Solved

Giving non IT Admin access to Citrix AppCenter (Delivery Services Console) on XenApp 6.5

Posted on 2016-07-27
8
38 Views
Last Modified: 2016-07-28
Client using XenApp 6.5 on Server 2008 R2.

It would like to give a non IT Admin in an outlying office access to the Citrix AppCenter (Delivery Services Console) so they may reset users having issues in that office.

We have followed How to Create Custom Delivery Services Console with Windows Administration Components on XenApp.

However, when the user tries to launch it they get:
1.JPGThis is down to the XenApp User Policy setting in place:
2.JPG
So, I went into that policy setting to enable the snap-in but its not listed. Is it possible to add it into GPO?

Thanks
Mark
0
Comment
Question by:Mark Galvin
  • 4
  • 4
8 Comments
 
LVL 83

Accepted Solution

by:
oBdA earned 500 total points
ID: 41731081
Thomas Koetzing - http://www.thomaskoetzing.de - has a solution at http://discussions.citrix.com/topic/309644-how-to-add-xenapp-appcenter-console-to-the-explicitly-permitted-list-of-snap-ins-in-group-policy/
"Just use the GPO for Windows Settings, Registry in Preferences. Make sure you import the values NOT in the user context. Attached the XML file to simply import into the GPO.

I'm not sure what he means with "import the values NOT in the user context", though, as this targets HKCU; it could be the option "Run in logged-on user's security context (user policy option)" in the item's properties.
The XML below is slightly changed as compared to Thomas's version; it enables the option "Remove this item when it is no longer applied".
You can save it as Whatever.xml, copy the file in Explorer, and paste it into the GP Editor while "User Configuration\Preferences\Windows Settings\Registry" is selected.
Can't test it at the moment, but it should work.
<Collection clsid="{53B533F5-224C-47e3-B01B-CA3B3F3FF4BF}" name="Citrix AppCenter">
	<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="Restrict_Run" status="Restrict_Run" image="11" changed="2016-07-27 11:44:46" uid="{E865B67D-CFD4-46D3-A0B3-B49A322CBE57}" removePolicy="1" bypassErrors="1">
		<Properties action="R" displayDecimal="0" default="0" hive="HKEY_CURRENT_USER" key="Software\Policies\Microsoft\MMC\{00000009-E873-47a9-B9C9-10B2A50327CB}" name="Restrict_Run" type="REG_DWORD" value="00000000" />
	</Registry>
	<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="Restrict_Run" status="Restrict_Run" image="11" changed="2016-07-27 11:43:36" uid="{59475273-F5A8-4014-92E3-FE79548E78EE}" removePolicy="1" bypassErrors="1">
		<Properties action="R" displayDecimal="0" default="0" hive="HKEY_CURRENT_USER" key="Software\Policies\Microsoft\MMC\{46BADCE7-337E-4834-9800-3244567688FC}" name="Restrict_Run" type="REG_DWORD" value="00000000" />
	</Registry>
</Collection>

Open in new window

0
 
LVL 13

Author Comment

by:Mark Galvin
ID: 41731110
Hi

I had seen that.

So, where do I import this - as in, for what user? Do I import it into a GPO that affects my domain admin account and will then be able to add the snap-in for Citrix AppCenter to the list of allowed Snap-Ins for my XenApp users?
0
 
LVL 83

Assisted Solution

by:oBdA
oBdA earned 500 total points
ID: 41731115
No; this creates the same registry entries that the "Allowed SnapIns" policy would create, but using a Registry Preference.
So create a new GPO "Allow Citrix Management" or whatever, and apply it to the users that you want to be able to use the XA console (obviously with a higher priority than the GPO that restricts the SnapIns).
Then import the XML into this GPO as described above.
0
VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

 
LVL 13

Author Comment

by:Mark Galvin
ID: 41731126
Hi

thanks for that. I have:
  1. created a new GPO under the XenApp Servers OU
  2. imported the new reg collection
  3. made the Link Order so that the new GPO is above (i.e. lower link number) the existing GPO (which currently blocks the Snap-Ins)
  4. applied the new GPO to only the user that needs access

Will test tomorrow and advised how that goes.

Thanks
Mark
0
 
LVL 13

Author Comment

by:Mark Galvin
ID: 41733030
OK. User tested and they now get:
3.JPGThen the Discovery process runs and fails and then gives this error:
4.JPG
Thanks
Mark
0
 
LVL 83

Assisted Solution

by:oBdA
oBdA earned 500 total points
ID: 41733035
That looks like the default "Folder" MMC SnapIn; you should be able to allow that through the regular means.
0
 
LVL 13

Author Comment

by:Mark Galvin
ID: 41733094
Ah, but which one :-)

The only 'Folder' one I can find is 'Folder Redirection'.
0
 
LVL 83

Assisted Solution

by:oBdA
oBdA earned 500 total points
ID: 41733139
Couldn't find it in the default MMC restriction settings, either, which I found a bit surprising, but the GUID below isn't in the MMC.admx, either.
Try to add another registry entry like the ones before, but this time with this GUID in the key path:
{C96401CC-0E17-11D3-885B-00C04F72C717}
You can search in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\MMC\SnapIns if you're missing other Snap-Ins; there's a REG_SZ value NameString under each GUID you can check.
0

Featured Post

Gigs: Get Your Project Delivered by an Expert

Select from freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

#Citrix #Internet Explorer #Enterprise Mode #IE 11 #IE 8
Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now