You can configure the broker agent to use a non-admin user for the Citrix Desktop Delivery Controller.
If you want to configure the broker agent to use a Read-Only/Custom administrator for connecting to the Citrix delivery controller, follow these steps:
Ensure that the Read-Only/Custom Administrator has read access to Site and Monitoring Databases.
Ensure that the Read-Only/Custom Administrator has read/execute/remote access over WinRM, Remote PowerShell and WMI (Root\CIMV2).
- You can achieve this by adding the user to local "Administrators" group of the delivery controller machine.
- Follow these steps if you don't want the user to have Administrator access on delivery controller.
- Login to delivery controller as full administrator.
- From a command prompt, run winrm configSDDL default and add Read/Execute permissions for the Read-Only/Custom Administrator.
- From a PowerShell prompt, run Set-PSSessionConfiguration -name Microsoft.PowerShell -ShowSecurityDescriptorUI and add Read/Execute permissions for the Read-Only/Custom Administrator.
- Go to Computer Management > Services and Applications > WMI Control.
- Right click and select Properties.
- Go to Security tab.
- Click CIMV2 > Security and add Execute Methods and Remote Enable permissions for the Read-Only/Custom Administrator.
- Restart the WinRM Service.
- Download and install the "subinacl" tool from http://www.microsoft.com/en-us/download/details.aspx?id=23510.
- From Command Prompt, navigate to subinacl installation directory. By default, it gets installed in "C:\Program Files (x86)\Windows Resource Kits\Tools".
- Run subinacl.exe /service CitrixBrokerService /grant=DOMAIN\USER_NAME=S.
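The following PowerShell script is an added verification aid, not part of the original procedure or a Citrix tool. Run it from any domain-joined Windows host after completing the steps above: it exercises each grant in turn (WinRM listener and Microsoft.PowerShell session SDDLs via Invoke-Command, Root\CIMV2 via a DCOM WMI query, CitrixBrokerService status via the subinacl grant, and Site read access via Get-BrokerSite), so a failing field points at the permission that is still missing, and the IsLocalAdmin field confirms the account did not end up in the local Administrators group. The hostname ddc01.example.local, the account EXAMPLE\svc-brokeragent and the function name Test-BrokerAgentAccess are placeholders; the Citrix.Broker.Admin.V2 snapin is assumed to be present on the delivery controller.

```powershell
# Added verification script (not from the original procedure).
# Placeholders: -Ddc hostname and the credential's user name; replace for your site.
function Test-BrokerAgentAccess {
    param(
        [Parameter(Mandatory)][string]$Ddc,
        [Parameter(Mandatory)][pscredential]$Credential
    )

    $r = [ordered]@{ Target = $Ddc; User = $Credential.UserName }

    # 1. WinRM listener + Microsoft.PowerShell session configuration.
    #    Covered by: winrm configSDDL default  and
    #    Set-PSSessionConfiguration -name Microsoft.PowerShell -ShowSecurityDescriptorUI
    try {
        $remote = Invoke-Command -ComputerName $Ddc -Credential $Credential -ErrorAction Stop -ScriptBlock {
            $id = [Security.Principal.WindowsIdentity]::GetCurrent()
            [pscustomobject]@{
                RunsAs  = $id.Name
                # Expected False when you took the non-Administrators path.
                IsAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
                              [Security.Principal.WindowsBuiltInRole]::Administrator)
                # 2. Service status query. Covered by:
                #    subinacl.exe /service CitrixBrokerService /grant=DOMAIN\USER_NAME=S
                #    (S = Query Service Status in subinacl's service rights)
                Broker  = try { (Get-Service -Name CitrixBrokerService -ErrorAction Stop).Status.ToString() }
                          catch { "FAIL: $($_.Exception.Message)" }
                # 3. Site read access. Assumes the Citrix Broker SDK snapin is installed on the DDC.
                Site    = try {
                              Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop
                              (Get-BrokerSite -ErrorAction Stop).Name
                          } catch { "FAIL: $($_.Exception.Message)" }
            }
        }
        $r.RemotePowerShell = 'OK'
        $r.RunsAs           = $remote.RunsAs
        $r.IsLocalAdmin     = $remote.IsAdmin
        $r.BrokerService    = $remote.Broker
        $r.Site             = $remote.Site
    } catch {
        $r.RemotePowerShell = "FAIL: $($_.Exception.Message)"
    }

    # 4. WMI Root\CIMV2 over DCOM (Get-WmiObject does not go through WinRM, so this
    #    isolates the WMI Control > CIMV2 > Security grant: Execute Methods + Remote Enable).
    try {
        $os = Get-WmiObject -ComputerName $Ddc -Credential $Credential -Namespace 'root\cimv2' `
                            -Class Win32_OperatingSystem -ErrorAction Stop
        $r.Wmi = "OK ($($os.Caption))"
    } catch {
        $r.Wmi = "FAIL: $($_.Exception.Message)"
    }

    [pscustomobject]$r
}

# Example invocation with placeholder names.
$cred = Get-Credential -UserName 'EXAMPLE\svc-brokeragent' -Message 'Read-Only/Custom administrator password'
Test-BrokerAgentAccess -Ddc 'ddc01.example.local' -Credential $cred | Format-List
```

Read the output top to bottom: a RemotePowerShell failure means the WinRM or session-configuration SDDL still lacks Read/Execute for the account; a Wmi failure means the CIMV2 namespace grant is missing; a BrokerService or Site failure inside an otherwise successful remote session points at the subinacl grant or the Citrix administrator role respectively. The Get-WmiObject call targets Windows PowerShell 5.1, which is what a delivery controller ships with; on PowerShell 7 use a DCOM CimSession instead.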