
Log on Locally rights question.

Status
Not open for further replies.

rayzze

IS-IT--Management
Sep 17, 2002
64
US
I have a Metaframe XP FR2 server farm with 4 servers. Each server hosts different published apps and I want to limit who has rights to log on to these boxes. I have used the local security policy to limit who can log on locally and this works with one exception.

If a user requests a list of published apps he has access to via logging on to the farm or via NFUSE, and contacts a server (via TCP/IP + HTTP resolving ICA) that he doesn't have the right to log on locally to, that server will not give him a list of published apps on the other farm servers he does have access to.... In turn if I give that user access to log on locally to the server he doesn't need, it will provide a list of apps on the servers he needs.

I get the feeling in order to have published apps browsing work correctly all users must have some basic right on all of the servers in the farm, but I do not want them to be able to log on anywhere they want... Any Ideas?
 
Here is how I handle it. I create a global Citrix Users group that any and every Citrix user is a member of. I grant that group the logon local right. I then create groups per application and add the users to the respective group. The final step is to disable RDP (or restrict it to just admins if you wish) and check the Run only Published Applications option for the ICA Connection. Thus, rather than trying to restrict log on local rights by user, I control their access to the servers by restricting their access to published applications. The only way around that security setup would be to get physical access to the servers (which opens up a whole other can of worms).
 
No edit on this forum. hmmmm....

I should have stated that I grant the global group the logon local right to every Citrix server. Not sure if that was clear or not.
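
A check for the setup described above, as an added example that is not part of the original posts: it parses the `[Privilege Rights]` section of a `secedit /export /areas USER_RIGHTS` dump from each farm server and flags servers where the global group lacks the log on locally right (the browsing failure in the question) or where other principals hold it. The server names, domain, group names and sample exports are constructed assumptions.

```python
import configparser

# Constructed sample data: [Privilege Rights] as written by
# `secedit /export /areas USER_RIGHTS` on three farm servers.
# Real exports are UTF-16 files; decode them before passing the text in.
EXPORTS = {
    "CTX01": "[Privilege Rights]\n"
             "SeInteractiveLogonRight = *S-1-5-32-544,EXAMPLE\\Citrix Users\n",
    "CTX02": "[Privilege Rights]\n"
             "SeInteractiveLogonRight = *S-1-5-32-544,EXAMPLE\\Payroll App Users\n",
    "CTX03": "[Privilege Rights]\n"
             "SeInteractiveLogonRight = *S-1-5-32-544,EXAMPLE\\Citrix Users,EXAMPLE\\jsmith\n",
}
REQUIRED = "EXAMPLE\\Citrix Users"      # hypothetical global group
ALLOWED = {"*S-1-5-32-544", REQUIRED}   # S-1-5-32-544 = BUILTIN\Administrators


def logon_local_holders(inf_text):
    """Return the principals holding SeInteractiveLogonRight (log on locally)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the key's original case
    parser.read_string(inf_text)
    raw = parser.get("Privilege Rights", "SeInteractiveLogonRight", fallback="")
    return {p.strip() for p in raw.split(",") if p.strip()}


def audit(exports, required=REQUIRED, allowed=ALLOWED):
    """Map each server to its findings; an empty list means compliant."""
    allowed_cf = {a.casefold() for a in allowed}
    report = {}
    for server, text in exports.items():
        # Windows account names are case-insensitive, so compare casefolded.
        holders = {h.casefold(): h for h in logon_local_holders(text)}
        findings = []
        if required.casefold() not in holders:
            # This server would refuse to enumerate apps for ordinary users.
            findings.append("missing: " + required)
        for key in sorted(set(holders) - allowed_cf):
            # Per-user or per-app grants defeat the single-group model.
            findings.append("unexpected: " + holders[key])
        report[server] = findings
    return report


if __name__ == "__main__":
    for server, findings in audit(EXPORTS).items():
        print(server, "OK" if not findings else "; ".join(findings))
```
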
 
I have been reluctant to do this because I have a few people who directly connect to a server to get a desktop with a specific app. But if I just published those individual desktops and gave those special users rights...

Thanks, that would definitely work.
 