Citrix XenApp 6.5 and Powershell

-
Cool! Citrix has powershell.  First thing I did was run a request to update all the group memberships from a confusing array of what looks like an organic process whereby users and groups are used with abandon to ACL Citrix applications.

So what I did was list out all the applications and then using Quest AD tools create groups called "XenApp - " + <application name> this worked great!

I couldn't get the remoting to work - we don't have a PKI here?!?!  SO this is a two stage process, output the applications to a csv and the import to create the groups.

Next I populated each application with these groups.  Nothing worked.  I first thought that the error - Cannot find group - meant that replication hadn't happened.  So I waited.  This was not the case.

It seems that Quest AD tools do not create the pre-Windows 2000 name for the group.  This is what Citrix uses to ensure that the group exists before it will assign this to an application.

I could not find a way around this, I tried setting the SAMAccountName which looks like it should work but this fails (for me).

Anyways I bit the manual bullet and put the names in by hand.  Ergh!

Then everything worked fine.  

 I had a script to get all my apps.  One more to create the groups called the app names - I stuck "XenApp - " on the front of the group names and a final script to assign those groups back to the applications.

For what it is worth here is my powershell:

Citrix one liner:
Get-XAApplication | Select DisplayName

Quest stuff:
# add Quest AD Snap In
Add-PSSnapin Quest.activeroles.admanagement -ErrorAction SilentlyContinue

 # Read in application list
$grouplist = Get-Content C:\Scripts\applications.csv

 $ou = Get-QADObject("OU=CITRIX,OU=GROUPS,DC=DOMAIN,DC=COM")

 # Now make a group for each Application
foreach($group in $grouplist){

     # Get the Name of the group
    $name = "XenApp - " + $group
    $iName = $name.Replace(" ","_")
    $iName
    New-QADGroup -ParentContainer $OU -Name $name -DisplayName $name -GroupType Security -GroupScope Global -SamAccountName $iName
}

Citrix Stuff again
# Get the list of all the applications
$applist = Get-XAApplication

 foreach($app in $applist){

     $account = "DOMAIN\XenApp - " + $app.DisplayName
    Add-XAAccount -BrowserName $app.DisplayName -Accounts $account
}

Comments

Post a Comment

Popular posts from this blog

PXE booting, MDT and 802.1x

-
Image
Oh dear. We implemented site wide 802.1x when we moved. This has caused numerous issues which we are still tracking down and killing with fire. Again "only-when-we-needed-it" struck as we had a new starter and need to build a machine. Ah.   No PXE.  However thankfully we were able to make a bootable USB using 802.1x and get our build working again from MDT in our 802.1 environment. Here's how we did it.   Caveats:  I'm assuming you know MDT and how PXE works. We use Computer certificates as the 8021x auth method. 802.1x is working in our environment GPO is used to start the wired 802.1x service on built machines. GPO is used to configure the network profile to use 802.1x What you need Get a USB stick to take your WinPE 4GB may be enough Make sure you are running an up to date working MDT installation! Create a machine certificate which has a long expiry date, you don't want to be making USB WinPE images every month!! Export the machine ...
Read more

NetScaler VPX and Exchange 2010

-
Image
From the title you can guess that we have Exchange 2010 (SP1 CU6 - with Hotfix for EVault) and we are using NetScaler VPX to load balance the services.  I used the excellent document from Citrix to configure the NetScalers (we have two in active/active - sort of using VMACs to split the traffic RPC to one, HTTP(S) and SMTP to the other). However I found a document from Microsoft which points out that there is "significant performance penalty" if we configure incorrect persistence for EAS.  The Microsoft document is here: http://technet.microsoft.com/en-us/library/ff625248.aspx This put us in a pickle and no mistake.  This is because in a NetScaler persistence is per vServer.  We have one vServer for HTTPS as we have one IP address for all HTTP traffic.  This vServer would then deal with all HTTPS traffic including OWA,ECP,EWS,RPC over HTTPS and EAS.  OWA requires cookie based persistence, this is also the method the Citrix doc...
Read more

Security Policy 1001

-
We had an annoying warning showing every 5 minutes on our Read Only Domain Controllers.  This didn't affect service but meant we were losing our logs of important events (should the have occurred) "Security policy cannot be propagated. Security Configuration Server (in services.exe) is not ready. This is probably in system reboot. Policy will be tried again in the next propagation." Source: SceCli Event: ID 101 We tracked this down to a GPO which was populating the local Administrators group. Obviously a Domain Controller has no local users or groups so this was causing the issue. Ensuring that the GPO did not apply to the Domain Controllers - yes the GPO was linked at the root! fixed the issue. It is strange that we did not see the warnings on our main Domain Controllers only on the Read Only DC's as this would have affected all DCs the same (I would have thought)
Read more