Greetings

I am a consultant with a client that has a windows 2000
domain and we have a citrix server. that citrix is
supported by a different company and we would like to
restrict their access to the citrix server withoud
restricting them there. so they must be local admin. how
do we do that if the citrix is taking the users from the
domain and has no local admin accounts?
right now they are domain admin and that has to stop
cause they make changes to our domain servers that
interfere with our users.

please advise.

thank for any help

bijvoorbaat dank.

Peter

Am I correct in assuming that the Citrix server is also a Domain
Controller in the W2K domain? If so, that's the core of your
problem.
A Terminal Server (and thereby also a Citrix server) should never
be a DC, because of security and performance reasons.

The only sensible thing to do is to demote your Citrix server and
make it a member server in the domain. Then you can change the
other consultants domain accounts into normal domain user
accounts, and make them member of the local Administrators group
on the Citrix member server.

If you do this, you will have to make sure that the Terminal
Server Licensing Service runs on a Domain Controller. If it
currently runs on the Citrix server, you will have to uninstall
the LS from the Citrix server, install it on a DC, activate it,
and then phone the Clearinghouse to get your TS CALs re-issued.

Further details:

Microsofts Terminal Services FAQ
http://www.microsoft.com/windowsserv.../centers/termi
nal/terminal_faq.mspx

Met vriendelijke groeten,

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---

(E-Mail Removed) (Peter) wrote on 22 sep 2004:

> Greetings
>
> I am a consultant with a client that has a windows 2000
> domain and we have a citrix server. that citrix is
> supported by a different company and we would like to
> restrict their access to the citrix server withoud
> restricting them there. so they must be local admin. how
> do we do that if the citrix is taking the users from the
> domain and has no local admin accounts?
> right now they are domain admin and that has to stop
> cause they make changes to our domain servers that
> interfere with our users.
>
> please advise.
>
> thank for any help
>
> bijvoorbaat dank.
>
> Peter

IF they are using TS2000 they should be able to use the registry fix
outlined in :

239107 Establishing Preferred Windows 2000 Terminal Services License Server
http://support.microsoft.com/?id=239107

to avoid having to get the cals re-issued.


a-(E-Mail Removed)

This posting is provided "AS IS"
with no warranties, and confers no rights
--------------------
| Subject: Re: citrix in the Domain
| From: "Vera Noest [MVP]" <(E-Mail Removed)>
| References: <(E-Mail Removed)>
| Message-ID: <Xns956CDEC25E2E8veranoesthemutforsse@207.46.248.16>
| User-Agent: Xnews/5.04.25
| Newsgroups:
microsoft.public.win2000.termserv.clients,microsoft.public.win2000.termserv.
apps
| Date: Wed, 22 Sep 2004 12:53:52 -0700
| NNTP-Posting-Host: md4690a3c.utfors.se 212.105.10.60
| Lines: 1
| Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12.phx.gbl
| Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.termserv.apps:14310
microsoft.public.win2000.termserv.clients:18977
| X-Tomcat-NG: microsoft.public.win2000.termserv.apps
|
| Am I correct in assuming that the Citrix server is also a Domain
| Controller in the W2K domain? If so, that's the core of your
| problem.
| A Terminal Server (and thereby also a Citrix server) should never
| be a DC, because of security and performance reasons.
|
| The only sensible thing to do is to demote your Citrix server and
| make it a member server in the domain. Then you can change the
| other consultants domain accounts into normal domain user
| accounts, and make them member of the local Administrators group
| on the Citrix member server.
|
| If you do this, you will have to make sure that the Terminal
| Server Licensing Service runs on a Domain Controller. If it
| currently runs on the Citrix server, you will have to uninstall
| the LS from the Citrix server, install it on a DC, activate it,
| and then phone the Clearinghouse to get your TS CALs re-issued.
|
| Further details:
|
| Microsofts Terminal Services FAQ
| http://www.microsoft.com/windowsserv.../centers/termi
| nal/terminal_faq.mspx
|
| Met vriendelijke groeten,
|
| --
| Vera Noest
| MCSE, CCEA, Microsoft MVP - Terminal Server
| http://hem.fyristorg.com/vera/IT
| --- please respond in newsgroup, NOT by private email ---
|
| (E-Mail Removed) (Peter) wrote on 22 sep 2004:
|
| > Greetings
| >
| > I am a consultant with a client that has a windows 2000
| > domain and we have a citrix server. that citrix is
| > supported by a different company and we would like to
| > restrict their access to the citrix server withoud
| > restricting them there. so they must be local admin. how
| > do we do that if the citrix is taking the users from the
| > domain and has no local admin accounts?
| > right now they are domain admin and that has to stop
| > cause they make changes to our domain servers that
| > interfere with our users.
| >
| > please advise.
| >
| > thank for any help
| >
| > bijvoorbaat dank.
| >
| > Peter
|

