=citrixusers,dc=citrixlab,dc=local" -rmmbr -c
0
 
LVL 8

Assisted Solution

by:Herrmannator
Herrmannator earned 1000 total points
ID: 22950592
What I do is create the AD group called "Citrix Users" in active directory.  Then on the server, r-click on "My Computer" and select "Manage".  Then go to "Local Users and Groups" and find "Remote Desktop Users".  Open this group and then add your new AD group as a member of the local "Remote Desktop Users" group.  You need to do this on each Citrix server.  This way your users can stay in whatever OU they are already in.
What is best for you depends on your organization structure and preference.
0
 

Author Comment

by:supanatral
ID: 22951034
Alright, I did that. Actually, I added "domain users" to the local remote desktop group but it still doesn't work. I keep on getting those two errors. Is it possible that somewhere in citrix, I've selected that only administrators can log in?
0
 
LVL 37

Assisted Solution

by:Carl Webster
Carl Webster earned 1000 total points
ID: 22951101
Check the Local Security Policy on the Citrix servers.

Local Policies
User Rights Assignment
Allow log on through Terminal Servcies

My server has Administrators and Remote Desktop Users allowed that right.
0
 
LVL 8

Assisted Solution

by:Herrmannator
Herrmannator earned 1000 total points
ID: 22951305
You can also check "terminal services configuration" --> connections -->ICPtcp --> r-click: properties --> Permissions tab.  You should see "remote desktop users" and "ctx_cpsvcuser"  in the list.
ALSO, check your Event Log looking for TS Licensing errors.  Sometimes you can see this error if your Citrix server cannot find a valid TS license server.
 
0
 
LVL 9

Expert Comment

by:hodgeyohn
ID: 22952760
1.  the first issue is a property under terminal services configuration.  only allows standard users to connect to published applications.
2.  i have seen this on several occasions.  believe it or not it can be a license issue.  make sure you do not have any issues in the event log for licensing.  also test it via terminal service.  does TS work for standard users.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Citrix XenDesktop 7.6 Citrix Policies Disable Peripherals
#Citrix #XenApp #Citrix Scout #Citrix Insight Services #Microsoft VMMAP #Microsoft ADEXPLORE #Microsoft RAMMAP #Microsoft TCPVIEW #Microsoft AUTORUNS #Microsoft PROCESS EXPLORER #Microsoft PROCESS MONITOR
How to install and configure Citrix XenApp 6.5 - Part 1. In this video tutorial we have explained step by step installation of Citrix XenApp 6.5 Server on Windows Server 2008 R2 is explained in this video. We have explained the difference between…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question