Link to home
Start Free TrialLog in
Avatar of maximus7569
maximus7569

asked on

Access to Xen App Fundamentals

We have a xen app server that is running xen app fundamentals.  We have 25 licenses. We are running into a problem where users who dont need access are logging into Xen Apps.
What can be done to only allow the 25 users that should have access log in?  And when a user that is not suppose to have access be denied?  When a user that logs in and is not suppose to have access, it take a license and then it needs to be revoked to free it up.
Avatar of rrusch
rrusch
Flag of Switzerland image

Hi

Make sure that only allowed users (and possibly admin) are in the local "remote desktop users" group on the terminal server.

Actually I create a Group in the Domain called TS_USERS and then I add this group to all terminal servers "remote desktop users" group. Then I can simply add users to TS_USERS.
Avatar of maximus7569
maximus7569

ASKER

Will this work even though I am running Citrix and not just Terminal server?  
Could you be a more specific as to step by step?  The admin who does this actually quit and I got stuck with this.
Ok, no prob. Citrix is an extension to microsoft terminal server.

1. Create a security group in your AD called for ex. GE_TSUSER
2. Add allowed users to this group
3. open computer management on the terminal server
4. add GE_TSUSER to the local "Remote Desktop Users"
5. remove other groups like "domain users" or "Everyone"

Don't do that if all users are logged on since group membership is only evaluated on logon.
If you are unsure what to remove from "Remote Desktop Users" please post a list of users/groups in this local group.





Remotedesktopverbindung-2011-02-.png
User generated imageThis is what I have.  Is this right?
No, you are looking at "Terminal Server Computers".
The Group in question is "Remote Desktop Users" - 7 Lines up in your image.
Sorry about that I meant the remote desktop users.  I created the security group Xen Apps with all the users who need access to Xen App server.  I added the Xen apps group to Remote Desktop on the Xen App server.  I tried to log in as another user and was able to.  Did  I miss something.  Here are some snap shots. User generated image
You have to remove "Authenticated Users" since almost all users are a member of this windows built in group.
Done should this block any other domain user to login now?
I am still able to login with another user that is not part of the Xen Apps group.  Did I miss something?
Please also check Group Policy:

Start > run
type gpedit.msc
Check value of "Allow log on through Terminal Services"

There should be no more than Administrators and Remote Desktop Users

Remotedesktopverbindung-2011-02-.png
This is what I have. User generated image
Do your users work as administrators?
I actually just created a new user and he is only a domain user.  I was able to login as him.
There seems to be a strange configuration in place. Please check the members of the local "Administrators" group.
ok I will check that.
no they are not in there
Ok, it is also possible to set user access in Terminal Services Configuration. Please check that also: Start > run > tscc.msc


Remotedesktopverbindung-2011-02-.png
I dont have that. This is what I have.

Terminal-Cofig.JPG
In Windows 2008 Server its in role configuration. Sorry for the printscreen in german but i have no english win 2k8 terminal server at the moment.
Remotedesktopverbindung-2011-02-.png
ASKER CERTIFIED SOLUTION
Avatar of maximus7569
maximus7569

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Yes, you can do that. I think you should also add Domain Admins group.
Looks like modifying access in the Xen App console fixed it.
As I was looking to fix this solution, I looked in the Xen App console and looked to where you could secure Xen App by OUs.  I was unable to fix with the assistance that was provided.