Citrix access and Remote Desktop Users group


I have an application, App1, published to 4 Citrix PS4 servers; ServerA - D.

We have a multi-domain forest. Our domain is

Within the CMC, App1 is published to the security group.

On Servers A  - D, the Users is added to the Remote Desktop Group.

Everything works fine. However, we have a user in that wants to be able to use App1. He has been added to\HR, however cannot access the app.

Couple of questions;

a) Does the HR group need to be Universal?
b) Does the user from need to be added to the Remote Desktop Users group of the four servers?



The HR group should be part of Active Directory, not local to each server. The application should be listed in the CMC only once, referencing all four servers with load balancing established. The application should have the AD Group "HR" as a group that can access the application (it's typically as DOMAIN\group if you just add it by typing instead of browsing).  Check all of these things and let me know.
a) Yes
b) Yes, either directly or as part of a group such as "\domain users"
FYI, might be better to have a somewhat stricter policy as to who is part of the RDP users group.  One easy way to do this would be to create a Universal AD group called "Citrix User Groups" or something similar.  Then add all AD groups that have explicit access to some part of the Citrix farm (such as the HR security AD group you referenced earlier, and all the other AD groups).
Then, once all the groups are added, including Admins, then you add this group to the Remote Desktop Users group on each server, and remove the domain users groups.
(All this does is make sure just any domain user cannot RDP to your server if they have no reason to be using it.  So if everyone in all domains should be accessing Citrix, then I guess it was OK the way you already had it).
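
A read-only way to check the result of the group layout suggested above, as an added example that is not part of the original thread. It assumes the servers are named ServerA through ServerD as in the question, that the wrapper group is called "Citrix User Groups" as the answer suggests, and that it is run from an admin workstation with rights to query the servers.

```powershell
# Added example: read-only audit of the local Remote Desktop Users group.
# Assumptions: ServerA..ServerD are the four servers from the question;
# 'Citrix User Groups' is the wrapper group name suggested in the answer.
$servers  = 'ServerA', 'ServerB', 'ServerC', 'ServerD'
$expected = 'Citrix User Groups'
$tooBroad = 'Domain Users', 'Authenticated Users', 'Everyone'

function Get-RdpGroupMember {
    param([Parameter(Mandatory)][string]$ComputerName)
    # The WinNT ADSI provider reads local groups remotely, including on older servers.
    $group = [ADSI]"WinNT://$ComputerName/Remote Desktop Users,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $t     = $m.GetType()
        $path  = $t.InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class = $t.InvokeMember('Class',   'GetProperty', $null, $m, $null)
        # ADsPath is WinNT://DOMAIN/name, or WinNT://DOMAIN/SERVER/name for local accounts.
        $parts = ($path -replace '^WinNT://', '') -split '/'
        [pscustomobject]@{
            Server = $ComputerName
            Scope  = $parts[-2]   # domain, or the server name for a local account
            Name   = $parts[-1]
            Class  = $class       # 'User' or 'Group'
        }
    }
}

$report = foreach ($s in $servers) {
    try {
        $members = @(Get-RdpGroupMember -ComputerName $s)
    } catch {
        Write-Warning "${s}: could not read Remote Desktop Users ($($_.Exception.Message))"
        continue
    }
    foreach ($m in $members) {
        $finding = if ($tooBroad -contains $m.Name) {
            'Too broad: any account in scope can log on'
        } elseif ($m.Class -eq 'User') {
            'Direct user entry: move into an AD group'
        } elseif ($m.Name -ne $expected) {
            'Group other than the wrapper group'
        } else { 'OK' }
        $m | Add-Member -NotePropertyName Finding -NotePropertyValue $finding -PassThru
    }
    if (-not ($members | Where-Object Name -eq $expected)) {
        [pscustomobject]@{ Server = $s; Scope = ''; Name = $expected; Class = 'Group'; Finding = 'Wrapper group missing' }
    }
}
$report | Sort-Object Server, Finding | Format-Table -AutoSize
```

The Scope column shows which domain each entry comes from, which makes it easy to see whether a group from the other domain in the forest is actually present on every server.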
