Many enterprise environments now use a GPO with Restricted Groups to lock down administrative access to a set of servers, or to a collection of StoreFront servers.
After installing StoreFront, the following two groups appear in the local Administrators group of each StoreFront server:
NT SERVICE\CitrixClusterService
NT SERVICE\CitrixConfigurationReplication
If the local Administrators group is managed by a Restricted Groups policy, the two NT SERVICE accounts above cannot be added through the Group Policy editor: the message below appears when you try to add the account, because the editor attempts to resolve the name to a SID and these virtual service accounts exist only on the machines running the Citrix services.
This leaves you in a position where the existing Restricted Groups policy still applies (it replaces the group's membership rather than adding to it), so the two Citrix NT SERVICE accounts are removed from local Administrators at every policy refresh.
This leads to propagation failures between the StoreFront servers, "server not reachable" errors, and "configuration out of date" messages.
Solution 1:
Don't use Restricted Groups for these servers, or block inheritance of the policy on their OU. This gives up the hardening the policy was put in place for, which is why Solution 2 is preferred.
Solution 2 (Recommended):
Browse to the GPO's folder in SYSVOL (replacing lab / lab.local with your domain name):
\\lab\sysvol\lab.local\Policies\{GPO-GUID} ({GPO-GUID} can be found on the GPO's Details tab as the Unique ID, as per the example below)
and then open Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf for editing. This is the file the Security Settings extension reads on the client; it is UTF-16 encoded, so keep that encoding when you save it.
Scroll through the file until you see the section below (*S-1-5-32-544 is the well-known SID of the built-in Administrators group; SIDs in the list are prefixed with *, while account names are written as-is):
[Group Membership]
*S-1-5-32-544__Members = *GROUPSID,*GROUPSID
Append NT SERVICE\CitrixClusterService,NT SERVICE\CitrixConfigurationReplication to the end of the Members value. Make sure a "," separates the last existing group SID from the first Citrix NT SERVICE account, and that there is no trailing comma. Save the file.
Browse back to the Restricted Groups node in the Group Policy editor and the two NT SERVICE accounts now show as members of Administrators.
Because the template was edited outside the editor, the GPO version in gpt.ini is not incremented, so clients may not pick the change up at the next normal refresh. Run gpupdate /force on each StoreFront server (or reboot it) so the policy is reapplied; the propagation, "server not reachable" and "configuration out of date" issues should then be resolved. If the editor still does not show the change, make and revert a trivial edit in the GPO so the version number is bumped.
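The same edit, scripted, as an added example that is not from the original post: it backs up GptTmpl.inf, appends the two Citrix virtual accounts to the Administrators Members line if they are not already there (preserving the UTF-16 encoding), and then, run on a StoreFront server, checks that both accounts survive a policy refresh. The SYSVOL path with {GPO-GUID} is a placeholder you must replace; the account names and SID are the ones the post describes.

```powershell
# Added example, not code from the original post or from Citrix.
# Part 1: run from a workstation with write access to SYSVOL.
# $inf is a hypothetical path; replace lab / lab.local / {GPO-GUID} with your own values.
$inf = '\\lab\sysvol\lab.local\Policies\{GPO-GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
$accounts = @('NT SERVICE\CitrixClusterService', 'NT SERVICE\CitrixConfigurationReplication')

# Back up first: this file is the authoritative copy of the policy's security settings.
Copy-Item -LiteralPath $inf -Destination "$inf.bak-$(Get-Date -Format yyyyMMddHHmmss)"

# GptTmpl.inf is UTF-16 LE; read and write it as Unicode so secedit still parses it.
$lines   = Get-Content -LiteralPath $inf -Encoding Unicode
$updated = $false
$out = foreach ($line in $lines) {
    # *S-1-5-32-544 is the built-in Administrators group; __Members is its replacement list.
    if ($line -match '^\*S-1-5-32-544__Members\s*=\s*(.*)$') {
        # Split the existing list, dropping any trailing comma or empty entries.
        $members = @($Matches[1].Trim().TrimEnd(',') -split '\s*,\s*' | Where-Object { $_ -ne '' })
        foreach ($a in $accounts) {
            # Names are written as-is (no leading *, which is only used for raw SIDs).
            if ($members -notcontains $a) { $members += $a; $updated = $true }
        }
        '*S-1-5-32-544__Members = ' + ($members -join ',')
    } else {
        $line
    }
}
if ($updated) {
    Set-Content -LiteralPath $inf -Value $out -Encoding Unicode
    'Members line updated; run gpupdate /force on the StoreFront servers.'
} else {
    Write-Warning 'Members line not found, or both Citrix accounts were already present.'
}

# Part 2: run on each StoreFront server after gpupdate /force (or a reboot) to confirm
# the Restricted Groups policy no longer strips the two virtual service accounts.
# Get-LocalGroupMember fails outright if the group contains an orphaned SID;
# fall back to "net localgroup Administrators" in that case.
$admins  = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$missing = @($accounts | Where-Object { $admins -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning "Still missing from local Administrators: $($missing -join ', ')"
} else {
    'Both Citrix NT SERVICE accounts are present in local Administrators.'
}
```

Part 1 is idempotent, so it is safe to rerun after someone saves the GPO from the editor; Part 2 is the check to add to whatever validates StoreFront servers after a policy change, since a silent removal only shows up later as propagation errors.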
Hello David, you have no idea how grateful I am for this solution!!! Many, many thanks.
Glad it helped!
You are amazing