Often times it is necessary to set up multiple identical sites. One key tenant in enabling efficient IT delivery today is having automation. As administrators, you must find the balance between the need to automate and the deadline for delivery. To that end, rather than focusing on an end-to-end automated site install (where others have done an excellent job at that!) I wanted to focus on an often overlooked but valuable feature of XenApp and XenDesktop 7.x – Roles and Scopes.
By default, XenApp and XenDesktop 7.x come with a number of pre-defined roles that are fairly functional – Read Only, Help Desk Administrator, Full Administrator, Host Administrator, and Machine Catalog Administrator. Most Citrix Admins I know generally receive Full Administrator and provide Help Desk Administrator to their users. However, there is one default in that role that can be problematic in the wrong hands: Reset profile. To that end, I like to create a slightly more “restricted” Help Desk role that removes this singular permission. Additionally, in Director, the Help Desk Administrator cannot see Trends, Dashboard, or Filters. For that, we will create an “Operator” role.
First, a function to create the roles.
function CreateXAXDRoles {
<
.SYNOPSIS
Create Roles from CSV
.DESCRIPTION
Create XenDesktop roles based on a mapping from CSV Values. The CSV Header should contain RoleName,Permissions,description
Permissions should be colon (:) separated
.EXAMPLE
CreateXDAdministrators -csvData (import-csv C:\temp\roles.csv)
.PARAMETER csvData
CSV Data from Import-CSV
CSV Format
COMPANY HelpDesk Administrator,AppDNA_Read:DesktopGroup_ChangeMachineMaintenanceMode:DesktopGroup_PowerOperations_VDI:DesktopGroup_SessionManagement:Applications_Read:DesktopGroup_Read:Director_KillApplication:Director_KillProcess:Director_ShadowSession:Director_HelpDesk_Read:Director_ClientHelpDesk_Read:Director_ClientDetails_Read:Director_MachineDetails_Read:Director_UserDetails_Read:EdgeServer_Read:Zone_Read,"Can view Delivery Groups, and manage the sessions and machines associated with those groups. (copy of Help Desk Administrator, without Reset Profile or Reset VDisk)"
COMPANY Operator,AppDNA_Read:DesktopGroup_ChangeMachineMaintenanceMode:DesktopGroup_PowerOperations_VDI:DesktopGroup_SessionManagement:Applications_Read:DesktopGroup_Read:Director_KillApplication:Director_KillProcess:Director_ShadowSession:Director_ResetVDisk:UPM_Reset_Profiles:Director_HelpDesk_Read:Director_ClientHelpDesk_Read:Director_ClientDetails_Read:Director_Dashboard_Read:Director_SliceAndDice_Read:Director_MachineDetails_Read:Director_Trends_Read:Director_UserDetails_Read:EdgeServer_Read:Zone_Read,"Can view Delivery Groups, and manage the sessions and machines associated with those groups. (copy of Help Desk Administrator with Trends, Filters, and Dashboard enabled)"
.LINK
http://www.atumvirt.com
>
[CmdletBinding(SupportsShouldProcess=$True,ConfirmImpact='Low')]
param
(
[Parameter(Mandatory=$True,
ValueFromPipeline=$True,
ValueFromPipelineByPropertyName=$True,
HelpMessage='Supply the csvData object')]
$csvData
)
begin {
}
process {
write-verbose "Beginning process loop"
foreach ($row in $csvData)
{
Write-Verbose "Processing $($row.ADGroupName)"
$logId=[GUID]::NewGUID()
Get-LogSite -AdminAddress $controllerAddress
Start-LogHighLevelOperation -AdminAddress $controllerAddress -Source "Studio" -StartTime (get-date) -Text "Create role `'$($row.RoleName)`'"
try {
New-AdminRole -AdminAddress $controllerAddress -Description $($row.RoleDescription) -LoggingId $logId -Name $($row.RoleName)
$permissions=$row.permissions.split(":")
Add-AdminPermission -AdminAddress $controllerAddress -LoggingId $logId -Permission $permissions -Role $($row.RoleName)
$tryResult=$true
}
catch {
$tryResult=$false
}
Stop-LogHighLevelOperation -AdminAddress $controllerAddress -EndTime (get-date) -HighLevelOperationId $logId -IsSuccessful $tryResult
# Script completed successfully
}
}
}
Next, a function to create the Administrators themselves.
function CreateXAXDAdministrators {
<
.SYNOPSIS
Create Administrators from CSV
.DESCRIPTION
Create XenDesktop administrators based on a mapping from CSV Values. The CSV Header should contain ADGroupName,RoleName,Scope.
