Assigning published applications to users may be a very simple task, but if not managed well, it can end up creating more problems. I have seen customers assigning individual user accounts to the published apps in the Citrix admin console and this can get very problematic as there are danger of assignment inconsistency. Usually, we use Active Directory groups to manage the assignments. In Microsoft world, there are 3 types of AD groups – domain local, global and universal group. I am frequently asked by customers what is the best practice in managing the applications assignment, and I would refer them to Microsoft’s best practice (scroll to the last section of the page).

According to Microsoft’s recommendation, use Domain local group to manage access to resources, i.e. published apps. Next, use global groups to manage users in a particular domain, then grant the users access to the published apps by making the global groups a member of the local group. Finally there is universal group which can consolidate global groups from different domains, but so far I have not come across customers using universal groups yet.

To give a XenApp specific scenario for example, let’s say there are two different domains, Domain A and Domain B, and the XenApp servers are in Domain A. To assign, let’s say HR users from both Domains to the published apps, create global groups “G_HR” for each Domains and assigned the HR users  to the respective Domain global group. In the XenApp servers’ domain (Domain A), create a local group for each applications and make the “DomainA\G_HR” and “DomainB\G_HR” member of these local groups if they need to use the applications.

Even if there is only 1 Domain, I would recommend to use this approach. If there is a need to migrate your users or XA servers to a different Domain in the future, it may help to make the transition smoother.