• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 129
  • Last Modified:

Giving non IT Admin access to Citrix AppCenter (Delivery Services Console) on XenApp 6.5

Client using XenApp 6.5 on Server 2008 R2.

It would like to give a non IT Admin in an outlying office access to the Citrix AppCenter (Delivery Services Console) so they may reset users having issues in that office.

We have followed How to Create Custom Delivery Services Console with Windows Administration Components on XenApp.

However, when the user tries to launch it they get:
1.JPGThis is down to the XenApp User Policy setting in place:
2.JPG
So, I went into that policy setting to enable the snap-in but its not listed. Is it possible to add it into GPO?

Thanks
Mark
0
Mark Galvin
Asked:
Mark Galvin
  • 4
  • 4
4 Solutions
 
oBdACommented:
Thomas Koetzing - http://www.thomaskoetzing.de - has a solution at http://discussions.citrix.com/topic/309644-how-to-add-xenapp-appcenter-console-to-the-explicitly-permitted-list-of-snap-ins-in-group-policy/
"Just use the GPO for Windows Settings, Registry in Preferences. Make sure you import the values NOT in the user context. Attached the XML file to simply import into the GPO.

I'm not sure what he means with "import the values NOT in the user context", though, as this targets HKCU; it could be the option "Run in logged-on user's security context (user policy option)" in the item's properties.
The XML below is slightly changed as compared to Thomas's version; it enables the option "Remove this item when it is no longer applied".
You can save it as Whatever.xml, copy the file in Explorer, and paste it into the GP Editor while "User Configuration\Preferences\Windows Settings\Registry" is selected.
Can't test it at the moment, but it should work.
<Collection clsid="{53B533F5-224C-47e3-B01B-CA3B3F3FF4BF}" name="Citrix AppCenter">
	<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="Restrict_Run" status="Restrict_Run" image="11" changed="2016-07-27 11:44:46" uid="{E865B67D-CFD4-46D3-A0B3-B49A322CBE57}" removePolicy="1" bypassErrors="1">
		<Properties action="R" displayDecimal="0" default="0" hive="HKEY_CURRENT_USER" key="Software\Policies\Microsoft\MMC\{00000009-E873-47a9-B9C9-10B2A50327CB}" name="Restrict_Run" type="REG_DWORD" value="00000000" />
	</Registry>
	<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="Restrict_Run" status="Restrict_Run" image="11" changed="2016-07-27 11:43:36" uid="{59475273-F5A8-4014-92E3-FE79548E78EE}" removePolicy="1" bypassErrors="1">
		<Properties action="R" displayDecimal="0" default="0" hive="HKEY_CURRENT_USER" key="Software\Policies\Microsoft\MMC\{46BADCE7-337E-4834-9800-3244567688FC}" name="Restrict_Run" type="REG_DWORD" value="00000000" />
	</Registry>
</Collection>

Open in new window

0
 
Mark GalvinManaging Director / Principal ConsultantAuthor Commented:
Hi

I had seen that.

So, where do I import this - as in, for what user? Do I import it into a GPO that affects my domain admin account and will then be able to add the snap-in for Citrix AppCenter to the list of allowed Snap-Ins for my XenApp users?
0
 
oBdACommented:
No; this creates the same registry entries that the "Allowed SnapIns" policy would create, but using a Registry Preference.
So create a new GPO "Allow Citrix Management" or whatever, and apply it to the users that you want to be able to use the XA console (obviously with a higher priority than the GPO that restricts the SnapIns).
Then import the XML into this GPO as described above.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
Mark GalvinManaging Director / Principal ConsultantAuthor Commented:
Hi

thanks for that. I have:
  1. created a new GPO under the XenApp Servers OU
  2. imported the new reg collection
  3. made the Link Order so that the new GPO is above (i.e. lower link number) the existing GPO (which currently blocks the Snap-Ins)
  4. applied the new GPO to only the user that needs access

Will test tomorrow and advised how that goes.

Thanks
Mark
0
 
Mark GalvinManaging Director / Principal ConsultantAuthor Commented:
OK. User tested and they now get:
3.JPGThen the Discovery process runs and fails and then gives this error:
4.JPG
Thanks
Mark
0
 
oBdACommented:
That looks like the default "Folder" MMC SnapIn; you should be able to allow that through the regular means.
0
 
Mark GalvinManaging Director / Principal ConsultantAuthor Commented:
Ah, but which one :-)

The only 'Folder' one I can find is 'Folder Redirection'.
0
 
oBdACommented:
Couldn't find it in the default MMC restriction settings, either, which I found a bit surprising, but the GUID below isn't in the MMC.admx, either.
Try to add another registry entry like the ones before, but this time with this GUID in the key path:
{C96401CC-0E17-11D3-885B-00C04F72C717}
You can search in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\MMC\SnapIns if you're missing other Snap-Ins; there's a REG_SZ value NameString under each GUID you can check.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

  • 4
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now