?
Solved

Giving non IT Admin access to Citrix AppCenter (Delivery Services Console) on XenApp 6.5

Posted on 2016-07-27
8
Medium Priority
?
90 Views
Last Modified: 2016-07-28
Client using XenApp 6.5 on Server 2008 R2.

It would like to give a non IT Admin in an outlying office access to the Citrix AppCenter (Delivery Services Console) so they may reset users having issues in that office.

We have followed How to Create Custom Delivery Services Console with Windows Administration Components on XenApp.

However, when the user tries to launch it they get:
1.JPGThis is down to the XenApp User Policy setting in place:
2.JPG
So, I went into that policy setting to enable the snap-in but its not listed. Is it possible to add it into GPO?

Thanks
Mark
0
Comment
Question by:Mark Galvin
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
8 Comments
 
LVL 85

Accepted Solution

by:
oBdA earned 2000 total points
ID: 41731081
Thomas Koetzing - http://www.thomaskoetzing.de - has a solution at http://discussions.citrix.com/topic/309644-how-to-add-xenapp-appcenter-console-to-the-explicitly-permitted-list-of-snap-ins-in-group-policy/
"Just use the GPO for Windows Settings, Registry in Preferences. Make sure you import the values NOT in the user context. Attached the XML file to simply import into the GPO.

I'm not sure what he means with "import the values NOT in the user context", though, as this targets HKCU; it could be the option "Run in logged-on user's security context (user policy option)" in the item's properties.
The XML below is slightly changed as compared to Thomas's version; it enables the option "Remove this item when it is no longer applied".
You can save it as Whatever.xml, copy the file in Explorer, and paste it into the GP Editor while "User Configuration\Preferences\Windows Settings\Registry" is selected.
Can't test it at the moment, but it should work.
<Collection clsid="{53B533F5-224C-47e3-B01B-CA3B3F3FF4BF}" name="Citrix AppCenter">
	<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="Restrict_Run" status="Restrict_Run" image="11" changed="2016-07-27 11:44:46" uid="{E865B67D-CFD4-46D3-A0B3-B49A322CBE57}" removePolicy="1" bypassErrors="1">
		<Properties action="R" displayDecimal="0" default="0" hive="HKEY_CURRENT_USER" key="Software\Policies\Microsoft\MMC\{00000009-E873-47a9-B9C9-10B2A50327CB}" name="Restrict_Run" type="REG_DWORD" value="00000000" />
	</Registry>
	<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="Restrict_Run" status="Restrict_Run" image="11" changed="2016-07-27 11:43:36" uid="{59475273-F5A8-4014-92E3-FE79548E78EE}" removePolicy="1" bypassErrors="1">
		<Properties action="R" displayDecimal="0" default="0" hive="HKEY_CURRENT_USER" key="Software\Policies\Microsoft\MMC\{46BADCE7-337E-4834-9800-3244567688FC}" name="Restrict_Run" type="REG_DWORD" value="00000000" />
	</Registry>
</Collection>

Open in new window

0
 
LVL 13

Author Comment

by:Mark Galvin
ID: 41731110
Hi

I had seen that.

So, where do I import this - as in, for what user? Do I import it into a GPO that affects my domain admin account and will then be able to add the snap-in for Citrix AppCenter to the list of allowed Snap-Ins for my XenApp users?
0
 
LVL 85

Assisted Solution

by:oBdA
oBdA earned 2000 total points
ID: 41731115
No; this creates the same registry entries that the "Allowed SnapIns" policy would create, but using a Registry Preference.
So create a new GPO "Allow Citrix Management" or whatever, and apply it to the users that you want to be able to use the XA console (obviously with a higher priority than the GPO that restricts the SnapIns).
Then import the XML into this GPO as described above.
0
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 13

Author Comment

by:Mark Galvin
ID: 41731126
Hi

thanks for that. I have:
  1. created a new GPO under the XenApp Servers OU
  2. imported the new reg collection
  3. made the Link Order so that the new GPO is above (i.e. lower link number) the existing GPO (which currently blocks the Snap-Ins)
  4. applied the new GPO to only the user that needs access

Will test tomorrow and advised how that goes.

Thanks
Mark
0
 
LVL 13

Author Comment

by:Mark Galvin
ID: 41733030
OK. User tested and they now get:
3.JPGThen the Discovery process runs and fails and then gives this error:
4.JPG
Thanks
Mark
0
 
LVL 85

Assisted Solution

by:oBdA
oBdA earned 2000 total points
ID: 41733035
That looks like the default "Folder" MMC SnapIn; you should be able to allow that through the regular means.
0
 
LVL 13

Author Comment

by:Mark Galvin
ID: 41733094
Ah, but which one :-)

The only 'Folder' one I can find is 'Folder Redirection'.
0
 
LVL 85

Assisted Solution

by:oBdA
oBdA earned 2000 total points
ID: 41733139
Couldn't find it in the default MMC restriction settings, either, which I found a bit surprising, but the GUID below isn't in the MMC.admx, either.
Try to add another registry entry like the ones before, but this time with this GUID in the key path:
{C96401CC-0E17-11D3-885B-00C04F72C717}
You can search in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\MMC\SnapIns if you're missing other Snap-Ins; there's a REG_SZ value NameString under each GUID you can check.
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

#Citrix #XenApp #Citrix Scout #Citrix Insight Services #Microsoft VMMAP #Microsoft ADEXPLORE #Microsoft RAMMAP #Microsoft TCPVIEW #Microsoft AUTORUNS #Microsoft PROCESS EXPLORER #Microsoft PROCESS MONITOR
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question