.EXAMPLE
CreateXDAdministrators -csvData (import-csv C:\temp\roleScopeMatrix.csv)
.PARAMETER csvData
CSV Data from Import-CSV
CSV Format
contoso\CitrixLevel1,Read Only,All
contoso\CitrixLevel2,COMPANY Help Desk Administrator,All
contoso\CitrixLevel3,COMPANY Operator,All
contoso\CitrixLevel4,Full Administrator,All
contoso\CitrixSeattle1,Read Only,Seattle
contoso\CitrixSeattle2,COMPANY Help Desk Administrator,Seattle
contoso\CitrixSeattle3,COMPANY Operator,Seattle
.LINK
http://www.atumvirt.com
>
[CmdletBinding(SupportsShouldProcess=$True,ConfirmImpact='Low')]
param
(
[Parameter(Mandatory=$True,
ValueFromPipeline=$True,
ValueFromPipelineByPropertyName=$True,
HelpMessage='Supply the csvData object')]
$csvData
)
begin {
}
process {
write-verbose "Beginning process loop"
foreach ($row in $csvData)
{
Write-Verbose "Processing $($row.ADGroupName)"
$logId=[GUID]::NewGUID()
Get-LogSite -AdminAddress $controllerAddress
Start-LogHighLevelOperation -AdminAddress $controllerAddress -Source "Studio" -StartTime (get-date) -Text "Create Administrator `'$($row.ADGroupName)`'"
try {
New-AdminAdministrator -AdminAddress $controllerAddress -Enabled $True -LoggingId $logId -Name "$($row.ADGroupName)"
Add-AdminRight -AdminAddress $controllerAddress -Administrator "$($row.ADGroupName)" -LoggingId $logId -Role "$($row.Role)" -Scope $($row.Scope)
$tryResult=$true
}
catch {
$tryResult=$false
}
Stop-LogHighLevelOperation -AdminAddress $controllerAddress -EndTime (get-date) -HighLevelOperationId $logId -IsSuccessful $tryResult
# Script completed successfully
}
}
}
Finally, we create the scopes
function CreateXAXDScopes {
<
.SYNOPSIS
Create Scopes from CSV
.DESCRIPTION
Create XenApp/XenDesktop scopes based on a mapping from CSV Values. The CSV Header should contain ScopeName,MachineCatalog,DeliveryGroup,HypConnection
.EXAMPLE
CreateXDAdministrators -csvData (import-csv C:\temp\ScopeMatrix.csv)
.PARAMETER csvData
CSV Data from Import-CSV
CSV Format
SeattleScope,MC_Seattle,DG_Seattle,Seattle_vCenter
PortlandScope,MC_Portland,DG_Portland,Portland_vCenter
.LINK
http://www.atumvirt.com
>
[CmdletBinding(SupportsShouldProcess=$True,ConfirmImpact='Low')]
param
(
[Parameter(Mandatory=$True,
ValueFromPipeline=$True,
ValueFromPipelineByPropertyName=$True,
HelpMessage='Supply the csvData object')]
$csvData
)
begin {
}
process {
write-verbose "Beginning process loop"
foreach ($row in $csvData)
{
$logid=[GUID]::NewGUID()
Get-LogSite -AdminAddress $controllerAddress
Start-LogHighLevelOperation -AdminAddress $controllerAddress -Source "Studio" -StartTime (get-date) -Text "Add Administrator Scope `'$($row.scopeName)`'"
try{
New-AdminScope -AdminAddress $controllerAddress -LoggingId $logid -Name $($row.scopeName)
#Add delivery group to Scope
if(!([string]::IsNullOrWhiteSpace($($row.deliveryGroup)))){
Write-Verbose "DeliveryGroupName is not null, empty, or whitespace"
Add-BrokerScope -AdminAddress $controllerAddress -DesktopGroup $($row.deliveryGroup) -InputObject @($($row.scopeName)) -LoggingId $logid
}
$createdScope=Get-AdminScope -AdminAddress $controllerAddress -name $($row.scopeName)
#Add HypConnection to scope
if(!([string]::IsNullOrWhiteSpace($($row.HypConnection)))){
Write-Verbose "ScopeName is not null, empty, or whitespace"
$hypconUID=$($(Get-BrokerHypervisorConnection $row.HypConnection).HypHypervisorConnectionUid)
Add-HypHypervisorConnectionScope -AdminAddress $controllerAddress -HypervisorConnectionUid $hypconUID -Scope $($createdScope).id
}
#Add machine catalog to Scope
if(!([string]::IsNullOrWhiteSpace($($row.MachineCatalog)))){
Write-Verbose "MachineCatalog is not null, empty, or whitespace"
Get-BrokerCatalog -AdminAddress $controllerAddress -Name $($row.MachineCatalog)
Add-BrokerScope -AdminAddress $controllerAddress -Catalog $($row.MachineCatalog) -InputObject @($row.MachineCatalog) -LoggingId $logid
}
$tryResult=$true
}
catch { $tryResult=$false}
Stop-LogHighLevelOperation -AdminAddress $controllerAddress -EndTime (get-date) -HighLevelOperationId $logid -IsSuccessful $tryResult
}
}
}
To use these functions, we require CSV data. The CSVs require all fields specified in the function comments. In order to obtain the permission names, I suggest you manually create the role with the desired permissions, then click the “Citrix Studio” node, find the Powershell tab, then copy the permissions from that tab. It will save a significant amount of time.
Finally, we need to call these functions. Here we will populate the path to our CSV sheets.
#Now that we've defined the functions, specify our data and actually call them $controllerAddress="XDController.contoso.local:80" $roleCsv=import-csv "C:\temp\roleList.csv" $scopeList=import-csv "C:\temp\scopeList.csv" $roleScopeMatrix=import-csv "C:\temp\roleScopeMatrix.csv" CreateXAXDRoles $roleCsv CreateXAXDScopes $scopeList CreateXAXDAdministrators $roleScopeMatrix
Repeat this on each additional XenApp and XenDesktop site you need to, or combine with other methods. You can create delegated administration in mere moments!