Restrict one user from accessing Published Applications and Desktops
Article ID: CTX232069
Updated On:
Description
If we have to restrict specific user from accessing the application and desktops but user cannot be removed from the AD Group and group is added to Delivery Group
Environment
The above mentioned sample code is provided to you as is with no representations, warranties or conditions of any kind. You may use, modify and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the sample code may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the sample code fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the sample code. In no event should the code be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SAMPLE CODE, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Although the copyright in the code belongs to Citrix, any distribution of the sample code should include only your own standard copyright attribution, and not that of Citrix. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the sample code.
Resolution
Open Powershell on the Delivery Controller
Run the following powershell commands:
asnp Citrix*
Get-BrokerAccessPolicyRule -> the output of this command will show the Access Policy rules on Delivery Group basis.
For example: Running the above command on a delivery Group "ABC" would show rules for ABC_Direct and ABC_AG. If a User "XYZ" added in the AD Group and would like to restrict access to applications and desktops for this user, first enable the rule "ExcludedUserFilterEnabled" and then add the user to ExcludedUsers.
So below are the commands which to run:
Set-BrokerAccessPolicyRule -Name "ABC_AG" -ExcludedUserFilterEnabled $true
Set-BrokerAccessPolicyRule -Name "ABC_Direct" -ExcludedUserFilterEnabled $true
Now add the user to ExcludedUsers (where DIVY is the domain):
Set-BrokerAccessPolicyRule -Name "ABC_AG" -ExcludedUsers "DIVY\XYZ"
Set-BrokerAccessPolicyRule -Name "ABC_Direct" -ExcludedUsers "DIVY\XYZ"
Now when the user ‘XYZ’ logs into storefront website, no applications and desktops would be enumerated. This is Delivery Group specific.
Run the following powershell commands:
asnp Citrix*
Get-BrokerAccessPolicyRule -> the output of this command will show the Access Policy rules on Delivery Group basis.
For example: Running the above command on a delivery Group "ABC" would show rules for ABC_Direct and ABC_AG. If a User "XYZ" added in the AD Group and would like to restrict access to applications and desktops for this user, first enable the rule "ExcludedUserFilterEnabled" and then add the user to ExcludedUsers.
So below are the commands which to run:
Set-BrokerAccessPolicyRule -Name "ABC_AG" -ExcludedUserFilterEnabled $true
Set-BrokerAccessPolicyRule -Name "ABC_Direct" -ExcludedUserFilterEnabled $true
Now add the user to ExcludedUsers (where DIVY is the domain):
Set-BrokerAccessPolicyRule -Name "ABC_AG" -ExcludedUsers "DIVY\XYZ"
Set-BrokerAccessPolicyRule -Name "ABC_Direct" -ExcludedUsers "DIVY\XYZ"
Now when the user ‘XYZ’ logs into storefront website, no applications and desktops would be enumerated. This is Delivery Group specific.
Problem Cause
ExcludedUserFilterEnabled needs to be enabled and user should be added to ExcludedUsers.
Was this article helpful?
Yes
No
Powered by
