TSadmin Questions 2

Status
Not open for further replies.

insureme

IS-IT--Management
Dec 9, 2008
103
US
I'm currently running a Citrix environment with six servers and am the only administrator in the company. I've got a couple of users who will be helping with some of my duties and I need to give them specific rights to do stuff. How can I delegate the ability for specific users to perform the following tasks?

Remote Control
Log Off
Reset
Send Message

Can this be done without giving the users administrator rights to the Citrix servers?
 
In AD you can delegate permissions for the domain.
 
OK, so I can delegate the rights through AD using a security group? How do I do it though? As a side note, we are currently running a 2000 Active Directory, hopefully jumping to 2008 at the beginning of next year. I looked through the delegation rights and I can't seem to figure out which ones would apply to Terminal Services connections.
 
Yes you can do this without admin rights. I don't know if it can be done through a policy, but it can be done on each server manually.

What you want to do is create a Windows group for the users that will have these functions.

Now log on to the server you want to "delegate" these rights to, open up "Terminal Services Configuration" and open the properties of the RDP connection.

Under the "security" or "permissions" tab you will want to add this new group you just created.

Now click on the advanced button and edit that user group, and check the appropriate permissions you wish to delegate.
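
The manual steps in the post above can also be scripted per server. This is an added example, not part of the original post or from any poster: it uses the Terminal Services WMI provider classes `Win32_TSPermissionsSetting` and `Win32_TSAccount` to give one group only the session-control rights asked for in the thread. The group name `EXAMPLE\tsadmins` is a placeholder, and the namespace and listener names are assumptions to adjust for the server version.

```powershell
# Added example, not from the thread. Run elevated on each terminal server.
param(
    [string]$Group = 'EXAMPLE\tsadmins',                # placeholder domain\group
    [string[]]$Listeners = @('RDP-Tcp', 'ICA-Tcp'),     # connections named in the thread
    [string]$Namespace = 'root\cimv2\TerminalServices'  # assumption: root\cimv2 on Server 2003
)

# Permission indexes accepted by Win32_TSAccount.ModifyPermissions
$Rights = @{
    'Query Information' = 0   # needed to list sessions at all
    'Logoff'            = 2
    'Remote Control'    = 4   # WINSTATION_SHADOW
    'Reset'             = 6
    'Message'           = 7
}

$account = $Group.Replace('\', '\\')   # WQL needs the backslash escaped

foreach ($listener in $Listeners) {
    $setting = Get-WmiObject -Namespace $Namespace -Class Win32_TSPermissionsSetting `
        -Filter "TerminalName='$listener'"
    if (-not $setting) { Write-Warning "Listener $listener not found"; continue }

    $filter = "TerminalName='$listener' AND AccountName='$account'"
    $entry = Get-WmiObject -Namespace $Namespace -Class Win32_TSAccount -Filter $filter
    if (-not $entry) {
        # Preset 0 = guest access, the smallest ACE to start from
        [void]$setting.AddAccount($Group, 0)
        $entry = Get-WmiObject -Namespace $Namespace -Class Win32_TSAccount -Filter $filter
    }
    if (-not $entry) { Write-Warning "Could not add $Group to $listener"; continue }

    # Allow each delegated right individually instead of granting full control
    foreach ($right in $Rights.GetEnumerator()) {
        $result = $entry.ModifyPermissions([uint32]$right.Value, $true)
        if ($result.ReturnValue -ne 0) {
            Write-Warning "$listener : $($right.Key) failed ($($result.ReturnValue))"
        }
    }

    # Re-read the entry so the resulting allow mask can be reviewed
    Get-WmiObject -Namespace $Namespace -Class Win32_TSAccount -Filter $filter |
        Select-Object TerminalName, AccountName, PermissionsAllowed
}
```

As the thread goes on to find, users who were logged in when the change was made do not pick it up until they log on again.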
 
Baddos,

I tried your suggestion but it didn't work. I created a local group named tsadmins, and a domain level group called tsadmin, and I even tried adding my domain logon directly, but the permissions did not change in any of these scenarios. I applied the new security settings to both the RDP-TCP and ICA-TCP connections. Does the server need to be rebooted before these settings will take effect?

 
Shouldn't need a restart, but would certainly need a new session. Make sure they aren't still logged into the server, force a logout if they still are.
 
Yeah, that's what I thought so I made sure I was logged off when I made the changes, but upon logging back in they didn't take. I even gave it about half an hour to make sure they should have taken effect.
 
In the Citrix Access Mgt Console, you can add a new user/group as a Citrix administrator and set rights there.
 
Where do you add the group in the management console, and how do you go about setting the rights?
 
In the Access Management Console, there is an "administrators" icon on the left navigation pane (assuming PS 4.x). Click that, then you have the option to add administrators - I would typically add an AD group. Then you can assign specific rights - you can customize it to provide access to the Console itself, then give them the ability to shadow, reset, etc.
 
OK, I just hit myself in the head for you. Not sure how I missed that. At any rate I did a quick review of it, and I'll configure and test later this afternoon. Thanks,
 
Still no dice. I've created an AD group called tsadmins, assigned the group members, and then put that group in the Citrix administrators using the management console. Still no rights elevation. So then I followed some of the above posts and put the same group in the TCP-ICA connection under Terminal Services Configuration, and delegated the same session control rights. Still no dice. Any other suggestions?

Thanks,
 
That's what I did. I think I've got it figured out though. Once these changes are made, they are not effective for users who were logged in when the changes were made. I'll check to make sure this is the case on Monday morning, but it seems to be the trend.
 
Verified. It's working fine now. Thanks for the help.
 