Failure in App-V Client Configuration on Virtual Delivery Agent (VDA) if CtxAppVCOMAdmin is not a member of Administrator’s Group.

Requirements

Must have domain administrative privileges with enough permission to create or modify the GPO with the domain and/or the Organizational Unit (OU) used by VDA machines.

Background

The personalization components delivered for App-V integration are broadly divided into two categories: VDA and Deliverables for Desktop Studio.

One of the App-V Integration components on VDA must be configured with a local account in the Administrators group. This account requires all the privileges to perform App-V client configuration operations. The installation process of Jasper VDA Metainstaller automatically creates and configures the account CtxAppVCOMAdmin with random password and adds them to the Administrators group.

However, it is possible to configure a GPO for a domain and/or an OU with the Restricted Groups feature such that this account succeeds to install. However, it fails to start after a Virtual Machine joins the Domain or the OU. It is a common practice to add Administrators to the Restricted Groups, Member Of list, which removes all users (except Administrator) from the local Administrators group every time the policy is applied. In such a case, App-V client configuration fails.

In such a scenario, it is observed that App-V client is not configured with the correct Publishing Server details and the CtxAppVCOMAdmin user is not a part of the administrators group. The issue is that the VDA system restarts after installation. Once restarted, the GPO for the OU is applied and the CtxAppVCOMAdmin user is removed from the Administrators group.

This software application is provided to you as is with no representations, warranties or conditions of any kind. You may use and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that: (a) the software application may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the software application fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the software application. In no event should the software application be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SOFTWARE APPLICATION, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the software application.

The following approach allows the Restricted Groups GPO and App-V Integration on VDA to work together:

Add the user account to an exception list in the Restricted Groups.

1. Edit the GPO for the OU you wish to use with VDA and browse to Computer configuration > Policies > Windows Settings > Security Settings > Restricted Groups.

2. Add group Administrators.

3. Select Members.

4. Add CtxAppVCOMAdmin user.

5. Add any other users you want in the local Administrators group.

6. Click OK.

The CtxAppVCOMAdmin user can now retain the required local administrator privileges.

---

Problem Cause

The component running in this user context fails to configure the App-V client because of insufficient permissions.

This article provides resolution to the 'App-V Server Sync Failed’ error when CtxAppVCOMAdmin is not a member of the Administrators Group on the VDA/worker machine.