During a cleanup task in my lab environment I deleted an OU in Active Directory which contained a security group that was assigned the "Full Access" permission in Citrix Workspace Environment Management (WEM). When I then tried to connect to the WEM infrastructure server, I received the following error message:
“You are not registered as a Workspace Environment Management Administrator. Therefore, you are not allowed to access the service. Please contact your Workspace Environment Management Administrator to gain access.”
To regain access to the WEM console we could simply restore the deleted security group with the help of the Active Directory Recycle Bin (if it is enabled), or we can look at the tables of the WEM SQL database and find a different way to get access to the console back.
With the following SQL query we can see which users and groups are listed for administrative access to the WEM console:
SELECT TOP (1000) [IdAdmin], [Name], [State], [Type], [Permissions], [RevisionId]
FROM [WEM].[dbo].[VUEMAdministrators]
The group with the SID "S-1-5-21-2144917800-3565007536-2997083959-500" is the one which got deleted. Note: the table always stores the SID and never the common name, even when the user or group still exists in Active Directory.
Explanation of the available attributes:
State
1: Enabled
0: Disabled
Type
1: User account
2: Security group
Permissions
Full-Access:
<?xml version="1.0" encoding="utf-8"?><ArrayOfVUEMAdminPermission xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><VUEMAdminPermission><idSite>0</idSite><AuthorizationLevel>FullAccess</AuthorizationLevel></VUEMAdminPermission></ArrayOfVUEMAdminPermission>
ReadOnly:
<?xml version="1.0" encoding="utf-8"?><ArrayOfVUEMAdminPermission xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><VUEMAdminPermission><idSite>0</idSite><AuthorizationLevel>ReadOnly</AuthorizationLevel></VUEMAdminPermission></ArrayOfVUEMAdminPermission>
Solution
First of all we create a new security group "WEM_FullAccess" and determine its SID: Get-ADGroup -Identity "WEM_FullAccess"
Now we can edit the table "dbo.VUEMAdministrators" and replace the orphaned SID in the Name column with the SID of the group we just created. Close the opened table afterwards, otherwise the change will not be applied.
At this point we should be able to log in to the WEM console again.
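The same swap as a script, added here as an example that is not part of the original post: it resolves the SID of the new group with Get-ADGroup, finds the rows in dbo.VUEMAdministrators whose SID no longer resolves in Active Directory, and updates the orphaned full-access group row with Invoke-Sqlcmd instead of editing the table by hand. It assumes the ActiveDirectory and SqlServer PowerShell modules are installed; the SQL instance name is a placeholder.

```powershell
# Added example, not code from the original post.
# Assumes the ActiveDirectory and SqlServer modules are installed and the
# account running it may read and update the WEM database.
Import-Module ActiveDirectory
Import-Module SqlServer

$SqlInstance = 'WEM-SQL01'      # placeholder: your WEM database server
$Database    = 'WEM'            # database name used in the post
$NewGroup    = 'WEM_FullAccess' # replacement group created in the post

# SID of the replacement group (the same value Get-ADGroup shows in the post).
$newSid = (Get-ADGroup -Identity $NewGroup).SID.Value

# Read the administrator table; Name holds a SID, never an account name.
$admins = Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $Database -Query @'
SELECT IdAdmin, Name, State, Type, Permissions FROM dbo.VUEMAdministrators
'@

# An entry is orphaned when its SID can no longer be translated to an account.
$orphaned = foreach ($row in $admins) {
    try {
        $sid = [System.Security.Principal.SecurityIdentifier]::new($row.Name)
        $null = $sid.Translate([System.Security.Principal.NTAccount])
    } catch {
        $row   # IdentityNotMappedException (or a malformed SID): keep the row
    }
}

# Only touch an orphaned security group (Type 2) with FullAccess permissions,
# and refuse to guess if there is not exactly one such row.
$target = @($orphaned | Where-Object { $_.Type -eq 2 -and $_.Permissions -like '*FullAccess*' })
if ($target.Count -ne 1) {
    throw "Expected exactly one orphaned full-access group, found $($target.Count)"
}

# Swap the SID. The WHERE clause pins both the key and the old value, so the
# update is a no-op if the row was already changed. Back up the database first.
Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $Database -Query @'
UPDATE dbo.VUEMAdministrators
   SET Name = $(NewSid)
 WHERE IdAdmin = $(IdAdmin) AND Name = $(OldSid)
'@ -Variable @("NewSid='$newSid'", "IdAdmin=$($target[0].IdAdmin)", "OldSid='$($target[0].Name)'")

Write-Host "Replaced $($target[0].Name) with $newSid for IdAdmin $($target[0].IdAdmin)"
```

Because the UPDATE is committed by Invoke-Sqlcmd directly, there is no open table editor that has to be closed for the change to take effect.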
We have access to the Workspace Environment Management console back. I hope this helps some people who have been as stupid as me 🙂