Solved

Giving non IT Admin access to Citrix AppCenter (Delivery Services Console) on XenApp 6.5

Posted on 2016-07-27
8
45 Views
Last Modified: 2016-07-28
Client using XenApp 6.5 on Server 2008 R2.

It would like to give a non IT Admin in an outlying office access to the Citrix AppCenter (Delivery Services Console) so they may reset users having issues in that office.

We have followed How to Create Custom Delivery Services Console with Windows Administration Components on XenApp.

However, when the user tries to launch it they get:
1.JPGThis is down to the XenApp User Policy setting in place:
2.JPG
So, I went into that policy setting to enable the snap-in but its not listed. Is it possible to add it into GPO?

Thanks
Mark
0
Comment
Question by:Mark Galvin
  • 4
  • 4
8 Comments
 
LVL 84

Accepted Solution

by:
oBdA earned 500 total points
ID: 41731081
Thomas Koetzing - http://www.thomaskoetzing.de - has a solution at http://discussions.citrix.com/topic/309644-how-to-add-xenapp-appcenter-console-to-the-explicitly-permitted-list-of-snap-ins-in-group-policy/
"Just use the GPO for Windows Settings, Registry in Preferences. Make sure you import the values NOT in the user context. Attached the XML file to simply import into the GPO.

I'm not sure what he means with "import the values NOT in the user context", though, as this targets HKCU; it could be the option "Run in logged-on user's security context (user policy option)" in the item's properties.
The XML below is slightly changed as compared to Thomas's version; it enables the option "Remove this item when it is no longer applied".
You can save it as Whatever.xml, copy the file in Explorer, and paste it into the GP Editor while "User Configuration\Preferences\Windows Settings\Registry" is selected.
Can't test it at the moment, but it should work.
<Collection clsid="{53B533F5-224C-47e3-B01B-CA3B3F3FF4BF}" name="Citrix AppCenter">
	<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="Restrict_Run" status="Restrict_Run" image="11" changed="2016-07-27 11:44:46" uid="{E865B67D-CFD4-46D3-A0B3-B49A322CBE57}" removePolicy="1" bypassErrors="1">
		<Properties action="R" displayDecimal="0" default="0" hive="HKEY_CURRENT_USER" key="Software\Policies\Microsoft\MMC\{00000009-E873-47a9-B9C9-10B2A50327CB}" name="Restrict_Run" type="REG_DWORD" value="00000000" />
	</Registry>
	<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="Restrict_Run" status="Restrict_Run" image="11" changed="2016-07-27 11:43:36" uid="{59475273-F5A8-4014-92E3-FE79548E78EE}" removePolicy="1" bypassErrors="1">
		<Properties action="R" displayDecimal="0" default="0" hive="HKEY_CURRENT_USER" key="Software\Policies\Microsoft\MMC\{46BADCE7-337E-4834-9800-3244567688FC}" name="Restrict_Run" type="REG_DWORD" value="00000000" />
	</Registry>
</Collection>

Open in new window

0
 
LVL 13

Author Comment

by:Mark Galvin
ID: 41731110
Hi

I had seen that.

So, where do I import this - as in, for what user? Do I import it into a GPO that affects my domain admin account and will then be able to add the snap-in for Citrix AppCenter to the list of allowed Snap-Ins for my XenApp users?
0
 
LVL 84

Assisted Solution

by:oBdA
oBdA earned 500 total points
ID: 41731115
No; this creates the same registry entries that the "Allowed SnapIns" policy would create, but using a Registry Preference.
So create a new GPO "Allow Citrix Management" or whatever, and apply it to the users that you want to be able to use the XA console (obviously with a higher priority than the GPO that restricts the SnapIns).
Then import the XML into this GPO as described above.
0
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

 
LVL 13

Author Comment

by:Mark Galvin
ID: 41731126
Hi

thanks for that. I have:
  1. created a new GPO under the XenApp Servers OU
  2. imported the new reg collection
  3. made the Link Order so that the new GPO is above (i.e. lower link number) the existing GPO (which currently blocks the Snap-Ins)
  4. applied the new GPO to only the user that needs access

Will test tomorrow and advised how that goes.

Thanks
Mark
0
 
LVL 13

Author Comment

by:Mark Galvin
ID: 41733030
OK. User tested and they now get:
3.JPGThen the Discovery process runs and fails and then gives this error:
4.JPG
Thanks
Mark
0
 
LVL 84

Assisted Solution

by:oBdA
oBdA earned 500 total points
ID: 41733035
That looks like the default "Folder" MMC SnapIn; you should be able to allow that through the regular means.
0
 
LVL 13

Author Comment

by:Mark Galvin
ID: 41733094
Ah, but which one :-)

The only 'Folder' one I can find is 'Folder Redirection'.
0
 
LVL 84

Assisted Solution

by:oBdA
oBdA earned 500 total points
ID: 41733139
Couldn't find it in the default MMC restriction settings, either, which I found a bit surprising, but the GUID below isn't in the MMC.admx, either.
Try to add another registry entry like the ones before, but this time with this GUID in the key path:
{C96401CC-0E17-11D3-885B-00C04F72C717}
You can search in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\MMC\SnapIns if you're missing other Snap-Ins; there's a REG_SZ value NameString under each GUID you can check.
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After several days of searching and hunting for limited documentation, I wanted to share this guide to hopefully save someone the hassle of trying to figure this out on their own. I have tested this on Xendesktop 7.1 and PS 4.5 running simultaneous…
#Citrix #Internet Explorer #Enterprise Mode #IE 11 #IE 8
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
How to install and configure Citrix XenApp 6.5 - Part 1. In this video tutorial we have explained step by step installation of Citrix XenApp 6.5 Server on Windows Server 2008 R2 is explained in this video. We have explained the difference between…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question