Solved

Giving non IT Admin access to Citrix AppCenter (Delivery Services Console) on XenApp 6.5

Posted on 2016-07-27
Last Modified: 2016-07-28
Client using XenApp 6.5 on Server 2008 R2.

It would like to give a non IT Admin in an outlying office access to the Citrix AppCenter (Delivery Services Console) so they may reset users having issues in that office.

We have followed How to Create Custom Delivery Services Console with Windows Administration Components on XenApp.

However, when the user tries to launch it they get:
[Image: 1.JPG]
This is down to the XenApp User Policy setting in place:
[Image: 2.JPG]
So, I went into that policy setting to enable the snap-in but it's not listed. Is it possible to add it into GPO?

Thanks
Mark
Question by:Mark Galvin
8 Comments
 
LVL 83

Accepted Solution

by:
oBdA earned 500 total points
ID: 41731081
Thomas Koetzing - http://www.thomaskoetzing.de - has a solution at http://discussions.citrix.com/topic/309644-how-to-add-xenapp-appcenter-console-to-the-explicitly-permitted-list-of-snap-ins-in-group-policy/
"Just use the GPO for Windows Settings, Registry in Preferences. Make sure you import the values NOT in the user context. Attached the XML file to simply import into the GPO."

I'm not sure what he means with "import the values NOT in the user context", though, as this targets HKCU; it could be the option "Run in logged-on user's security context (user policy option)" in the item's properties.
The XML below is slightly changed as compared to Thomas's version; it enables the option "Remove this item when it is no longer applied".
You can save it as Whatever.xml, copy the file in Explorer, and paste it into the GP Editor while "User Configuration\Preferences\Windows Settings\Registry" is selected.
Can't test it at the moment, but it should work.
<Collection clsid="{53B533F5-224C-47e3-B01B-CA3B3F3FF4BF}" name="Citrix AppCenter">
	<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="Restrict_Run" status="Restrict_Run" image="11" changed="2016-07-27 11:44:46" uid="{E865B67D-CFD4-46D3-A0B3-B49A322CBE57}" removePolicy="1" bypassErrors="1">
		<Properties action="R" displayDecimal="0" default="0" hive="HKEY_CURRENT_USER" key="Software\Policies\Microsoft\MMC\{00000009-E873-47a9-B9C9-10B2A50327CB}" name="Restrict_Run" type="REG_DWORD" value="00000000" />
	</Registry>
	<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="Restrict_Run" status="Restrict_Run" image="11" changed="2016-07-27 11:43:36" uid="{59475273-F5A8-4014-92E3-FE79548E78EE}" removePolicy="1" bypassErrors="1">
		<Properties action="R" displayDecimal="0" default="0" hive="HKEY_CURRENT_USER" key="Software\Policies\Microsoft\MMC\{46BADCE7-337E-4834-9800-3244567688FC}" name="Restrict_Run" type="REG_DWORD" value="00000000" />
	</Registry>
</Collection>


0
 
LVL 13

Author Comment

by:Mark Galvin
ID: 41731110
Hi

I had seen that.

So, where do I import this - as in, for what user? Do I import it into a GPO that affects my domain admin account and will then be able to add the snap-in for Citrix AppCenter to the list of allowed Snap-Ins for my XenApp users?
0
 
LVL 83

Assisted Solution

by:oBdA
oBdA earned 500 total points
ID: 41731115
No; this creates the same registry entries that the "Allowed SnapIns" policy would create, but using a Registry Preference.
So create a new GPO "Allow Citrix Management" or whatever, and apply it to the users that you want to be able to use the XA console (obviously with a higher priority than the GPO that restricts the SnapIns).
Then import the XML into this GPO as described above.
0
 
LVL 13

Author Comment

by:Mark Galvin
ID: 41731126
Hi

thanks for that. I have:
  1. created a new GPO under the XenApp Servers OU
  2. imported the new reg collection
  3. made the Link Order so that the new GPO is above (i.e. lower link number) the existing GPO (which currently blocks the Snap-Ins)
  4. applied the new GPO to only the user that needs access

Will test tomorrow and advise how that goes.

Thanks
Mark
0
 
LVL 13

Author Comment

by:Mark Galvin
ID: 41733030
OK. User tested and they now get:
[Image: 3.JPG]
Then the Discovery process runs and fails and then gives this error:
[Image: 4.JPG]
Thanks
Mark
0
 
LVL 83

Assisted Solution

by:oBdA
oBdA earned 500 total points
ID: 41733035
That looks like the default "Folder" MMC SnapIn; you should be able to allow that through the regular means.
0
 
LVL 13

Author Comment

by:Mark Galvin
ID: 41733094
Ah, but which one :-)

The only 'Folder' one I can find is 'Folder Redirection'.
0
 
LVL 83

Assisted Solution

by:oBdA
oBdA earned 500 total points
ID: 41733139
Couldn't find it in the default MMC restriction settings, either, which I found a bit surprising, but the GUID below isn't in the MMC.admx, either.
Try to add another registry entry like the ones before, but this time with this GUID in the key path:
{C96401CC-0E17-11D3-885B-00C04F72C717}
You can search in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\MMC\SnapIns if you're missing other Snap-Ins; there's a REG_SZ value NameString under each GUID you can check.
0
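The registry lookup described in the answer above can be scripted so that only the snap-ins the delegated user actually needs get permitted. This is an added example, not part of the original thread: `Get-SnapInPolicyState` is a hypothetical helper name, the native (non-Wow6432Node) SnapIns path is an assumption added for completeness, and `RestrictToPermittedSnapins` is the value written by the "Restrict users to the explicitly permitted list of snap-ins" policy.

```powershell
# Added example. Get-SnapInPolicyState is a hypothetical helper name.
# Run as the delegated user on the XenApp server so HKCU reflects their policy.
$snapInRoots = @(
    'HKLM:\SOFTWARE\Microsoft\MMC\SnapIns',               # assumption: native view
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MMC\SnapIns'    # path named in the thread
)
$policyRoot = 'HKCU:\Software\Policies\Microsoft\MMC'

function Get-SnapInPolicyState {
    param([string]$NameFilter = '*')

    # RestrictToPermittedSnapins = 1: only snap-ins with Restrict_Run = 0 may load.
    $mmcPolicy = Get-Item -LiteralPath $policyRoot -ErrorAction SilentlyContinue
    $allowListMode = $false
    if ($mmcPolicy) {
        $allowListMode = ($mmcPolicy.GetValue('RestrictToPermittedSnapins') -eq 1)
    }

    foreach ($root in $snapInRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $guid = $key.PSChildName
            $name = [string]$key.GetValue('NameString')
            if ($name -notlike $NameFilter) { continue }

            # Per-snap-in policy key: same GUID under the HKCU policy root.
            $polKey = Get-Item -LiteralPath (Join-Path $policyRoot $guid) -ErrorAction SilentlyContinue
            $restrictRun = if ($polKey) { $polKey.GetValue('Restrict_Run') } else { $null }

            # Allow-list mode needs an explicit 0; otherwise only an explicit 1 blocks.
            $allowed = if ($allowListMode) { $restrictRun -eq 0 } else { $restrictRun -ne 1 }

            New-Object PSObject -Property @{
                Guid = $guid; Name = $name; RegistryView = $root
                RestrictRun = $restrictRun; Allowed = $allowed
            } | Select-Object Guid, Name, RestrictRun, Allowed, RegistryView
        }
    }
}

# List every registered snap-in with its effective state for the current user.
Get-SnapInPolicyState | Sort-Object Name | Format-Table Guid, Name, RestrictRun, Allowed -AutoSize
```

Pass a pattern such as `-NameFilter '*Citrix*'` to narrow the list; any GUID that shows `Allowed = False` and is required by the console is a candidate for another Registry Preference item like the ones in the accepted solution.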
