Did you ever want to fully automate your XenApp 6.5 farm? Did you manage an automated unattended installation or image, but you are struggling to automate farm configurations? Would you like to learn how to create and configure administrators for XenApp 6.5 with PowerShell? In this case, this article is just for you.
Automating Citrix consists of various components. You need to configure:
- Citrix administrators (explained in this article)
- Citrix worker groups
- Citrix user and computer policies
- Citrix load evaluators
| Note: see the article PowerShell Fundamentals if you are new to PowerShell or if you just want to refresh your memory. Especially important is the part about loading snap-ins and modules. Remember, the appropriate extensions need to be loaded before Citrix commands can be executed! |
Creating and configuring Citrix administrators using PowerShell
Citrix distinguishes three types of administrators:
- Full administrators;
- View only administrators;
- Custom administrators.
“Full” and “view only” administrators are the easiest to create because their security permissions are predefined and do not need further customizing. Use the following command lines to create a “full” and/or “view-only” administrator:
|
1 |
New-XAAdministrator "YourDomain\Citrix Admins" -AdministratorType Full |
|
1 |
New-XAAdministrator "YourDomain\Citrix Support" -AdministratorType ViewOnly |
Note: make sure that the necessary Active Directory security groups exist before creating Citrix administrators.
Creating a custom administrator is more complex than a “full” or “view-only” administrator since you have to specify each security permission. To add to the complexity; some settings can be configured when creating the custom administrator; other settings have to be configured afterward.
Example:
You want to create a custom Citrix administrator for one of the support departments. This custom administrator should be able to view most, but not all, items in the Citrix console. Additionally, the administrator has to be able to see all user sessions and perform basic tasks such as view sessions and log off users.
The first step is to create a new administrator and provide this administrator with the necessary farm permissions:
|
1 |
New-XAAdministrator "YourDomain\Citrix Support" -AdministratorType Custom -FarmPrivileges ViewFarm, ViewAdmins, LogOnConsole |
A second command line is necessary since the previous one does not add custom permissions to the “Servers” folder:
|
1 |
Add-XAAdministratorPrivilege "YourDomain\Citrix Support" -FolderPath Servers -FolderPrivileges ViewServers, ViewSessions, ConnectSessions, DisconnectSessions, LogOffSessions, ResetSessions, SendMessages, TerminateProcess |
To find out the exact names of each security permission you can check the Citrix PowerShell SDK or use the “Get-Help” function in PowerShell:
|
1 |
Get-Help New-XAAdministrator -full or Get-Help Add-XAAdministratorPrivilege -full |
Or, to make life even easier, you can simply check the two lists below which I have prepared for you.
FarmPrivileges:
- ViewFarm
- EditZone
- EditConfigurationLog
- EditFarmOther
- ViewAdmins
- LogOnConsole
- LogOnWIConsole
- ViewLoadEvaluators
- AssignLoadEvaluators
- EditLoadEvaluators
- ViewLoadBalancingPolicies
- EditLoadBalancingPolicies
- ViewPrinterDrivers
- ReplicatePrinterDrivers
FolderPrivileges:
- ViewApplications
- EditApplications
- TerminateProcessApplication
- AssignApplicationsToServers
- ViewServers
- EditOtherServerSettings
- RemoveServer
- TerminateProcess
- ViewSessions
- ConnectSessions
- DisconnectSessions
- LogOffSessions
- ResetSessions
- SendMessages
- ViewWorkerGroups
- AssignApplicationsToWorkerGroups
A professional (PowerShell) script needs more than a single line of code of course. In a professional script, you need to:
- Add comments (e.g. script name, author, date, and purpose of the script);
- Load the Citrix cmdlets;
- Check if the administrator(s) exist;
- Create the administrator(s) when needed;
- Log actions and results.
