How to adjust the accounts which will be permitted to configure a FAS server.

By default, you need to be logged on as (or provide credentials for) a user who is a member of the “Administrators” group of the FAS server you wish to configure.

However, you can also adjust the accounts which will be permitted to configure a FAS server via the registry.

To do this:

On the FAS server, run regedit as a local administrator.

Navigate to HKEY_USERS\S-1-5-20\Software\Citrix\Authentication\UserCredentialServices – you should find there is already a value named “Version” here.

Create a new string value named “AdministrationACL”.

Provide a value which is the SDDL string for the users or groups you want to grant permission to.

The SDDL string should have the format:

O:BAG:DUD:P(A;OICI;SW;;;<SID-1>)..(A;OICI;SW;;;<SID-n>)

For example, to grant permission to configure the FAS server to any member of the group with SID “S-1-5-21-1018754310-151723792-3234634592-1628” use the following string:

O:BAG:DUD:P(A;OICI;SW;;;S-1-5-21-1018754310-151723792-3234634592-1628)
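
The steps above can also be scripted. The following PowerShell is an added example, not code from the original article or from Citrix: it builds the SDDL string in the format shown, checks that it parses before writing it, and lists who the stored value grants access to. The function names and the group `EXAMPLE\FAS-Admins` are assumptions made for illustration.

```powershell
# Added example; function names and the account name are illustrative assumptions.
$FasKey = 'Registry::HKEY_USERS\S-1-5-20\Software\Citrix\Authentication\UserCredentialServices'

function New-FasAdminSddl {
    param([Parameter(Mandatory)][string[]]$Account)
    $aces = foreach ($a in $Account) {
        # Accept either a literal SID or a DOMAIN\name that is resolved to a SID
        $sid = if ($a -match '^S-1-\d+(-\d+)+$') {
            [System.Security.Principal.SecurityIdentifier]::new($a)
        } else {
            ([System.Security.Principal.NTAccount]$a).Translate(
                [System.Security.Principal.SecurityIdentifier])
        }
        "(A;OICI;SW;;;$($sid.Value))"
    }
    $sddl = 'O:BAG:DUD:P' + ($aces -join '')
    # Parsing throws on a malformed string, so a bad value never reaches the registry
    $null = [System.Security.AccessControl.RawSecurityDescriptor]::new($sddl)
    $sddl
}

function Get-FasAdminAcl {
    # Lists the accounts that the current AdministrationACL value grants access to
    $current = (Get-ItemProperty -Path $FasKey -ErrorAction Stop).AdministrationACL
    if (-not $current) { return }   # value not set: the default Administrators rule applies
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($current)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $name = try { $ace.SecurityIdentifier.Translate(
                          [System.Security.Principal.NTAccount]).Value }
                catch { '<unresolved>' }
        [pscustomobject]@{
            Type = $ace.AceType; Sid = $ace.SecurityIdentifier.Value
            Account = $name; Mask = '0x{0:X}' -f $ace.AccessMask
        }
    }
}

# Usage on the FAS server, from an elevated session:
$sddl = New-FasAdminSddl -Account 'EXAMPLE\FAS-Admins'   # constructed group name
Set-ItemProperty -Path $FasKey -Name AdministrationACL -Value $sddl -Type String
Get-FasAdminAcl | Format-Table -AutoSize
```

Running `Get-FasAdminAcl` on its own is a quick way to review which accounts a server currently allows to change its FAS configuration.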
