Scripted Creation of XenApp and XenDesktop Admin Scopes and Roles


Often times it is necessary to set up multiple identical sites. One key tenant in enabling efficient IT delivery today is having automation. As administrators, you must find the balance between the need to automate and the deadline for delivery. To that end, rather than focusing on an end-to-end automated site install (where others have done an excellent job at that!) I wanted to focus on an often overlooked but valuable feature of XenApp and XenDesktop 7.x – Roles and Scopes.

By default, XenApp and XenDesktop 7.x come with a number of pre-defined roles that are fairly functional – Read Only, Help Desk Administrator, Full Administrator, Host Administrator, and Machine Catalog Administrator. Most Citrix Admins I know generally receive Full Administrator and provide Help Desk Administrator to their users. However, there is one default in that role that can be problematic in the wrong hands: Reset profile. To that end, I like to create a slightly more “restricted” Help Desk role that removes this singular permission. Additionally, in Director, the Help Desk Administrator cannot see Trends, Dashboard, or Filters. For that, we will create an “Operator” role.

First, a function to create the roles.

function CreateXAXDRoles {

<

.SYNOPSIS

Create Roles from CSV

.DESCRIPTION

Create XenDesktop roles based on a mapping from CSV Values. The CSV Header should contain RoleName,Permissions,description

Permissions should be colon (:) separated

.EXAMPLE

CreateXDAdministrators -csvData (import-csv C:\temp\roles.csv)

.PARAMETER csvData

CSV Data from Import-CSV

CSV Format

COMPANY HelpDesk Administrator,AppDNA_Read:DesktopGroup_ChangeMachineMaintenanceMode:DesktopGroup_PowerOperations_VDI:DesktopGroup_SessionManagement:Applications_Read:DesktopGroup_Read:Director_KillApplication:Director_KillProcess:Director_ShadowSession:Director_HelpDesk_Read:Director_ClientHelpDesk_Read:Director_ClientDetails_Read:Director_MachineDetails_Read:Director_UserDetails_Read:EdgeServer_Read:Zone_Read,"Can view Delivery Groups, and manage the sessions and machines associated with those groups. (copy of Help Desk Administrator, without Reset Profile or Reset VDisk)"

COMPANY Operator,AppDNA_Read:DesktopGroup_ChangeMachineMaintenanceMode:DesktopGroup_PowerOperations_VDI:DesktopGroup_SessionManagement:Applications_Read:DesktopGroup_Read:Director_KillApplication:Director_KillProcess:Director_ShadowSession:Director_ResetVDisk:UPM_Reset_Profiles:Director_HelpDesk_Read:Director_ClientHelpDesk_Read:Director_ClientDetails_Read:Director_Dashboard_Read:Director_SliceAndDice_Read:Director_MachineDetails_Read:Director_Trends_Read:Director_UserDetails_Read:EdgeServer_Read:Zone_Read,"Can view Delivery Groups, and manage the sessions and machines associated with those groups. (copy of Help Desk Administrator with Trends, Filters, and Dashboard enabled)"

.LINK

http://www.atumvirt.com

>

[CmdletBinding(SupportsShouldProcess=$True,ConfirmImpact='Low')]

param

(

[Parameter(Mandatory=$True,

ValueFromPipeline=$True,

ValueFromPipelineByPropertyName=$True,

HelpMessage='Supply the csvData object')]

$csvData

)

begin {

}

process {

write-verbose "Beginning process loop"

foreach ($row in $csvData)

{

Write-Verbose "Processing $($row.ADGroupName)"

$logId=[GUID]::NewGUID()

Get-LogSite -AdminAddress $controllerAddress

Start-LogHighLevelOperation -AdminAddress $controllerAddress -Source "Studio" -StartTime (get-date) -Text "Create role `'$($row.RoleName)`'"

try {

New-AdminRole -AdminAddress $controllerAddress -Description $($row.RoleDescription) -LoggingId $logId -Name $($row.RoleName)

$permissions=$row.permissions.split(":")

Add-AdminPermission -AdminAddress $controllerAddress -LoggingId $logId -Permission $permissions -Role $($row.RoleName)

$tryResult=$true

}

catch {

$tryResult=$false

}

Stop-LogHighLevelOperation -AdminAddress $controllerAddress -EndTime (get-date) -HighLevelOperationId $logId -IsSuccessful $tryResult

# Script completed successfully

}

}

}

Next, a function to create the Administrators themselves.

function CreateXAXDAdministrators {

<

.SYNOPSIS

Create Administrators from CSV

.DESCRIPTION

Create XenDesktop administrators based on a mapping from CSV Values. The CSV Header should contain ADGroupName,RoleName,Scope.

