Citrix WEM – Locked out of Management Console?

Reading Time: 2 minutes

During a cleanup task in my lab environment I deleted an OU in Active Directory which contained a security group that has been assigned to the “Full Access” permission in Citrix Environment Management. When I tried connecting to the WEM infrastructure server I received the following error message:

“You are not registered as a Workspace Environment Management Administrator. Therefore, you are not allowed to access the service. Please contact your Workspace Environment Management Administrator to gain access.”

To get back access to the WEM console, we could easily restore the deleted security group with the help of Active Directory recycle bin (if it is enabled) OR we could have a look at the tables of the SQL database and figure out a different way to get back access to console.

With the following SQL query we can see which users and groups are listed for the administrative access to the WEM console.

2019-06-30 12_23_26-mRemoteNG - confCons.xml - XDC-01

The group with the SID “S-1-5-21-2144917800-3565007536-2997083959-500” is the one which got deleted. Note: Even if the user or group is still available in Active Directory you will always see the SID and never the common name.

Explanation of the available attributes:

1: Enabled
0: Disabled

1: User-Account
2: Security-Group



First of all we are going to create a new security group “WEM_FullAccess” and determine the SID of it —> Get-ADGroup -Identity “WEM_FullAccess”

2019-06-30 13_11_00-mRemoteNG - confCons.xml - DC-01

Now we can edit the table “dbo.VUEMAdministrators” and swap the orphaned SID with the one we just created. Close the opened table otherwise the change will not apply.

2019-07-01 06_40_57-Window


2019-07-01 06_59_09-Window

At this point we should be able to login to the WEM console again.

2019-07-01 06_46_21-Window.png

We are having back access to the Workspace Environemnt Management Console. I hope this is helping some people who have been as stupid as me 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *