When trying to connect to a XenDesktop 7.x and StoreFront 2.x based environment through NetScaler from an external Windows computer, you may receive the following error upon finishing the Citrix Receiver initial wizard: Select an account to continue:
If this error occurs and you have an Exchange Server in your environment, check the Exchange Server’s Application Event Log for errors and/or warnings regarding Exchange ActiveSync (EAS), e.g. Source: MSExchange ActiveSync, Event ID 1053:
This is a common Microsoft-related issue involving AdminSDHolder and Protected Groups, which results in broken or interrupted permission inheritance on the Active Directory object.
Therefore, identify the affected user and verify whether the user’s corresponding AD account is a member of a Protected Group:
- Account Operators
- Backup Operators
- Domain Admins
- Domain Controllers
- Enterprise Admins
- Print Operators
- Read-Only Domain Controllers
- Schema Admins
- Server Operators
This all boils down to a single attribute of the AD object, which marks it as protected by AdminSDHolder: adminCount. You can easily identify all protected users and groups with two simple PowerShell commands executed directly on your Domain Controller:
Get-ADUser -LDAPFilter "(&(objectCategory=person)(sAMAccountName=*)(adminCount=1))"
Get-ADGroup -LDAPFilter "(&(objectCategory=group)(adminCount=1))"
Note: For these commands to work, the corresponding Active Directory modules have to be installed before launching PowerShell.
adminCount=1 marks a protected object, whereas adminCount=0 marks an unprotected object. Simply enable Advanced Features in your Active Directory Users and Computers MMC (dsa.msc), browse to an affected user and/or group, open its Properties, and select the Attribute Editor tab:
Look for adminCount and verify its value:
You could now simply change its value by setting it to 0 (Zero), check and reset the object’s security permissions on the Security tab’s Advanced settings, and then try connecting with Citrix Receiver once more.
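An added example, not part of the original post: a read-only PowerShell report that lists every user with adminCount=1, whether the account is still a direct or nested member of one of the protected groups listed above, and whether permission inheritance is disabled on it. It assumes the ActiveDirectory module and the default English group names; the variable names are illustrative.

```powershell
# Added example: read-only report, nothing in the directory is modified.
Import-Module ActiveDirectory

# Protected groups as listed on this page (default English names assumed).
$protectedGroups = 'Account Operators', 'Backup Operators', 'Domain Admins',
    'Domain Controllers', 'Enterprise Admins', 'Print Operators',
    'Read-Only Domain Controllers', 'Schema Admins', 'Server Operators'

# DNs of all direct and nested members; hashtable keys are case-insensitive.
$protectedMembers = @{}
foreach ($name in $protectedGroups) {
    $group = Get-ADGroup -Filter "Name -eq '$name'"
    if (-not $group) { continue }   # e.g. forest-wide groups in a child domain
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $protectedMembers[$_.DistinguishedName] = $true }
}

# Users stamped adminCount=1, with group membership and inheritance state.
$report = Get-ADUser -LDAPFilter '(&(objectCategory=person)(sAMAccountName=*)(adminCount=1))' -Properties adminCount, nTSecurityDescriptor |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName      = $_.SamAccountName
            InProtectedGroup    = $protectedMembers.ContainsKey($_.DistinguishedName)
            InheritanceDisabled = $_.nTSecurityDescriptor.AreAccessRulesProtected
        }
    }

# Accounts with InProtectedGroup = False carry a leftover adminCount=1.
# krbtgt shows up here too: it is protected directly, not through a group.
$report | Sort-Object InProtectedGroup, SamAccountName | Format-Table -AutoSize
```

Accounts where InProtectedGroup is True will have adminCount and the AdminSDHolder permissions re-applied by the periodic SDProp process, so resetting them only lasts once the group membership has been removed.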
- Of Exchange 2010, Mobile Phones, and the AdminSDHolder or Why Doesn’t My Phone Work Anymore?
- Understanding AdminSDHolder and Protected Groups
- KB817433 – Delegated permissions are not available and inheritance is automatically disabled