Below is an example of such as script.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 |
#========================================================================== # CREATE AND CONFIGURE CITRIX ADMINISTRATORS # # AUTHOR: Dennis Span (https://dennisspan.com) # DATE : 20.11.2013 # Scripting language: PowerShell (v.2.0) # # COMMENT: This script creates and configures the three types of # Citrix administrators; Full, ViewOnly and Custom #========================================================================== # Logging: # "-" = comment # "I" = information # "S" = success (action successful) # "E" = error (action unsuccessful) # Set the error action preference to "stop" to ensure that the try and catch statements work for non-terminal errors $ErrorActionPreference = "Stop" # ================================================= # Configure variables $Domain = $env:UserDomain # Define the environment variable UserDomain # ================================================= # ================================================= # Load all Citrix cmdlets # ================================================= Add-PSSnapin citrix* # ================================================= # Task 1 of 3: Create a full administrator # ================================================= $Administrator = "$Domain\FullAdmins" Write-Host ("I - Create the full administrator $($Administrator.ToUpper()) (if not exists)") try { # Check if the administrator exists Get-XAAdministrator $Administrator | Out-Null Write-Host ("I - The administrator already exists") } catch { Write-Host ("I - The administrator does not exist") Write-Host ("I - Creating the administrator...") try { # Create the administrator New-XAAdministrator $Administrator -AdministratorType Full | Out-Null Write-Host ("S - The administrator $($Administrator.ToUpper()) has been created successfully") } catch { Write-Host ("E - Creating the administrator $($Administrator.ToUpper()) ended in an error") } } Write-Host ("") # ================================================= # Task 2 of 3: Create a view-only administrator # ================================================= $Administrator = "$Domain\ViewOnlyAdmins" Write-Host ("I - Create the view-only administrator $($Administrator.ToUpper()) (if not exists)") try { # Check if the administrator exists Get-XAAdministrator $Administrator | Out-Null Write-Host ("I - The administrator already exists") } catch { Write-Host ("I - The administrator does not exist") Write-Host ("I - Creating the administrator...") try { # Create the administrator New-XAAdministrator $Administrator -AdministratorType ViewOnly | Out-Null Write-Host ("S - The administrator $($Administrator.ToUpper()) has been created successfully") } catch { Write-Host ("E - Creating the administrator $($Administrator.ToUpper()) ended in an error") } } Write-Host ("") # ================================================= # Task 3 of 3: Create a custom administrator # ================================================= $Administrator = "$Domain\CustomAdmins" Write-Host ("I - Create the custom administrator $($Administrator.ToUpper()) (if not exists)") try { # Check if the administrator exists Get-XAAdministrator $Administrator | Out-Null Write-Host ("I - The administrator already exists") } catch { Write-Host ("I - The administrator does not exist") Write-Host ("I - Creating the administrator...") try { # Create the administrator New-XAAdministrator $Administrator -AdministratorType Custom -FarmPrivileges ViewFarm, ViewAdmins, LogOnConsole | Out-Null Write-Host ("S - The administrator $($Administrator.ToUpper()) has been created successfully") Write-Host ("S - Grant additional privileges to the administrator $($Administrator.ToUpper())") try { # Add additional privileges to the administrator Add-XAAdministratorPrivilege $Administrator -FolderPath Servers -FolderPrivileges ViewServers, ViewSessions, ConnectSessions, DisconnectSessions, LogOffSessions, ResetSessions, SendMessages, TerminateProcess | Out-Null Write-Host ("S - Additional privileges were added successfully to the administrator $($Administrator.ToUpper())") } catch { Write-Host ("E - Adding additional privilees to the administrator $($Administrator.ToUpper()) ended in an error") } } catch { Write-Host ("E - Creating the administrator $($Administrator.ToUpper()) ended in an error") } } |
Related articles:
- Automating XenApp 6.5 Part 2 of 4 – Citrix Worker Groups
- Automating XenApp 6.5 Part 3 of 4 – Citrix Policies
- Automating XenApp 6.5 Part 4 of 4 – Citrix Load Evaluators
- PowerShell “one-liners” for Citrix XenApp 6.x
Dennis Span works as a Lead Account Technology Strategist at Cloud Software Group in Vienna, Austria. He holds multiple Citrix certifications (CCE-V). Dennis has been a Citrix Technology Advocate (CTA) since 2017 (+ one year as Citrix Technology Professional, CTP). Besides his interest in virtualization technologies and blogging, he loves spending time with his family as well as snowboarding, playing basketball and rowing. He is fluent in Dutch, English, German and Slovak and speaks some Spanish.
Pingback: Automating XenApp 6.5 Part 4 of 4 - Citrix Load Evaluators - Dennisspan.com
Pingback: Automating XenApp 6.5 Part 2 of 4 - Citrix Worker Groups - Dennisspan.com