Exactly, AD authentication is looking to match a local CAG group with the AD group. If you assign no resource to the default group, there is nothing to access and no users in the group who can log in... Steve Greenberg Thin Client Computing 34522 N. Scottsdale Rd D8453 Scottsdale, AZ 85266 (602) 432-8649 www.thinclient.net steveg@xxxxxxxxxxxxxx _____ From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Chad Schneider (IT) Sent: Tuesday, January 22, 2008 1:42 PM To: thin@xxxxxxxxxxxxx Subject: [THIN] Re: CAG Default User Group AD This is making more sense, as long as they are in AD, they have rights to sign on, as they are "default" users. I set this to a WI site, that has no available applications, so they sign on, they basically get nothing. >>> On 1/22/2008 at 2:31 PM, <steveg@xxxxxxxxxxxxxx> wrote: Are you using AD and/or Radius to authenticate the users that you want to have access? Steve Greenberg Thin Client Computing 34522 N. Scottsdale Rd D8453 Scottsdale, AZ 85266 (602) 432-8649 www.thinclient.net steveg@xxxxxxxxxxxxxx _____ From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Chad Schneider (IT) Sent: Tuesday, January 22, 2008 11:54 AM To: thin@xxxxxxxxxxxxx Subject: [THIN] CAG Default User Group I want to only allow users in my created groups, access to my Citrix Access Gateway. unfortunately, the default group is quite open. It can not be deleted. Suggestions as to how to lock out users from the Access Gateway, if they are not in a specified group? Chad Schneider Systems Engineer ThedaCare IT 920-735-7615