Yep, me too. With TSConSec the Reset does not show in the GUI. However, if it's not set, then the Logoff permission will not be selected. This can be quite frustrating to work out, so be careful. But you can also use the win32_tspermissionssetting WMI Class... Here is an extract from one of my scripts... -------start of script------- Call ListenerPerms("ICA-TCP","Shadowers") wscript.quit(0) Sub ListenerPerms(strListener,strGroup) Dim wshnetwork, strComputer, objWMIService, colitems, i, errResult, objitem, itm, intQuery, intLogoff, intShadow, intLogon, intMsg, intConnect, intDisconnect Set wshnetwork = WScript.CreateObject("wscript.network") strComputer = wshnetwork.ComputerName Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2") set colitems = objwmiservice.execquery("select * from win32_tspermissionssetting where terminalname='" & strListener & "'") for each i in colitems errResult = i.addaccount(lcase(strGroup),0) next ' Note that we must use the actual computer name and not a "." set objitem = objwmiservice.execquery("select * from win32_tsaccount where AccountName ='" & strComputer & "\\" & strGroup & "'") for each itm in objitem intQuery = itm.modifypermissions(0,True) intLogoff = itm.modifypermissions(2,True) intShadow = itm.modifypermissions(4,True) intLogon = itm.modifypermissions(5,True) intMsg = itm.modifypermissions(7,True) intConnect = itm.modifypermissions(8,True) intDisconnect = itm.modifypermissions(9,True) next Set wshnetwork = Nothing Set objWMIService = Nothing set colitems = Nothing set objitem = Nothing end sub -------end of script------- This runs in my build scripts, but you can run it afterwards using PSEXEC. It will also probably work as a Startup script too. I hope that helps. Cheers, Jeremy. From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Andrew Wood Sent: Friday, March 27, 2009 8:59 AM To: thin@xxxxxxxxxxxxx Subject: [THIN] Re: XA 4.5 ICA permissions windows 2003 I've always scripted this as part of the unattended install using tsconsec.exe - I think because the values are stored in a binary key rather than being permission on a registry setting e.g. run tsconsec command on the server as part of the build: TSConSec.exe /t:ica /a:Helpdesk /p:RS /q Would set the helpdesk group to be able to reset and shadow on ica sessions. If you wanted to do a farm download psexec and run a for command Create a list of your servers - put that in servers.txt for /f "skip=3" %i in (servers.txt) do psexec \\% tsconsec.exe <http://www.brianmadden.com/forum/file:/%25%20tsconsec.exe/> /t:ICA /a:YourGroup /p:Flags /Q http://portal.loginconsultants.nl/forum/attachments/TsConSec1201.zip hth From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Stratton, Doug ISMC:EX Sent: 26 March 2009 22:19 To: thin@xxxxxxxxxxxxx Subject: [THIN] XA 4.5 ICA permissions windows 2003 Hi, Just wondering if anyone knows how to set the sercurity permissions on the ICA-TCP listener with policy (ms gp or citrix). At this point we have to set it on each server manually and wondering if it can be done otherwise? We do now have GP Preferences. Regards, Doug Stratton, Shared Service BC Service Desk Email: 77000@xxxxxxxxx Service Desk Tel: (250)387-7000 ##################################################################################### Confidentiality and Privilege Notice This document is intended solely for the named addressee. The information contained in the pages is confidential and contains legally privileged information. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy or deliver this message to anyone, and you should destroy this message and kindly notify the sender by reply email. Confidentiality and legal privilege are not waived or lost by reason of mistaken delivery to you. #####################################################################################