You can configure the broker agent to use a non-admin user for the Citrix Desktop Delivery Controller.

Prerequisites

If you want to configure the broker agent to use a Read-Only/Custom administrator for connecting to the Citrix delivery controller, follow these steps:

  • Ensure that the Read-Only/Custom Administrator has read access to the Site and Monitoring databases.

  • Ensure that the Read-Only/Custom Administrator has read/execute/remote access over WinRM, Remote PowerShell, and WMI (Root\CIMV2).

Procedure

  1. You can achieve this by adding the user to the local "Administrators" group of the delivery controller machine.

    or

  2. Follow these steps if you don't want the user to have Administrator access on the delivery controller.
    1. Log in to the delivery controller as a full administrator.
    2. Run the command winrm configSDDL default from a command prompt. Add Read/Execute permissions for the Read-Only/Custom Administrator.
    3. Run Set-PSSessionConfiguration -name Microsoft.PowerShell -ShowSecurityDescriptorUI from a PowerShell prompt. Add Read/Execute permissions for the Read-Only/Custom Administrator.
    4. Go to Computer Management > Services and Applications > WMI Control.
    5. Right-click WMI Control and select Properties.
    6. Go to Security tab.
    7. Click CIMV2 > Security.

      Add Execute Methods and Remote Enable permissions for Read-Only/Custom Administrator.

    8. Restart the WinRM Service.
    9. Download and install the "subinacl" tool from http://www.microsoft.com/en-us/download/details.aspx?id=23510.
    10. Add Execute Methods and Remote Enable permissions for Read-Only/Custom Administrator.
    11. From a command prompt, navigate to the subinacl installation directory. By default, it is installed in "C:\Program Files (x86)\Windows Resource Kits\Tools".
    12. Run subinacl.exe /service CitrixBrokerService /grant=DOMAIN\USER_NAME=S.
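
The following audit script is an added example, not part of the original procedure or the vendor's tooling. It checks that the grants made in option 2 landed on each security descriptor and that the account stayed out of the local Administrators group. It assumes an elevated Windows PowerShell 5.1 session on the delivery controller and permissions granted directly to the account (grants inherited through a group are not followed); the variable names and report layout are illustrative.

```powershell
# Added example (not vendor code). Run elevated in Windows PowerShell 5.1 on the
# delivery controller. DOMAIN\USER_NAME is the page's placeholder account.
param([string]$Account = 'DOMAIN\USER_NAME')
$ErrorActionPreference = 'Stop'

$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Allow ACEs in an SDDL string that name the account directly.
function Get-DirectAce([string]$Sddl) {
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    $sd.DiscretionaryAcl | Where-Object {
        $_.AceType -eq 'AccessAllowed' -and $_.SecurityIdentifier.Value -eq $sid }
}

# Security descriptors edited in sub-steps 2, 3 and 12 of option 2.
$sddl = [ordered]@{
    'WinRM RootSDDL'                = { (Get-Item WSMan:\localhost\Service\RootSDDL).Value }
    'Microsoft.PowerShell endpoint' = { (Get-PSSessionConfiguration -Name Microsoft.PowerShell).SecurityDescriptorSddl }
    'CitrixBrokerService'           = { (sc.exe sdshow CitrixBrokerService | Where-Object { $_ }) -join '' }
}
$report = foreach ($name in $sddl.Keys) {
    try   { $aces = @(Get-DirectAce (& $sddl[$name])) }
    catch { $aces = @(); Write-Warning "${name}: security descriptor not readable" }
    [pscustomobject]@{
        Check  = $name
        Result = $aces.Count -gt 0
        Detail = ($aces | ForEach-Object { '0x{0:X8}' -f $_.AccessMask }) -join ', '
    }
}

# WMI root\cimv2 (sub-steps 4-7): Execute Methods = 0x2, Remote Enable = 0x20.
$mask = 0
$dacl = (Invoke-WmiMethod -Namespace root\cimv2 -Path '__SystemSecurity=@' `
            -Name GetSecurityDescriptor).Descriptor.DACL
foreach ($ace in $dacl) {
    if ($ace.AceType -eq 0 -and $ace.Trustee.SIDString -eq $sid) { $mask = $mask -bor $ace.AccessMask }
}
$report += [pscustomobject]@{ Check = 'WMI root\cimv2'; Result = ($mask -band 0x22) -eq 0x22
                              Detail = '0x{0:X8}' -f $mask }

# Least-privilege goal of option 2: the account should NOT be a local administrator.
$admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object { $_.SID.Value })
$report += [pscustomobject]@{ Check = 'Not in local Administrators'
                              Result = $admins -notcontains $sid; Detail = '' }
$report | Format-Table -AutoSize
```

A row with Result False marks a grant that is missing or was made through a group; the Detail column shows the raw access mask so that broader-than-intended rights stand out.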