When trying to connect to a XenDesktop 7.x and StoreFront 2.x based environment through NetScaler from an external Windows computer you could receive the following error upon finishing the Citrix Receiver initial wizard: Select an account to continue:



In case this error occurs and you’ve an Exchange Server in your environment check your Exchange Server’s Application Event Log for any errors and/or warnings regarding Exchange ActiveSync (EAS), e.g. Source: MSExchange ActiveSync, Event ID 1053:


This is a common Microsoft related issue regarding AdminSDHolder, Protected Groups, and thus a broken or interrupted Active Directory object permission inheritance.

Therefore identify the affected user and verify whether the user’s corresponding AD account is member of a Protected Group:

  • Account Operators
  • Administrators
  • Backup Operators
  • Domain Admins
  • Domain Controllers
  • Enterprise Admins
  • Print Operators
  • Read-Only Domain Controllers
  • Replicator
  • Schema Admins
  • Server Operators

This all turns down to a single AD object’s attribute and thus being protected by AdminSDHolder: adminCount.  You can easily identify all protected users and groups with a simple Powershell command executed directly on your Domain Controller:

Get-ADUser -LDAPFilter “(objectcategory=person)(samaccountname=*)(admincount=1)”

Get-ADGroup -LDAPFilter “(objectcategory=group)(admincount=1)”

Note: In order for these commands to work the corresponding Active Directory Modules have to be installed prior of launching the Powershell.

adminCount=1 equals to an protected object, whereas adminCount=1 equals to an unprotected object. Simply enable Advanced Features in your Active Directory Users and Computers MMC (dsa.msc), browse to an affected user and/or group, open its Properties, and select the Attribute Editor tab:


Look for adminCount and verify its value:


You could now simply change its value by setting it to 0 (Zero), check and reset the object’s security permissions on the Security tab’s Advanced settings, and then try connecting with Citrix Receiver once more.

Further reading:

Citrix Receiver 3.x and 4.x – Select an account to continue
Tagged on:                 

Leave a Reply