CVAD 2203 LTSR CU4 | "Cannot complete your request" error occurred after changing configuration of Pre-Windows 2000 Compatible Access


Article ID: CTX695266


Description

As part of AD assessment warning remediation, the Authenticated Users group was removed from the Pre-Windows 2000 Compatible Access Active Directory group.

After this change, users were unable to access the Citrix Gateway and received the following error:

 
Cannot complete your request.

Cause

Citrix StoreFront requires read access to certain user attributes in Active Directory (such as group membership) during the authentication process.

By default, this read access is granted via the Pre-Windows 2000 Compatible Access group through the Authenticated Users membership.

When Authenticated Users was removed from the group as part of AD hardening, StoreFront servers and Citrix users lost the necessary read permissions. This led to authentication failures at the Citrix Gateway.

Resolution

To restore required permissions while following least privilege practices:

  1. Open Active Directory Users and Computers (ADUC).

  2. Browse to the Builtin container.

  3. Double-click on the Windows Authorization Access Group.

  4. On the Members tab, click Add.

  5. Add the Citrix users and the StoreFront computer accounts.

  6. If you are using Citrix Federated Authentication Service (FAS), add the FAS server accounts as well.
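The same change scripted in PowerShell with the ActiveDirectory module, followed by a check that Authenticated Users is still absent from Pre-Windows 2000 Compatible Access. This is an added example, not part of the original article; the group name `Citrix-Users` and the server names are hypothetical placeholders, and the two groups are located by their well-known SIDs.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the Citrix article. All account names below are hypothetical.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]   $CitrixUserGroup   = 'Citrix-Users',     # assumed group holding the Citrix users
    [string[]] $StoreFrontServers = @('SF01', 'SF02'),  # assumed StoreFront computer names
    [string[]] $FasServers        = @()                 # e.g. 'FAS01' when FAS is deployed
)
$ErrorActionPreference = 'Stop'

# Well-known SIDs avoid dependence on localized or renamed group names.
$waagSid  = 'S-1-5-32-560'   # BUILTIN\Windows Authorization Access Group
$pre2kSid = 'S-1-5-32-554'   # BUILTIN\Pre-Windows 2000 Compatible Access

# Resolve every principal before changing anything, so a typo aborts the run.
$principals  = @(Get-ADGroup -Identity $CitrixUserGroup)
$principals += @($StoreFrontServers + $FasServers | ForEach-Object { Get-ADComputer -Identity $_ })

# Read the raw member attribute: it lists foreign security principals
# (such as CN=S-1-5-11 for Authenticated Users) by DN without resolving them.
$waag = Get-ADGroup -Identity $waagSid -Properties member
foreach ($p in $principals) {
    if (@($waag.member) -contains $p.DistinguishedName) { continue }   # already a member
    if ($PSCmdlet.ShouldProcess($p.DistinguishedName, "Add to '$($waag.Name)'")) {
        Add-ADGroupMember -Identity $waag -Members $p
    }
}

# Verify: nothing missing from the target group, and the hardening is still in place.
$waag  = Get-ADGroup -Identity $waagSid  -Properties member
$pre2k = Get-ADGroup -Identity $pre2kSid -Properties member
[pscustomobject]@{
    Group                       = $waag.Name
    MissingMembers              = @($principals.DistinguishedName | Where-Object { @($waag.member) -notcontains $_ })
    AuthenticatedUsersInPre2000 = [bool](@($pre2k.member) -match '^CN=S-1-5-11,')
}
```

Run it with `-WhatIf` first to list the additions without making them; in that mode `MissingMembers` shows the accounts that would be added.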
