Citrix App-V Integration Minimum Permission Requirements


Article ID: CTX221296


Description

Citrix App-V Integration Minimum Permission Requirements
 
Background:
 
Two services handle most of Citrix’s App-V integration tasks:

1.) The Citrix Application Library Service running on the Delivery Controller is responsible for importing App-V packages into Studio.
2.) The Citrix Desktop Service (specifically, the App-V broker agent plug-in that is part of this service) running on the VDA is responsible for copying the App-V packages from the package share location to the local c:\windows\temp\CitrixAppVPkgCache folder.

 
Both of these services run under the context of Microsoft’s NetworkService account. 
 
When the NetworkService account on a machine makes a request for a network resource, it does not identify itself as the NetworkService account. Instead, it presents an access token that contains the SIDs of the following three accounts:
 
     1.) The computer account of the machine on which the service is running
     2.) The Authenticated Users group
     3.) The Everyone group
 
Therefore, you can reference any one of the above accounts when assigning permissions to the NetworkService account running on a remote machine.
 
More information on Microsoft’s NetworkService account can be found here: https://msdn.microsoft.com/en-us/library/windows/desktop/ms684272(v=vs.85).aspx
 
 
Permission Requirements:
 
In Dual Admin Mode implementations, the following permissions are required:
 
1.) The following accounts require at least effective READ share and NTFS permissions on the App-V package shared folder: 

  1. Any one of the following accounts: The computer account of the Delivery Controller (or the Authenticated Users or Everyone group). 
  2. Any one of the following accounts: The computer account of the VDA (or the Authenticated Users or Everyone group).
  3. The user account(s) who will be launching the application.  
     Assigning READ permissions to only the Everyone or Authenticated Users group above would satisfy all access requirements.
 
In Single Admin Mode implementations, the following permissions are required:
 
1.) The following accounts require at least effective READ share and NTFS permissions on the App-V package shared folder: 
  1. Any one of the following accounts: The computer account of the Delivery Controller (or the Authenticated Users or Everyone group). 
  2. Any one of the following accounts: The computer account of the VDA (or the Authenticated Users or Everyone group). 
  3. The user account(s) who will be launching the application.  
     Assigning READ permissions to only the Everyone or Authenticated Users group above would satisfy all access requirements.

2.) The following accounts require at least effective READ and WRITE NTFS permissions on the c:\windows\temp\citrixappvpkgcache folder on the VDA: 
  1. Any one of the following accounts: The computer account of the VDA (or the Authenticated Users or Everyone group). 
  2. The user account(s) who will be launching the application. 
     Assigning READ/WRITE permissions to only the Everyone or Authenticated Users group above would satisfy all access requirements.
   
     NOTE: In versions 7.14 and newer, the citrixAppvPackageCache folder is no longer created/used.
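
As an added example (not Citrix's own code), the following PowerShell grants the READ share and NTFS permissions on the App-V package shared folder to the named computer and user accounts instead of the Everyone or Authenticated Users groups, then reports any broad-group entry that exceeds READ. The domain, machine, group, share and path names are placeholders chosen for illustration.

```powershell
# Added example: run elevated on the file server that hosts the App-V package share.
# Every name below is a placeholder, not a value from the article.
$SharePath  = 'D:\AppVPackages'     # assumed local path behind the share
$ShareName  = 'AppVPackages'        # assumed share name
$Principals = @(
    'CONTOSO\DDC01$',               # Delivery Controller computer account
    'CONTOSO\VDA01$',               # VDA computer account
    'CONTOSO\AppV-Users'            # users who launch the applications
)

# NTFS: grant Read, inherited by subfolders and files.
$acl = Get-Acl -Path $SharePath
foreach ($p in $Principals) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $p, 'Read', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $SharePath -AclObject $acl

# Share: grant Read to the same principals.
foreach ($p in $Principals) {
    Grant-SmbShareAccess -Name $ShareName -AccountName $p -AccessRight Read -Force |
        Out-Null
}

# Audit: list broad groups that hold more than Read on the share or the folder.
$broad = 'Everyone', 'NT AUTHORITY\Authenticated Users'
$write = [System.Security.AccessControl.FileSystemRights]::Write

Get-SmbShareAccess -Name $ShareName |
    Where-Object { $broad -contains $_.AccountName -and
                   $_.AccessControlType -eq 'Allow' -and
                   $_.AccessRight -ne 'Read' } |
    Select-Object @{n='Layer';e={'Share'}}, AccountName, AccessRight

(Get-Acl -Path $SharePath).Access |
    Where-Object { $broad -contains $_.IdentityReference.Value -and
                   $_.AccessControlType -eq 'Allow' -and
                   ($_.FileSystemRights -band $write) } |
    Select-Object @{n='Layer';e={'NTFS'}}, IdentityReference, FileSystemRights
```

An empty result from the two audit queries means neither broad group has write-level access at the share or NTFS layer.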
 
