As it stands currently, the WorkAnywhere portal only allows users to be assigned to a single collection. When a user downloads their RDP file from https://myrdp.download/, the RDP file that is download is configured based on the collection the user is assigned in the WorkAnywhere portal. If a user belongs to two different collections at the same time it is unlikely they will be able to download a properly configured RDP file. Due to this limitation a workaround will have to be implemented to grant a user access to applications in multiple collections. We are working on implementing a solution for this in the WorkAnywhere portal, and we will notify all of our clients upon release.
Create a security group in the WorkAnywhere portal that contains all the users you would like to grant access to the application that exists in another collection. In this example, we’ll be creating the Mozilla Firefox security group and adding the test three user. The Mozilla Firefox application is going to be assigned to a collection called Web Browsers.
If you’re unsure how to create a security group in the WorkAnywhere portal, please refer to our Help Library: Security Groups | itopia Help Center
Now, go to the Applications module, and assign the application to your desired collection & Security Group. In this example, we’ll be assigning the Mozilla Firefox application to the Web Browsers collection and Mozilla Firefox security group.
If you’re unsure how to install an application in the WorkAnywhere portal, please refer to our Help Library: Applications | itopia Help Center
Once the application has finished updating based on the changes you just made, login to your Primary Domain Controller
While logged into your Primary Domain Controller and open Active Directory Users and Computers. Click on the magnifying glass in the bottom left corner and begin typing Active Directory Users and Computers to bring it up.
In Active Directory Users and Computers, navigate to the below path
Insert-Domain-Name-Here →Insert-Deployment-code Deployment Name ---> BGroups
In the right-hand pane, you will see your collection group as well as all of your application allow groups. In order for a user to successfully see an application in RDWeb, they must meet the below criteria:
● The user must belong to the allow group, whether directly, or through another security group.
● The user must belong to the collection group, whether directly, or through another
security group.
The names of the collection groups, and allow application groups will be needed later on. Please make note of them, or simply go back to your B Groups OU by referring to the screenshot above.
Now, navigate to the path below
Insert-Domain-Name-Here →Insert-Deployment-code Deployment Name ---> Groups
On the left-hand pane, you will see all the Security Groups that you have created for your deployment.
Double-click on your desired security group and click on the Members tab. Double check that the correct user belongs to this group. In this example, the only user that should be part of this group is t3, because that user is currently assigned to the Default collection, and we want this user to have access to applications in the Web Browsers collection.
Now, click on the Members Of tab. Here, you’re going to add in the collection that contains the application(s) that you want users of this group to have access to. WorkAnywhere typically follows the below naming convention for collection groups.
collection-(insert-collection-name-here)
Following our example, we’re going to add in the collection-webbrowsers group to the Members Of tab
Next, we’re going to add in the Allow groups for the application. Without it, the user will not see the application in RDWeb.
If you would like to double-check what the name of your application group is, navigate to the BGroups OU as explained in the beginning of this section.
In this example, the name of the application group for Mozilla Firefox is Allow-16301-7206
We’re going to add the Allow application group to the Members Of tab in the Mozilla Firefox Security Group. In this example, the Allow group is called Allow-16301-7206
Click Apply and then OK when complete.
Now, login to your Broker server.
Click on the Windows icon in the bottom left corner of the screen and search for Services. Click on the Services Desktop app when it appears.
Search for the Remote Desktop Connection Broker service and click on Restart
When the service is done restarting, navigate to your RDweb page, and login as a user that belongs to the Security Group that was worked on in this Help center article.
Congratulations, you have successfully assigned an application(s) to a user via Security Group!
Note that the Notepad Plus application and the Mozilla Firefox application both belong to different collections. The fact that we are now able to see them both at the same time on the RDweb page confirms that the steps taken in this guide were successful.
Fin.
Using A Script to Re-add Users To The Appropriate Groups
To understand this script, we must first realize that WorkAnywhere provides access to an application via an allow security group. In the description of the allow security group, you will find the name of the application. The script being used as an example will specifically target all application groups with the word BROWSER in them, and adding them to the WEB BROWSER security group. You can substitute your own values that correspond to your specific situation.
Below is an example of what the script looks like without placeholders
__________________________________________________________________
import-module activedirectory
$browser_groups = get-adgroup -Filter "description -like '*BROWSER'"
foreach ($browser_group in $browser_groups){
if ((get-adgroupmember $browser_group).name -ne "WEB BROWSERS"){
add-adgroupmember -Members "WEB BROWSERS" -Identity $browser_group}
}
__________________________________________________________________
Below is an example of the script with our browser placeholders
__________________________________________________________________
import-module activedirectory
$insert-group-name-here_groups = get-adgroup -Filter "description -like
'*insert-name-of-application-here'"
foreach ($insert-group-name-here_group in $insert-group-name-here_groups){
if ((get-adgroupmember $insert-group-name-here_group).name -ne
"insert-security-group-name-here"){
add-adgroupmember -Members "insert-security-group-name-here" -Identity
$insert-group-name-here_group}
}
__________________________________________________________________
In short, this script looks for all Security groups whose name ends in BROWSER. From there, for each Security group whose name ends in BROWSER, the WEB BROWSERS security group will be added. For this purpose, we have placed the word BROWSER at the end of all of our applications. We will break down each line below, to provide more context.
import-module activedirectory
The first line adds the Active Directory module to the current session. The Active Directory module for Windows PowerShell is a PowerShell module that consolidates a group of cmdlets. You can use these cmdlets to manage your Active Directory domains, Active Directory Lightweight Directory Services (AD LDS) configuration sets, and Active Directory Database Mounting Tool instances in a single, self-contained package.
