
Background:

Two services handle much of Citrix's App-V integration work.

1.) The Citrix Application Library Service running on the Delivery Controller is responsible for importing App-V packages into Studio.
2.) The Citrix Desktop Service (specifically, the App-V broker agent plug-in that is part of this service), running on the VDA, is responsible for copying the App-V packages from the package share location to the local c:\windows\temp\CitrixAppVPkgCache folder.

Both of these services run under the context of Microsoft’s NetworkService account.

When the NetworkService account on a machine makes a request for a network resource, it does not identify itself as the NetworkService account. Instead, it presents an access token that contains the SIDs of the following three accounts:

1.) The computer account of the machine on which the service is running
2.) The Authenticated Users group
3.) The Everyone group

Therefore, you can reference any one of the above accounts when assigning permissions to the NetworkService account of a remote machine.

Permission Requirements:

In Dual Admin Mode implementations, the following permissions are required:

1.) The following accounts require at least effective READ share and NTFS permissions on the App-V package shared folder:

  1. Any one of the following accounts: The computer account of the Delivery Controller (or the Authenticated Users or Everyone group). 
  2. Any one of the following accounts: The computer account of the VDA (or the Authenticated Users or Everyone group).
  3. The user account(s) who will be launching the application.

Assigning READ permissions to only the Everyone or Authenticated Users group above would satisfy all access requirements.

In Single Admin Mode implementations, the following permissions are required:

1.) The following accounts require at least effective READ share and NTFS permissions on the App-V package shared folder: 

  1. Any one of the following accounts: The computer account of the Delivery Controller (or the Authenticated Users or Everyone group). 
  2. Any one of the following accounts: The computer account of the VDA (or the Authenticated Users or Everyone group). 
  3. The user account(s) who will be launching the application.

Assigning READ permissions to only the Everyone or Authenticated Users group above would satisfy all access requirements.

2.) The following accounts require at least effective READ and WRITE NTFS permissions on the c:\windows\temp\citrixappvpkgcache folder on the VDA:

  1. Any one of the following accounts: The computer account of the VDA (or the Authenticated Users or Everyone group). 
  2. The user account(s) who will be launching the application.

Assigning READ/WRITE permissions to only the Everyone or Authenticated Users group above would satisfy all access requirements.

NOTE: In versions 7.14 and newer, the citrixAppvPackageCache folder is no longer created/used.
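
The share and NTFS READ grants listed above for both modes, applied to the named computer accounts and a user group instead of Everyone or Authenticated Users. This is an added example, not part of the original article or of Citrix's documentation; the share name, path, domain, machine names and group are placeholders you must replace.

```powershell
# Added example. Every name below is a placeholder (assumption), not a value from the article.
$ShareName  = 'AppVPackages'        # SMB share holding the App-V packages
$SharePath  = 'D:\AppVPackages'     # local folder behind that share (run this on the file server)
$Principals = @(
    'CONTOSO\DDC01$',               # Delivery Controller computer account (note the trailing $)
    'CONTOSO\VDA01$',               # VDA computer account
    'CONTOSO\AppV-Users'            # group containing the users who launch the application
)

function Add-NtfsRule {
    # Adds an inheritable Allow rule for each principal on the given folder.
    param([string]$Path, [string[]]$Accounts, [string]$Rights)
    $acl = Get-Acl -Path $Path
    foreach ($account in $Accounts) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $account, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# 1. Share-level READ for each principal.
foreach ($account in $Principals) {
    Grant-SmbShareAccess -Name $ShareName -AccountName $account -AccessRight Read -Force | Out-Null
}

# 2. NTFS READ on the package folder, inherited by subfolders and files.
Add-NtfsRule -Path $SharePath -Accounts $Principals -Rights 'Read'

# 3. Single Admin Mode only, versions before 7.14: run on the VDA itself to grant
#    READ and WRITE on the package cache folder.
# Add-NtfsRule -Path 'C:\Windows\Temp\CitrixAppVPkgCache' `
#     -Accounts 'CONTOSO\VDA01$', 'CONTOSO\AppV-Users' -Rights 'Read, Write'

# 4. Review the result: both the share ACL and the NTFS ACL must allow the access.
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessControlType, AccessRight
(Get-Acl -Path $SharePath).Access |
    Where-Object { $Principals -contains $_.IdentityReference.Value } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

Effective access is the intersection of the share and NTFS permissions, so a principal missing from either list in step 4 will still be denied.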

Ref: https://support.citrix.com/article/CTX221296