StoreFront Groups in a Group Policy Restricted Groups Environment

Introduction

I was recently in a position where I had to investigate why a Citrix StoreFront 2.1 (and subsequently 2.5) implementation wasn’t working properly. The environment had a variety of synchronisation/propagation issues, and I also discovered other strange behaviour. It transpired that the environment used Restricted Groups to reconfigure the local Administrators group on all infrastructure servers. This is a documented problem (http://support.citrix.com/article/CTX138744), as StoreFront requires the following accounts to be present in the local Administrators group:

NT SERVICE\CitrixClusterService
NT SERVICE\CitrixConfigurationReplication

Unfortunately, the simple solution of adding the accounts by hand wouldn’t work, as they would be removed again on each refresh of Group Policy. Removing this policy wasn’t an option, though we were able to modify it.

The obvious resolution is to add the above accounts to your Restricted Groups policy, but unfortunately the Group Policy GUI doesn’t allow “NT SERVICE” accounts to be added.

Work Around

Browse to the file system path of your Group Policy (e.g., \\domain\sysvol\domain.tld\Policies\{GPO-GUID}) and then to Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf, i.e.:

\\domain\sysvol\domain.tld\Policies\{GROUP-POLICY-GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf

Where Restricted Groups are configured, this INF file holds the raw settings, and you should see something along the lines of:

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Members = *S-1-5-21-12345678-123456789-123456789-513

Here S-1-5-32-544 is the well-known SID of the built-in Administrators group, and the SID to the right of the equals sign denotes a user or group that is a member of it. The value accepts both SIDs (prefixed with *) and full account names, comma separated. So, to add the Citrix accounts, simply modify the file as follows:

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Members = *S-1-5-21-12345678-123456789-123456789-513,NT SERVICE\CitrixClusterService,NT SERVICE\CitrixConfigurationReplication

And then, if you go back to the GUI, you’ll see the following:

Restricted Groups GUI

And, if those accounts exist on a machine where the policy is applied, they will be included in the local Administrators group.
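As an added example (not code from the original post), here is a small Python audit-and-fix routine for the [Group Membership] line: it parses a constructed GptTmpl.inf fragment laid out like the one above, reports which of the two StoreFront accounts are missing from the Administrators entry, and appends them in the same comma-separated form the file uses. The SAMPLE_INF text, the function names and the domain SID placeholder are my assumptions, not values from a real environment.

```python
import re

# Constructed Restricted Groups GptTmpl.inf fragment; the domain SID is the page's placeholder.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Members = *S-1-5-21-12345678-123456789-123456789-513
"""

ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of built-in Administrators
# Virtual service accounts StoreFront needs in local Administrators (CTX138744).
STOREFRONT_ACCOUNTS = [
    "NT SERVICE\\CitrixClusterService",
    "NT SERVICE\\CitrixConfigurationReplication",
]

def parse_members(inf_text, group_sid):
    # [Group Membership] keys are "*<SID>__Members"; the "*" marks a SID.
    # Returns the configured member list for group_sid, or None if absent.
    key, section = "*%s__Members" % group_sid, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Group Membership" and "=" in line:
            name, _, value = line.partition("=")
            if name.strip() == key:
                # Comma separated; SIDs carry a "*" prefix, names do not.
                return [m.strip() for m in value.split(",") if m.strip()]
    return None

def missing_members(inf_text, group_sid, required):
    # Audit check: required members not yet on the group's Members line.
    present = {m.lower() for m in parse_members(inf_text, group_sid) or []}
    return [m for m in required if m.lower() not in present]

def add_members(inf_text, group_sid, required):
    # Return inf_text with the missing members appended to the group's line.
    if parse_members(inf_text, group_sid) is None:
        raise ValueError("no Members line for %s in [Group Membership]" % group_sid)
    missing = missing_members(inf_text, group_sid, required)
    if not missing:
        return inf_text  # already compliant: leave the file untouched
    pattern = re.compile(r"^(\*%s__Members\s*=\s*)(.*)$" % re.escape(group_sid), re.MULTILINE)
    def append(m):
        existing = m.group(2).strip()
        return m.group(1) + ",".join(([existing] if existing else []) + missing)
    return pattern.sub(append, inf_text, count=1)
```

The real file is UTF-16 (hence Unicode=yes), so read and write it with that encoding rather than as ASCII. After editing, confirm on one target server that the two accounts appear in the local Administrators group (gpupdate /force, then inspect the group) before relying on the change, since clients only reprocess security settings when the GPO version changes.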


One thought on “StoreFront Groups in a Group Policy Restricted Groups Environment”

  1. Dan,

    I ran into this same scenario just recently. I was able to bypass this by running the GPO editor from one of the StoreFront servers as a different user (domain admin account). When prompted to add users to the restricted group in the policy, I browsed to the local machine in the user selection screen (From this location) and added the 2 accounts with the “NT Service” prefix.
    The accounts showed up under the local administrators group after a reboot.

    Thanks
