Citrix Director 7.x: Delegated Administrators with Custom Roles Are Unable to Reset User Profile in Director

Article ID: CTX262069

Description

  • A Delegated Administrator is added to two scopes: in one scope (a Custom Scope covering specific Delivery Groups) the role has the Reset Profile permission, but in a different scope (Delivery Groups) the role does not. That administrator is unable to reset profiles, even for users connected to VDAs of the Delivery Groups (scope) where the Reset Profile permission is granted.
  • The Delegated Administrator gets the error "You are not authorized to perform this operation".
  • If the scope is set to "All" instead of specific Delivery Groups, the same Delegated Administrator is able to reset the user profile.

Repro Steps

1. Create two domain user groups, domain\Group1 and domain\Group2. Create a user CustomAdmin1 who is a member of both user groups.

2. Add Group1 as one Administrator in Citrix Director and Group2 as another Administrator in Citrix Director.

Administrator Name: domain\Group1, Scope: All, Role: Service Desk (Does not have permission to reset profile)

Administrator Name: domain\Group2, Scope: DeliveryGroup1, DeliveryGroup2, Role: Same as Service Desk with the addition of being able to Reset Profiles.

3. Create a Delegated director admin CustomAdmin1 that is part of both the Administrator groups.

4. CustomAdmin1 tries to reset profile for a user logged into "DeliveryGroup1" and gets the error.

5. To resolve the error, the limited scope for "domain\Group2" is changed to "All" instead of a few Delivery Groups, and the delegated administrator is then able to reset user profiles.

Resolution

WORKAROUND

1. Assign a single scope to the Delegated Administrator and assign Reset Profile permission on all the Delivery groups listed in that scope.

OR 

2. While assigning multiple Roles to the Delegated Administrator as a part of different Administrator groups, allow reset profile permission (Role) by assigning "All" scope to the Delegated Administrator.

Problem Cause

This is expected behavior. By design, for the reset profile feature to work in Director, the Director Administrator must have the Reset Profile permission in all the scopes assigned to that administrator.

Example
  • There are 10 Delivery Groups in the site.
  • The Delegated Administrator domain\Group1 is assigned 5 Delivery Groups under Scope options where the admin role has the reset profile permission, and domain\Group2 is assigned 3 Delivery Groups in Scope options where the role does not include the reset profile permission.
  • The user domain\customeradmin1 has access to a total of 8 Delivery Groups. So, in Citrix Director, the permission check for reset profile is done on all 8 groups (not all 10) that are assigned to that user. When the permission is checked for all 8 Delivery Groups, 3 of those fail, and hence the Delegated Administrator gets an error while resetting the user profile.
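
The check described above can be modelled as a small audit helper. This is an added example, not Citrix code or anything from the original article: the delivery group names, the `ResetProfile` and `ViewSessions` permission labels, and all function names are constructed for illustration.

```python
# Model of the Reset Profile check as this article describes it (not Citrix code).
# An administrator is allowed only if every Delivery Group in the union of their
# scopes is covered by at least one assignment whose role grants the permission.
from dataclasses import dataclass

ALL = "All"             # scope meaning every Delivery Group in the site
RESET = "ResetProfile"  # constructed permission label

@dataclass(frozen=True)
class Assignment:
    admin_group: str        # e.g. domain\Group1
    scope: frozenset        # Delivery Group names, or {ALL}
    permissions: frozenset  # permissions granted by the assigned role

def expand(scope, site_groups):
    """Resolve a scope to concrete Delivery Group names."""
    return set(site_groups) if ALL in scope else set(scope) & set(site_groups)

def audit_reset_profile(assignments, member_of, site_groups, permission=RESET):
    """Return (allowed, failing_groups) for a user in the given admin groups."""
    in_scope, granted = set(), set()
    for a in assignments:
        if a.admin_group not in member_of:
            continue
        groups = expand(a.scope, site_groups)
        in_scope |= groups
        if permission in a.permissions:
            granted |= groups
    failing = in_scope - granted
    # No scope at all means no access; any uncovered group fails the whole check.
    return (bool(in_scope) and not failing, failing)

# Constructed site of 10 Delivery Groups, matching the article's example.
SITE = [f"DG{i}" for i in range(1, 11)]
SERVICE_DESK = frozenset({"ViewSessions"})  # constructed: no reset permission
CUSTOM_ROLE = SERVICE_DESK | {RESET}        # Service Desk plus Reset Profile

def example_case():
    """5 groups with the permission, 3 without: 8 checked, 3 fail."""
    rights = [Assignment("Group1", frozenset(SITE[:5]), CUSTOM_ROLE),
              Assignment("Group2", frozenset(SITE[5:8]), SERVICE_DESK)]
    return audit_reset_profile(rights, {"Group1", "Group2"}, SITE)

def repro_case(group2_scope):
    """Repro steps: Group1 = All/Service Desk, Group2 = custom role on a scope."""
    rights = [Assignment("Group1", frozenset({ALL}), SERVICE_DESK),
              Assignment("Group2", frozenset(group2_scope), CUSTOM_ROLE)]
    return audit_reset_profile(rights, {"Group1", "Group2"}, SITE)
```

Running the model over an exported list of administrator, scope and role assignments shows which Delivery Groups would cause the "not authorized" error before a delegated administrator hits it.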

Issue/Introduction

A Delegated Administrator is added to two scopes: in one scope (a Custom Scope covering specific Delivery Groups) the role has the Reset Profile permission, but in a different scope (Delivery Groups) the role does not. That administrator is unable to reset profiles, even for users connected to VDAs of the Delivery Groups (scope) where the Reset Profile permission is granted.

Additional Information

https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6-long-term-service-release/xad-monitor-article/xad-monitor-director-wrapper/xad-monitor-deleg-admin.html