maximus7569
Access to Xen App Fundamentals
We have a Xen App server that is running Xen App Fundamentals. We have 25 licenses. We are running into a problem where users who don't need access are logging into Xen Apps.
What can be done to only allow the 25 users that should have access to log in? And how can a user that is not supposed to have access be denied? When a user that is not supposed to have access logs in, it takes a license, which then needs to be revoked to free it up.
ASKER
Will this work even though I am running Citrix and not just Terminal server?
ASKER
Could you be more specific, step by step? The admin who does this actually quit and I got stuck with this.
OK, no problem. Citrix is an extension to Microsoft Terminal Server.
1. Create a security group in your AD called, for example, GE_TSUSER
2. Add allowed users to this group
3. Open Computer Management on the terminal server
4. Add GE_TSUSER to the local "Remote Desktop Users" group
5. Remove other groups like "Domain Users" or "Everyone"
Don't do that if all users are logged on since group membership is only evaluated on logon.
If you are unsure what to remove from "Remote Desktop Users" please post a list of users/groups in this local group.
No, you are looking at "Terminal Server Computers".
The Group in question is "Remote Desktop Users" - 7 Lines up in your image.
ASKER
Sorry about that, I meant the Remote Desktop Users. I created the security group Xen Apps with all the users who need access to the Xen App server. I added the Xen Apps group to Remote Desktop on the Xen App server. I tried to log in as another user and was able to. Did I miss something? Here are some snapshots.
You have to remove "Authenticated Users" since almost all users are members of this Windows built-in group.
ASKER
Done. Should this block any other domain user from logging in now?
ASKER
I am still able to log in with another user that is not part of the Xen Apps group. Did I miss something?
Please also check Group Policy:
Start > run
type gpedit.msc
Check value of "Allow log on through Terminal Services"
There should be no more than Administrators and Remote Desktop Users
Do your users work as administrators?
ASKER
I actually just created a new user and he is only a domain user. I was able to log in as him.
There seems to be a strange configuration in place. Please check the members of the local "Administrators" group.
ASKER
OK, I will check that.
ASKER
No, they are not in there.
Ok, it is also possible to set user access in Terminal Services Configuration. Please check that also: Start > run > tscc.msc
ASKER
In Windows 2008 Server it's in role configuration. Sorry for the print screen in German, but I have no English Win 2k8 terminal server at the moment.
Yes, you can do that. I think you should also add Domain Admins group.
ASKER
Looks like modifying access in the Xen App console fixed it.
ASKER
As I was looking to fix this solution, I looked in the Xen App console and looked to where you could secure Xen App by OUs. I was unable to fix it with the assistance that was provided.
Make sure that only allowed users (and possibly admin) are in the local "Remote Desktop Users" group on the terminal server.
Actually, I create a group in the domain called TS_USERS and then I add this group to the "Remote Desktop Users" group on all terminal servers. Then I can simply add users to TS_USERS.
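The two checks discussed in this thread (who is in the local "Remote Desktop Users" group, and who holds "Allow log on through Terminal Services") can be scripted as a read-only audit. This is an added example, not code from any poster; it assumes the allowed group is named GE_TSUSER as suggested above, matches members by name only, and must be run elevated on the terminal server.

```powershell
# Added example: read-only audit; run elevated on the terminal server.
# Assumption: GE_TSUSER (the group name suggested in the thread) is the
# only group that should grant non-admin users access.
$AllowedGroup = 'GE_TSUSER'

function Resolve-Sid([string]$Sid) {
    # Translate a SID to an account name; fall back to the raw SID.
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier $Sid
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

# Resolve the built-in groups by well-known SID so the check also works
# on non-English servers, where the group names are localized.
$rdu    = Resolve-Sid 'S-1-5-32-555'   # BUILTIN\Remote Desktop Users
$admins = Resolve-Sid 'S-1-5-32-544'   # BUILTIN\Administrators

# 1. Members of the local "Remote Desktop Users" group.
$groupName = $rdu.Split('\')[-1]
$group = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"
foreach ($member in @($group.Invoke('Members'))) {
    $name = $member.GetType().InvokeMember('Name', 'GetProperty', $null, $member, $null)
    if ($name -eq $AllowedGroup) { "OK      $groupName member: $name" }
    else                         { "REVIEW  $groupName member: $name" }
}

# 2. Holders of "Allow log on through Terminal Services"
#    (SeRemoteInteractiveLogonRight in the exported security policy).
$cfg = Join-Path $env:TEMP 'user-rights-audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' }
Remove-Item $cfg
if (-not $line) {
    'REVIEW  SeRemoteInteractiveLogonRight not found in export'
} else {
    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $value = $entry.Trim()
        if ($value.StartsWith('*')) { $value = Resolve-Sid $value.TrimStart('*') }
        if (@($rdu, $admins) -contains $value) { "OK      logon right: $value" }
        else                                   { "REVIEW  logon right: $value" }
    }
}
```

Any REVIEW line for "Authenticated Users", "Domain Users" or "Everyone" corresponds to the broad memberships the answers above say to remove.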