Vera thank you for your help.
we have eviewed your answer and came to the conclusion that again you
show great knowlidge and we are glad that you are around to help other
people like us. This is not the first time we look to a newsgroup for
a answer and almost every time we do that its your name that pops up
and giving the answer that puts us in the right direction. so thank
you again




"Vera Noest [MVP]" <(E-Mail Removed)> wrote in message news:<Xns956CDEC25E2E8veranoesthemutforsse@207.46.248.16>...
> Am I correct in assuming that the Citrix server is also a Domain
> Controller in the W2K domain? If so, that's the core of your
> problem.
> A Terminal Server (and thereby also a Citrix server) should never
> be a DC, because of security and performance reasons.
>
> The only sensible thing to do is to demote your Citrix server and
> make it a member server in the domain. Then you can change the
> other consultants domain accounts into normal domain user
> accounts, and make them member of the local Administrators group
> on the Citrix member server.
>
> If you do this, you will have to make sure that the Terminal
> Server Licensing Service runs on a Domain Controller. If it
> currently runs on the Citrix server, you will have to uninstall
> the LS from the Citrix server, install it on a DC, activate it,
> and then phone the Clearinghouse to get your TS CALs re-issued.
>
> Further details:
>
> Microsofts Terminal Services FAQ
> http://www.microsoft.com/windowsserv.../centers/termi
> nal/terminal_faq.mspx
>
> Met vriendelijke groeten,
>
> --
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> http://hem.fyristorg.com/vera/IT
> --- please respond in newsgroup, NOT by private email ---
>
> (E-Mail Removed) (Peter) wrote on 22 sep 2004:
>
> > Greetings
> >
> > I am a consultant with a client that has a windows 2000
> > domain and we have a citrix server. that citrix is
> > supported by a different company and we would like to
> > restrict their access to the citrix server withoud
> > restricting them there. so they must be local admin. how
> > do we do that if the citrix is taking the users from the
> > domain and has no local admin accounts?
> > right now they are domain admin and that has to stop
> > cause they make changes to our domain servers that
> > interfere with our users.
> >
> > please advise.
> >
> > thank for any help
> >
> > bijvoorbaat dank.
> >
> > Peter

Are you 100% sure about this?
The moment the DC (which holds the TS Licensing Services) is
demoted to be a member server in the domain, it will refuse to
start the TS Licensing Service and generate the following Events:

Event ID 29
Terminal Services Licensing can only be run on Domain Controllers
or Server in a Workgroup.

Event ID 7024
The Terminal Services Licensing service terminated with service-
specific error 29.

In an all-W2K domain, there is no way around this requirement,
other than by a non-documented hack, which is meant for
troubleshooting purposes only and which could well stop working
with a future update.

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---

a-(E-Mail Removed) (Kevin Bowersock) wrote on 26 sep
2004 in microsoft.public.win2000.termserv.apps:

