Another example where GPO preferences are awesome – Citrix AppCenter Administrative delegation
I granted the helpdesk access to AppCenter via group membership <domain>\citrix_desktop director. However, when users launched the application, they got this message:
This indicates that the MMC snap-in policy restrictions, which are locked down on the XenApp server, were taking effect. Not everyone has MMC access because it is a shared desktop, and non-admins should not have access to certain .msc snap-ins such as diskmgmt.msc or eventvwr.msc, to name a couple.
What we need to do is allow the snap-ins used for managing XenApp to work for a certain group of users, which we do via group policy. After some research I found the snap-in IDs for Citrix XenApp AppCenter as well as the related snap-ins. They are:
AppCenter Snapin : {00000009-E873-47a9-B9C9-10B2A50327CB}
XenApp Extension : {46BADCE7-337E-4834-9800-3244567688FC}
Citrix Hotfix Inventory Extension : {8E917BCC-05C5-4aeb-8EF7-0842397BB0ED}
Single Sign-On Console : {E93B8960-45DB-4418-84CA-B4364FB9676A}
I opened GPO management and added entries for all of the IDs above under:
HKU\ Software\Policies\Microsoft\MMC\{00000009-E873-47a9-B9C9-10B2A50327CB}
In the end, here are the preferences as configured in the GPO:
I also only target certain groups, as I don't want everyone to have this in their profile.
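To confirm that the preference reached only the targeted users, the check below reads the four snap-in entries from the logged-on user's policy hive. It is an added example, not part of the original post. It assumes the preference writes the standard MMC policy value `Restrict_Run` (0 = permitted, 1 = prohibited) under each snap-in key, and that the server enforces the allow-list through `RestrictToPermittedSnapins`; the post does not show the value names. `Get-DwordOrNull` is a helper name introduced here.

```powershell
# Added example: audit the MMC snap-in allow-list entries for the current user.
# Assumption: the GPO preference sets the standard Restrict_Run DWORD
# (0 = permitted, 1 = prohibited) under each snap-in key; the post does not
# show the value names it used.
$mmcPolicy = 'HKCU:\Software\Policies\Microsoft\MMC'

# Snap-in IDs exactly as listed in the post.
$snapIns = [ordered]@{
    'AppCenter Snapin'                  = '{00000009-E873-47a9-B9C9-10B2A50327CB}'
    'XenApp Extension'                  = '{46BADCE7-337E-4834-9800-3244567688FC}'
    'Citrix Hotfix Inventory Extension' = '{8E917BCC-05C5-4aeb-8EF7-0842397BB0ED}'
    'Single Sign-On Console'            = '{E93B8960-45DB-4418-84CA-B4364FB9676A}'
}

# Hypothetical helper: return a registry value, or $null when the key or value is absent.
function Get-DwordOrNull {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# A value of 1 means only explicitly permitted snap-ins may load for this user.
$restricted = Get-DwordOrNull -Path $mmcPolicy -Name 'RestrictToPermittedSnapins'
Write-Output "User: $env:USERDOMAIN\$env:USERNAME"
Write-Output "RestrictToPermittedSnapins = $(if ($null -eq $restricted) { 'not set' } else { $restricted })"

# One row per snap-in: is there an entry, and does it permit or prohibit the snap-in?
$report = foreach ($name in $snapIns.Keys) {
    $guid  = $snapIns[$name]
    $value = Get-DwordOrNull -Path (Join-Path $mmcPolicy $guid) -Name 'Restrict_Run'
    $state = if ($null -eq $value) { 'no entry' } elseif ($value -eq 0) { 'permitted' } else { 'prohibited' }
    [pscustomobject]@{ SnapIn = $name; Id = $guid; Restrict_Run = $value; State = $state }
}
$report | Format-Table -AutoSize
```

Run it in a session of a helpdesk account and again as a user outside the targeted group: the first should show all four snap-ins as permitted, the second should show no entries.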
Once the users logged back on and the preferences applied, they were able to launch the MMC, but there were still underlying permissions within XenApp:
The permissions within XenApp did not allow them to discover items in the farm, so I granted the group permission in the farm. This group will need Admin access to administer the farm, but one can limit what is managed per group or user.