$browser_groups = get-adgroup -Filter "description -like '*BROWSER'"
The second line defines the $browser_groups variable that we are using. Note that in your script, you don’t have to name your variable $browser_groups, we simply chose this because it is relevant to the situation present in this article. You are free to name your variable whatever you want.
Specifically, this line uses the Get-ADGroup cmdlet, which gets a group or performs a search to retrieve multiple groups from an Active Directory. The Identity parameter specifies the Active Directory group to get. You can identify a group by its distinguished name (DN), GUID, securityidentifier (SID), Security Accounts Manager (SAM) account name, or canonical name. You can also specify a group object variable, such as $<localGroupObject>.
To search for and retrieve more than one group, use the Filter or LDAPFilter parameters. The Filter parameter uses the PowerShell Expression Language to write query strings for Active Directory. PowerShell Expression Language syntax provides rich type conversion support for value types received by the Filter parameter.
foreach ($browser_group in $browser_groups){
The third line contains the ForEach-Object cmdlet, which is used to perform an operation against each item in a collection of input objects. This line is basically saying: For each group that ends in browsers, the script is going to perform what is written in the following lines.
if ((get-adgroupmember $browser_group).name -ne "WEB BROWSERS"){
The fourth line uses the Get-ADGroupMember cmdlet, which gets the members of an Active Directory group. Members can be users, groups, and computers. The Identity parameter specifies the Active Directory group to access. You can identify a group by its distinguished name, GUID, security identifier, or Security Account Manager (SAM) account name.
You can also specify the group by passing a group object through the pipeline. For example, you can use the Get-ADGroup cmdlet to get a group object and then pass the object through the pipeline to the Get-ADGroupMember cmdlet. If the Recursive parameter is specified, the cmdlet gets all members in the hierarchy of the group that do not contain child objects. This line is getting all of the groups that end in BROWSERS and checking to see if they belong to the WEB
BROWSERS group
add-adgroupmember -Members "WEB BROWSERS" -Identity $browser_group}
}
The fifth (and last) line uses the Add-ADGroupMember cmdlet, which adds one or more users, groups, service accounts, or computers as new members of an Active Directory group.
The Identity parameter specifies the Active Directory group that receives the new members. You can identify a group by its distinguished name, GUID, security identifier, or Security Account Manager (SAM) account name. You can also specify group object variables, such as $<localGroupObject>, or pass a group object through the pipeline to the Identity parameter. For example, you can use the Get-ADGroup cmdlet to get a group object and then pass the object through the pipeline to the Add-ADGroupMember cmdlet.
The Members parameter specifies the new members to add to a group. You can identify a new member by its distinguished name, GUID, security identifier, or SAM account name. You can also specify user, computer, and group object variables, such as $<localUserObject>. If you are specifying more than one new member, use a comma-separated list. You cannot pass user, computer, or group objects through the pipeline to this cmdlet. This line follows the previous line. If the groups from the previous line don’t belong to the WEB BROWSERS group, then they will get added to the WEB BROWSERS group.
This same script can be used for multiple groups. If you have multiple applications that needs to be assigned via Security Group, you can simply copy and paste the script a second time, but with different placeholders that correspond to your specific situation. We’ve provided an example below.
__________________________________________________________________
import-module activedirectory
$insert-group-name-here_groups = get-adgroup -Filter "description -like
'*insert-name-of-application-here'"
foreach ($insert-group-name-here_group in $insert-group-name-here_groups){
if ((get-adgroupmember $insert-group-name-here_group).name -ne
"insert-security-group-name-here"){
add-adgroupmember -Members "insert-security-group-name-here" -Identity
$insert-group-name-here_group}
}
$insert-group-name-here_groups = get-adgroup -Filter "description -like
'*insert-name-of-application-here'"
foreach ($insert-group-name-here_group in $insert-group-name-here_groups){
if ((get-adgroupmember $insert-group-name-here_group).name -ne
"insert-security-group-name-here"){
add-adgroupmember -Members "insert-security-group-name-here" -Identity
$insert-group-name-here_group}
}
__________________________________________________________________
NOTE: This is a workaround, and for the most part, everything in this guide is done outside of WorkAnywhere. By editing the composition of Security Groups, you assume the liability of making changes to the Windows OS outside of WorkAnywhere. Our primary scope of support is limited to the automation that WorkAnywhere provides , such as additional servers being built via Autoscale, or servers being powered on/off via our Dynamic Uptime feature. If you choose to follow the steps in this guide, you should be experienced with navigating Active Directory. While we will do our best to assist you in the event that you run into an issue, please be aware that this is outside our primary scope of support, so ultimately, we are not responsible for any incidents that come from following this guide. We are simply providing our customers with a framework to follow.