I have some users who want to test a XenApp application using some generic accounts (I don't like to use generic accounts but for reasons I won't go into, they are necessary). I want to set up the accounts such that they can only log in to the XenApp servers and not locally.
A requirement is that the users browse to a specific webpage (Citrix NetScaler) https://application.domain.com and they log in using the generic AD account. At that point the published application is presented to them. I believe the NetScaler authenticates with one of our domain controllers so I'm trying to limit access within AD.
Under the generic account in the Account tab in AD Users and Computers I clicked on the Log On To button and added all of the XenApp servers, XenWeb servers, and NetScaler. However, the account is unable to log in on the initial webpage (it works fine if I set Log On To = All Computers).
Any insight on what I should configure or where to look would be very helpful. Thanks.
What I understood is that you want to authenticate users from an AD-integrated application but don't want them to log in on a computer joined to the domain. The option I would like to use for this problem is to restrict login access in Group Policy Editor. You can find this option in:
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
Deny log on locally.
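
One way to confirm on a domain-joined computer that the "Deny log on locally" right from the answer above has actually applied to the generic account. This is an added example, not part of the original answer; the account name `DOMAIN\generic-test` is a placeholder, and the check covers only direct entries, listing the rest so group membership can be reviewed by hand.

```powershell
#Requires -RunAsAdministrator
param(
    # Placeholder account name (assumption); replace with the generic test account.
    [string]$Account = 'DOMAIN\generic-test'
)

function Get-DenyLocalLogonSids {
    # Export only the user-rights area of this computer's security policy.
    $cfg = Join-Path $env:TEMP ('user-rights-{0}.inf' -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        # "Deny log on locally" is stored under this privilege constant.
        $line = Get-Content -Path $cfg |
            Where-Object { $_ -match '^\s*SeDenyInteractiveLogonRight\s*=' } |
            Select-Object -First 1
        if (-not $line) { return @() }
        foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
            $entry = $entry.Trim()
            if ($entry.StartsWith('*S-1-')) {
                # SIDs are written with a leading '*'.
                $entry.TrimStart('*')
            } elseif ($entry) {
                # Some entries are written as account names; normalise to SIDs.
                try {
                    ([System.Security.Principal.NTAccount]$entry).Translate(
                        [System.Security.Principal.SecurityIdentifier]).Value
                } catch { Write-Warning "Could not resolve '$entry'" }
            }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

$accountSid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
$denied = @(Get-DenyLocalLogonSids)

if ($denied -contains $accountSid) {
    "$Account is listed under 'Deny log on locally' on $env:COMPUTERNAME."
} else {
    "$Account is not listed directly on $env:COMPUTERNAME. Current entries:"
    foreach ($sid in $denied) {
        $id = [System.Security.Principal.SecurityIdentifier]$sid
        try { $id.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid }   # unresolvable SID: print it as-is
    }
}
```

Run it after `gpupdate /force` on a workstation in scope of the GPO; if the right was granted to a group, the account appears only through one of the listed entries.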