During an after-hours project, I disabled logons to a few servers in a XenApp 6.5 farm, waited for the users to log off, and thought nothing of it. I then shut the VMs down, completed the maintenance, and powered the VMs back on…only to find that no one was logging on.
As an administrator, I had no issue getting logged on, but users were receiving a “The requested session is not available…” type error message. This immediately led me to permissions, so I checked ‘Allow log on locally’ and ‘Allow logon via terminal services’ – both were set as expected.
Then, I checked the ICA-tcp listener, which had the default permissions – with the Remote Desktop Users group assigned – that was it. The ‘Remote Desktop Users’ group on the servers I had just rebooted and brought out of ‘logon disabled’ mode was completely empty! Checking on another server in the farm, I found that the group had been set to contain only ‘Authenticated Users (S-1-5-11)’.
This immediately led me to use a GPO to get ‘Domain Users’ into ‘Remote Desktop Users’ and also find the root cause – which in this case is a Microsoft bug: http://support2.microsoft.com/kb/2834976
I was slightly irked that this was NOT listed in the Citrix recommended MS hotfix list – but it did have a separate Citrix article: http://support.citrix.com/article/CTX134318 which helped track it down.
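
A check for the failure described above, as an added example that is not part of the original post: it reads the local ‘Remote Desktop Users’ group on each server and flags any server where the group is empty. The server names are constructed placeholders, and the group name assumes an English-language OS.

```powershell
# Added example, not from the original post.
# Server names below are constructed placeholders; replace with your own hosts.
$Servers = @('XA65-01', 'XA65-02')

function Get-RdUsersAudit {
    param([Parameter(Mandatory = $true)][string]$ComputerName)

    $members = @()
    $status  = 'OK'
    try {
        # WinNT ADSI provider: available on PowerShell 2.0 / Server 2008 R2,
        # where Get-LocalGroupMember does not exist.
        # Assumes an English OS, where the group is named 'Remote Desktop Users'.
        $group = [ADSI]"WinNT://$ComputerName/Remote Desktop Users,group"

        # Members come back as COM objects; read AdsPath by late binding.
        $members = @(
            $group.psbase.Invoke('Members') | ForEach-Object {
                $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
            }
        )

        # An empty group is the condition that blocked non-admin ICA logons.
        if ($members.Count -eq 0) { $status = 'EMPTY' }
    }
    catch {
        # Unreachable host or access denied: report it instead of assuming OK.
        $status = "ERROR: $($_.Exception.Message)"
    }

    New-Object PSObject -Property @{
        Server  = $ComputerName
        Status  = $status
        Members = ($members -join '; ')
    }
}

$Servers | ForEach-Object { Get-RdUsersAudit -ComputerName $_ } |
    Select-Object Server, Status, Members |
    Format-Table -AutoSize
```

Run it with an account that has administrative rights on the target servers, after maintenance and before re-enabling logons.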