.EXAMPLE

CreateXDAdministrators -csvData (import-csv C:\temp\roleScopeMatrix.csv)

.PARAMETER csvData

CSV Data from Import-CSV

CSV Format

contoso\CitrixLevel1,Read Only,All

contoso\CitrixLevel2,COMPANY Help Desk Administrator,All

contoso\CitrixLevel3,COMPANY Operator,All

contoso\CitrixLevel4,Full Administrator,All

contoso\CitrixSeattle1,Read Only,Seattle

contoso\CitrixSeattle2,COMPANY Help Desk Administrator,Seattle

contoso\CitrixSeattle3,COMPANY Operator,Seattle

.LINK

http://www.atumvirt.com

>

[CmdletBinding(SupportsShouldProcess=$True,ConfirmImpact='Low')]

param

(

[Parameter(Mandatory=$True,

ValueFromPipeline=$True,

ValueFromPipelineByPropertyName=$True,

HelpMessage='Supply the csvData object')]

$csvData

)

begin {

}

process {

write-verbose "Beginning process loop"

foreach ($row in $csvData)

{

Write-Verbose "Processing $($row.ADGroupName)"

$logId=[GUID]::NewGUID()

Get-LogSite -AdminAddress $controllerAddress

Start-LogHighLevelOperation -AdminAddress $controllerAddress -Source "Studio" -StartTime (get-date) -Text "Create Administrator `'$($row.ADGroupName)`'"

try {

New-AdminAdministrator -AdminAddress $controllerAddress -Enabled $True -LoggingId $logId -Name "$($row.ADGroupName)"

Add-AdminRight -AdminAddress $controllerAddress -Administrator "$($row.ADGroupName)" -LoggingId $logId -Role "$($row.Role)" -Scope $($row.Scope)

$tryResult=$true

}

catch {

$tryResult=$false

}

Stop-LogHighLevelOperation -AdminAddress $controllerAddress -EndTime (get-date) -HighLevelOperationId $logId -IsSuccessful $tryResult

# Script completed successfully

}

}

}

Finally, we create the scopes

function CreateXAXDScopes {

<

.SYNOPSIS

Create Scopes from CSV

.DESCRIPTION

Create XenApp/XenDesktop scopes based on a mapping from CSV Values. The CSV Header should contain ScopeName,MachineCatalog,DeliveryGroup,HypConnection

.EXAMPLE

CreateXDAdministrators -csvData (import-csv C:\temp\ScopeMatrix.csv)

.PARAMETER csvData

CSV Data from Import-CSV

CSV Format

SeattleScope,MC_Seattle,DG_Seattle,Seattle_vCenter

PortlandScope,MC_Portland,DG_Portland,Portland_vCenter

.LINK

http://www.atumvirt.com

>

[CmdletBinding(SupportsShouldProcess=$True,ConfirmImpact='Low')]

param

(

[Parameter(Mandatory=$True,

ValueFromPipeline=$True,

ValueFromPipelineByPropertyName=$True,

HelpMessage='Supply the csvData object')]

$csvData

)

begin {

}

process {

write-verbose "Beginning process loop"

foreach ($row in $csvData)

{

$logid=[GUID]::NewGUID()

Get-LogSite -AdminAddress $controllerAddress

Start-LogHighLevelOperation -AdminAddress $controllerAddress -Source "Studio" -StartTime (get-date) -Text "Add Administrator Scope `'$($row.scopeName)`'"

try{

New-AdminScope -AdminAddress $controllerAddress -LoggingId $logid -Name $($row.scopeName)

#Add delivery group to Scope

if(!([string]::IsNullOrWhiteSpace($($row.deliveryGroup)))){

Write-Verbose "DeliveryGroupName is not null, empty, or whitespace"

Add-BrokerScope -AdminAddress $controllerAddress -DesktopGroup $($row.deliveryGroup) -InputObject @($($row.scopeName)) -LoggingId $logid

}

$createdScope=Get-AdminScope -AdminAddress $controllerAddress -name $($row.scopeName)

#Add HypConnection to scope

if(!([string]::IsNullOrWhiteSpace($($row.HypConnection)))){

Write-Verbose "ScopeName is not null, empty, or whitespace"

$hypconUID=$($(Get-BrokerHypervisorConnection $row.HypConnection).HypHypervisorConnectionUid)

Add-HypHypervisorConnectionScope -AdminAddress $controllerAddress -HypervisorConnectionUid $hypconUID -Scope $($createdScope).id

}

#Add machine catalog to Scope

if(!([string]::IsNullOrWhiteSpace($($row.MachineCatalog)))){

Write-Verbose "MachineCatalog is not null, empty, or whitespace"

Get-BrokerCatalog -AdminAddress $controllerAddress -Name $($row.MachineCatalog)

Add-BrokerScope -AdminAddress $controllerAddress -Catalog $($row.MachineCatalog) -InputObject @($row.MachineCatalog) -LoggingId $logid

}

$tryResult=$true

}

catch { $tryResult=$false}

Stop-LogHighLevelOperation -AdminAddress $controllerAddress -EndTime (get-date) -HighLevelOperationId $logid -IsSuccessful $tryResult

}

}

}

To use these functions, we require CSV data. The CSVs require all fields specified in the function comments. In order to obtain the permission names, I suggest you manually create the role with the desired permissions, then click the “Citrix Studio” node, find the Powershell tab, then copy the permissions from that tab. It will save a significant amount of time.

Finally, we need to call these functions. Here we will populate the path to our CSV sheets.

#Now that we've defined the functions, specify our data and actually call them

$controllerAddress="XDController.contoso.local:80"

$roleCsv=import-csv "C:\temp\roleList.csv"

$scopeList=import-csv "C:\temp\scopeList.csv"

$roleScopeMatrix=import-csv "C:\temp\roleScopeMatrix.csv"

CreateXAXDRoles $roleCsv

CreateXAXDScopes $scopeList

CreateXAXDAdministrators $roleScopeMatrix

Repeat this on each additional XenApp and XenDesktop site you need to, or combine with other methods. You can create delegated administration in mere moments!

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.