I've always scripted this as part of the unattended install using tsconsec.exe - I think because the values are stored in a binary key rather than being permission on a registry setting e.g. run tsconsec command on the server as part of the build: TSConSec.exe /t:ica /a:Helpdesk /p:RS /q Would set the helpdesk group to be able to reset and shadow on ica sessions. If you wanted to do a farm download psexec and run a for command Create a list of your servers - put that in servers.txt for /f "skip=3" %i in (servers.txt) do psexec \\% <http://www.brianmadden.com/forum/file:/%25%20tsconsec.exe/> tsconsec.exe /t:ICA /a:YourGroup /p:Flags /Q http://portal.loginconsultants.nl/forum/attachments/TsConSec1201.zip hth From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Stratton, Doug ISMC:EX Sent: 26 March 2009 22:19 To: thin@xxxxxxxxxxxxx Subject: [THIN] XA 4.5 ICA permissions windows 2003 Hi, Just wondering if anyone knows how to set the sercurity permissions on the ICA-TCP listener with policy (ms gp or citrix). At this point we have to set it on each server manually and wondering if it can be done otherwise? We do now have GP Preferences. Regards, Doug Stratton, Shared Service BC Service Desk Email: 77000@xxxxxxxxx Service Desk Tel: (250)387-7000