Tuesday, May 7, 2013

Non local administrators are unable to browse and access network shares when logged onto Citrix XenApp 6.5 servers

Environment

Citrix XenApp Server Operating System:  Windows 2008 R2

Citrix XenApp Version: 6.5

Citrix XenApp Hotfix: Rollup 1

Citrix Profile Management Version: 4.1

Problem

You’ve received complaints from various users that when they launch applications published on the Citrix XenApp 6.5 servers, they receive Windows Script Host error prompts similar to the following:

Script:

\\domain.internal\SysVol\domain.internal\Policies\{someGuid}\User\Scripts\Logon\logon.vbs

Line: 16

Char: 1

Error: Permission denied: ‘GetObject’

Code: 800A0046

Source: Microsoft VBScript runtime error

image

To further troubleshoot, you proceed by configuring the XenApp server to allow users to directly remote desktop to the server.  Upon directly logging onto the server with the user’s credentials, the following is displayed:

image

While troubleshooting the issue, you also noticed that you are unable to browse the path:

\\domain.internal

image

Windows cannot access \\domain.internal

You do not have permission to access \\domain.internal. Contact your network administrator to request access.

For more information about permissions, see Windows Help and Support

image

The server also exhibits the same behavior when you browse directly to a server via the name or IP:

clip_image001[4]clip_image001[6]

What’s strange is that you are able to ping other servers:

image

You notice that if you add the user to the local administrators group, the error goes away. 

Solution

While the symptoms described in the following KB:

http://support.citrix.com/article/CTX128255

… did not directly map to the ones described above, I found that the solution was resolved my issue.  The reason why non local administrators were experiencing these symptoms is because of the UsrClass.dat file located in the following directory when the user is logged onto the server:

C:\Users\Default\AppData\Local\Microsoft\Windows

image

You will also notice the same file stored on the file server that stores the user’s profile management folder:

\\someFileserver\profilemanagement\someUsername\UPM_Profile\AppData\Local\Microsoft\Windows

image

The solution as described in the article is to delete this file but note the following:

  1. You may not be able to delete the UsrClass.dat file from C:\Users\Default\AppData\Local\Microsoft\Windows while the user is logged in
  2. Even if you delete the file while the user is logged off, the saved UsrClass.dat will be copied back to the server from the server

To correctly resolve the issue and remove the problematic UsrClass.dat file, first log off as the user to make sure profile management has saved the user’s profile on the file server and no other sessions will overwrite the profile, then go to the user’s profile on the file server and delete UsrClass.dat.  Once this is done, log back onto the server as the user and and ensure the symptoms are gone.

No comments: