Yes, my statement was too general. It depends on the exact structure of your AD in terms of OUs and Groups- CAG is somewhat limited in what how it can traverse and understand AD objects. If you want more specific control you can add a RADIUS authentication server and get a lot more granular.... Steve Greenberg Thin Client Computing 34522 N. Scottsdale Rd D8453 Scottsdale, AZ 85266 (602) 432-8649 www.thinclient.net steveg@xxxxxxxxxxxxxx -----Original Message----- From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Chad Schneider (IT) Sent: Wednesday, January 23, 2008 5:47 AM To: thin@xxxxxxxxxxxxx Subject: [THIN] Re: CAG Default User Group That does not appear to be correct. So long as an AD user (even if they are not in a corresponding CAG group) signs onto the CAG, they can sign on successfully. What can they get to, appears to be not much, but what I have done is pass them to a WI page, and since they are not in a group granting rights to applications via that WI site, they get an empty WI page, and I have also limited them to TCP 1494. Chad Schneider Systems Engineer ThedaCare IT 920-735-7615 >>> "Steve Greenberg" <steveg@xxxxxxxxxxxxxx> 01/22/08 3:11 PM >>> Exactly, AD authentication is looking to match a local CAG group with the AD group. If you assign no resource to the default group, there is nothing to access and no users in the group who can log in... Steve Greenberg Thin Client Computing 34522 N. Scottsdale Rd D8453 Scottsdale, AZ 85266 (602) 432-8649 www.thinclient.net steveg@xxxxxxxxxxxxxx _____ From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Chad Schneider (IT) Sent: Tuesday, January 22, 2008 1:42 PM To: thin@xxxxxxxxxxxxx Subject: [THIN] Re: CAG Default User Group AD This is making more sense, as long as they are in AD, they have rights to sign on, as they are "default" users. I set this to a WI site, that has no available applications, so they sign on, they basically get nothing. >>> On 1/22/2008 at 2:31 PM, <steveg@xxxxxxxxxxxxxx> wrote: Are you using AD and/or Radius to authenticate the users that you want to have access? Steve Greenberg Thin Client Computing 34522 N. Scottsdale Rd D8453 Scottsdale, AZ 85266 (602) 432-8649 www.thinclient.net steveg@xxxxxxxxxxxxxx _____ From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Chad Schneider (IT) Sent: Tuesday, January 22, 2008 11:54 AM To: thin@xxxxxxxxxxxxx Subject: [THIN] CAG Default User Group I want to only allow users in my created groups, access to my Citrix Access Gateway. unfortunately, the default group is quite open. It can not be deleted. Suggestions as to how to lock out users from the Access Gateway, if they are not in a specified group? Chad Schneider Systems Engineer ThedaCare IT 920-735-7615 ************************************************ For Archives, RSS, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: //www.freelists.org/list/thin ************************************************ ************************************************ For Archives, RSS, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: //www.freelists.org/list/thin ************************************************