> IF they are using TS2000 they should be able to use the registry
> fix outlined in :
>
> 239107 Establishing Preferred Windows 2000 Terminal Services
> License Server http://support.microsoft.com/?id=239107
>
> to avoid having to get the cals re-issued.
>
>
> a-(E-Mail Removed)
>
> This posting is provided "AS IS"
> with no warranties, and confers no rights
> --------------------
>| Subject: Re: citrix in the Domain
>| From: "Vera Noest [MVP]" <(E-Mail Removed)>
>|
>| Am I correct in assuming that the Citrix server is also a
>| Domain Controller in the W2K domain? If so, that's the core of
>| your problem.
>| A Terminal Server (and thereby also a Citrix server) should
>| never be a DC, because of security and performance reasons.
>|
>| The only sensible thing to do is to demote your Citrix server
>| and make it a member server in the domain. Then you can change
>| the other consultants domain accounts into normal domain user
>| accounts, and make them member of the local Administrators
>| group on the Citrix member server.
>|
>| If you do this, you will have to make sure that the Terminal
>| Server Licensing Service runs on a Domain Controller. If it
>| currently runs on the Citrix server, you will have to uninstall
>| the LS from the Citrix server, install it on a DC, activate it,
>| and then phone the Clearinghouse to get your TS CALs re-issued.
>|
>| Further details:
>|
>| Microsofts Terminal Services FAQ
>|
http://www.microsoft.com/windowsserv...ty/centers/ter
>| mi nal/terminal_faq.mspx
>|
>| Met vriendelijke groeten,
>|
>| --
>| Vera Noest
>| MCSE, CCEA, Microsoft MVP - Terminal Server
>| http://hem.fyristorg.com/vera/IT
>| --- please respond in newsgroup, NOT by private email ---
>|
>| (E-Mail Removed) (Peter) wrote on 22 sep 2004:
>|
>| > Greetings
>| >
>| > I am a consultant with a client that has a windows 2000
>| > domain and we have a citrix server. that citrix is
>| > supported by a different company and we would like to
>| > restrict their access to the citrix server withoud
>| > restricting them there. so they must be local admin. how
>| > do we do that if the citrix is taking the users from the
>| > domain and has no local admin accounts?
>| > right now they are domain admin and that has to stop
>| > cause they make changes to our domain servers that
>| > interfere with our users.
>| >
>| > please advise.
>| >
>| > thank for any help
>| >
>| > bijvoorbaat dank.
>| >
>| > Peter

Thanks, Peter! I'm glad to be of help.

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---

(E-Mail Removed) (Peter) wrote on 27 sep 2004 in
microsoft.public.win2000.termserv.apps:

> Vera thank you for your help.
> we have eviewed your answer and came to the conclusion that
> again you show great knowlidge and we are glad that you are
> around to help other people like us. This is not the first time
> we look to a newsgroup for a answer and almost every time we do
> that its your name that pops up and giving the answer that puts
> us in the right direction. so thank you again
>
>
> "Vera Noest [MVP]" <(E-Mail Removed)> wrote
> in message
> news:<Xns956CDEC25E2E8veranoesthemutforsse@207.46.248.16>...
>> Am I correct in assuming that the Citrix server is also a
>> Domain Controller in the W2K domain? If so, that's the core of
>> your problem.
>> A Terminal Server (and thereby also a Citrix server) should
>> never be a DC, because of security and performance reasons.
>>
>> The only sensible thing to do is to demote your Citrix server
>> and make it a member server in the domain. Then you can change
>> the other consultants domain accounts into normal domain user
>> accounts, and make them member of the local Administrators
>> group on the Citrix member server.
>>
>> If you do this, you will have to make sure that the Terminal
>> Server Licensing Service runs on a Domain Controller. If it
>> currently runs on the Citrix server, you will have to uninstall
>> the LS from the Citrix server, install it on a DC, activate it,
>> and then phone the Clearinghouse to get your TS CALs re-issued.
>>
>> Further details:
>>
>> Microsofts Terminal Services FAQ
>>
http://www.microsoft.com/windowsserv...ty/centers/ter
>> mi nal/terminal_faq.mspx
>>
>> Met vriendelijke groeten,
>>
>> --
>> Vera Noest
>> MCSE, CCEA, Microsoft MVP - Terminal Server
>> http://hem.fyristorg.com/vera/IT
>> --- please respond in newsgroup, NOT by private email ---
>>
>> (E-Mail Removed) (Peter) wrote on 22 sep 2004:
>>
>> > Greetings
>> >
>> > I am a consultant with a client that has a windows 2000
>> > domain and we have a citrix server. that citrix is
>> > supported by a different company and we would like to
>> > restrict their access to the citrix server withoud
>> > restricting them there. so they must be local admin. how
>> > do we do that if the citrix is taking the users from the
>> > domain and has no local admin accounts?
>> > right now they are domain admin and that has to stop
>> > cause they make changes to our domain servers that
>> > interfere with our users.
>> >
>> > please advise.
>> >
>> > thank for any help
>> >
>> > bijvoorbaat dank.
>> >
>> > Peter