Solved

Access to Xen App Fundamentals

Posted on 2011-02-22
Last Modified: 2012-06-22
We have a Xen App server that is running Xen App Fundamentals. We have 25 licenses. We are running into a problem where users who don't need access are logging into Xen Apps.
What can be done to allow only the 25 users that should have access to log in, and to deny a user who is not supposed to have access? When a user who is not supposed to have access logs in, it takes a license, which then needs to be revoked to free it up.
Question by:maximus7569
25 Comments
 
LVL 2

Expert Comment

by:rrusch
ID: 34956421
Hi

Make sure that only allowed users (and possibly admin) are in the local "remote desktop users" group on the terminal server.

Actually, I create a group in the domain called TS_USERS and then add this group to the "Remote Desktop Users" group on all terminal servers. Then I can simply add users to TS_USERS.
 

Author Comment

by:maximus7569
ID: 34956448
Will this work even though I am running Citrix and not just Terminal server?  
 

Author Comment

by:maximus7569
ID: 34956481
Could you be more specific, step by step? The admin who does this actually quit and I got stuck with this.
 
LVL 2

Expert Comment

by:rrusch
ID: 34956575
OK, no problem. Citrix is an extension to Microsoft Terminal Server.

1. Create a security group in your AD called, for example, GE_TSUSER
2. Add allowed users to this group
3. Open Computer Management on the terminal server
4. Add GE_TSUSER to the local "Remote Desktop Users" group
5. Remove other groups like "Domain Users" or "Everyone"

Don't do that if all users are logged on since group membership is only evaluated on logon.
If you are unsure what to remove from "Remote Desktop Users" please post a list of users/groups in this local group.





Remotedesktopverbindung-2011-02-.png
 

Author Comment

by:maximus7569
ID: 34956680
This is what I have. Is this right? (screenshot: Citrix Server)
 
LVL 2

Expert Comment

by:rrusch
ID: 34956802
No, you are looking at "Terminal Server Computers".
The Group in question is "Remote Desktop Users" - 7 Lines up in your image.
 

Author Comment

by:maximus7569
ID: 34956835
Sorry about that, I meant the Remote Desktop Users. I created the security group Xen Apps with all the users who need access to the Xen App server. I added the Xen Apps group to Remote Desktop on the Xen App server. I tried to log in as another user and was able to. Did I miss something? Here are some snapshots. (screenshot: Remote Desktop)
 
LVL 2

Expert Comment

by:rrusch
ID: 34956860
You have to remove "Authenticated Users" since almost all users are members of this Windows built-in group.
 

Author Comment

by:maximus7569
ID: 34956866
Done. Should this block any other domain user from logging in now?
 

Author Comment

by:maximus7569
ID: 34956873
I am still able to log in with another user that is not part of the Xen Apps group. Did I miss something?
 
LVL 2

Expert Comment

by:rrusch
ID: 34956925
Please also check Group Policy:

Start > run
type gpedit.msc
Check value of "Allow log on through Terminal Services"

There should be no more than Administrators and Remote Desktop Users

Remotedesktopverbindung-2011-02-.png
0
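The two Windows-side checks rrusch describes in this thread (the members of the local "Remote Desktop Users" group and the holders of "Allow log on through Terminal Services") can be audited in one pass. The PowerShell below is an added example, not code from the thread; it assumes an elevated session on the terminal server, the helper name `Test-BroadSid` and the temp file name are made up for illustration, and it does not look at access settings inside the Xen App console.

```powershell
# Added example: audit who may log on over Terminal Services (run elevated on the server).

# Well-known principals that admit almost every account.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Hypothetical helper: true when a SID is one of the broad principals above
# or a domain's "Domain Users" group (S-1-5-21-<domain>-513).
function Test-BroadSid([string]$Sid) {
    $broadSids.ContainsKey($Sid) -or $Sid -match '^S-1-5-21-(\d+-){3}513$'
}

# 1. Members of the local "Remote Desktop Users" group. The group is resolved
#    from its well-known SID, so this also works on non-English servers.
$rduSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-555'
$rduName = $rduSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/$rduName,group"
$members = foreach ($m in $group.psbase.Invoke('Members')) {
    $t     = $m.GetType()
    $bytes = $t.InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
    $sid   = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    New-Object PSObject -Property @{
        Name     = $t.InvokeMember('Name', 'GetProperty', $null, $m, $null)
        Sid      = $sid
        TooBroad = (Test-BroadSid $sid)
    }
}
$members | Format-Table Name, Sid, TooBroad -AutoSize

# 2. Holders of SeRemoteInteractiveLogonRight, the user right behind
#    "Allow log on through Terminal Services", exported with secedit.
$cfg = Join-Path $env:TEMP 'user-rights-audit.inf'   # temp file name is arbitrary
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeRemoteInteractiveLogonRight\s*=' |
    Select-Object -First 1
Remove-Item $cfg
$expected = 'S-1-5-32-544', 'S-1-5-32-555'   # Administrators, Remote Desktop Users
if ($line) {
    $holders = ($line.Line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') }
    $extra = @($holders | Where-Object { $expected -notcontains $_ })
    if ($extra.Count) { "Unexpected holders of the logon right: $($extra -join ', ')" }
    else              { 'Logon right is limited to Administrators and Remote Desktop Users.' }
} else {
    'SeRemoteInteractiveLogonRight is not defined in the exported policy.'
}
```

Any row with `TooBroad` set to True is a group such as "Authenticated Users" or "Domain Users" that would let accounts outside the dedicated security group log on.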
 

Author Comment

by:maximus7569
ID: 34956952
This is what I have. (screenshot: Terminal Server Logon)

 
LVL 2

Expert Comment

by:rrusch
ID: 34956971
Do your users work as administrators?
 

Author Comment

by:maximus7569
ID: 34956980
I actually just created a new user and he is only a domain user. I was able to log in as him.
 
LVL 2

Expert Comment

by:rrusch
ID: 34957035
There seems to be a strange configuration in place. Please check the members of the local "Administrators" group.
 

Author Comment

by:maximus7569
ID: 34957064
OK, I will check that.
 

Author Comment

by:maximus7569
ID: 34965371
No, they are not in there.
 
LVL 2

Expert Comment

by:rrusch
ID: 34965621
Ok, it is also possible to set user access in Terminal Services Configuration. Please check that also: Start > run > tscc.msc


Remotedesktopverbindung-2011-02-.png
 

Author Comment

by:maximus7569
ID: 34965718
I don't have that. This is what I have.

Terminal-Cofig.JPG
 
LVL 2

Expert Comment

by:rrusch
ID: 34965892
In Windows 2008 Server it's in role configuration. Sorry for the print screen in German, but I have no English Win 2k8 terminal server at the moment.
Remotedesktopverbindung-2011-02-.png
 

Author Comment

by:maximus7569
ID: 34965920
 

Accepted Solution

by:
maximus7569 earned 0 total points
ID: 34965932
Would it be easier to take domain users out of here and add the security group I made?
XenApp.JPG
 
LVL 2

Expert Comment

by:rrusch
ID: 34965992
Yes, you can do that. I think you should also add Domain Admins group.
 

Author Comment

by:maximus7569
ID: 35000379
Looks like modifying access in the Xen App console fixed it.
 

Author Closing Comment

by:maximus7569
ID: 35045538
As I was looking to fix this solution, I looked in the Xen App console and looked to where you could secure Xen App by OUs. I was unable to fix it with the assistance that was provided.