Scripted Creation of XenApp and XenDesktop Admin Scopes and Roles

Datetime:2016-08-23 04:09:28          Topic:          Share

Often times it is necessary to set up multiple identical sites. One key tenant in enabling efficient IT delivery today is having automation. As administrators, you must find the balance between the need to automate and the deadline for delivery. To that end, rather than focusing on an end-to-end automated site install (where others have done an excellent job at that!) I wanted to focus on an often overlooked but valuable feature of XenApp and XenDesktop 7.x – Roles and Scopes.

By default, XenApp and XenDesktop 7.x come with a number of pre-defined roles that are fairly functional – Read Only, Help Desk Administrator, Full Administrator, Host Administrator, and Machine Catalog Administrator. Most Citrix Admins I know generally receive Full Administrator and provide Help Desk Administrator to their users. However, there is one default in that role that can be problematic in the wrong hands: Reset profile. To that end, I like to create a slightly more “restricted” Help Desk role that removes this singular permission. Additionally, in Director, the Help Desk Administrator cannot see Trends, Dashboard, or Filters. For that, we will create an “Operator” role.

First, a function to create the roles.

function CreateXAXDRoles {
 
<#
 
.SYNOPSIS
 
CreateRolesfromCSV
 
.DESCRIPTION
 
CreateXenDesktoprolesbasedon a mappingfromCSVValues. TheCSVHeadershouldcontainRoleName,Permissions,description
 
Permissionsshouldbecolon (:) separated
 
.EXAMPLE
 
CreateXDAdministrators -csvData (import-csv C:\temp\roles.csv)
 
.PARAMETERcsvData
 
CSVDatafromImport-CSV
 
CSVFormat
 
COMPANYHelpDeskAdministrator,AppDNA_Read:DesktopGroup_ChangeMachineMaintenanceMode:DesktopGroup_PowerOperations_VDI:DesktopGroup_SessionManagement:Applications_Read:DesktopGroup_Read:Director_KillApplication:Director_KillProcess:Director_ShadowSession:Director_HelpDesk_Read:Director_ClientHelpDesk_Read:Director_ClientDetails_Read:Director_MachineDetails_Read:Director_UserDetails_Read:EdgeServer_Read:Zone_Read,"Can view Delivery Groups, and manage the sessions and machines associated with those groups. (copy of Help Desk Administrator, without Reset Profile or Reset VDisk)"
 
COMPANYOperator,AppDNA_Read:DesktopGroup_ChangeMachineMaintenanceMode:DesktopGroup_PowerOperations_VDI:DesktopGroup_SessionManagement:Applications_Read:DesktopGroup_Read:Director_KillApplication:Director_KillProcess:Director_ShadowSession:Director_ResetVDisk:UPM_Reset_Profiles:Director_HelpDesk_Read:Director_ClientHelpDesk_Read:Director_ClientDetails_Read:Director_Dashboard_Read:Director_SliceAndDice_Read:Director_MachineDetails_Read:Director_Trends_Read:Director_UserDetails_Read:EdgeServer_Read:Zone_Read,"Can view Delivery Groups, and manage the sessions and machines associated with those groups. (copy of Help Desk Administrator with Trends, Filters, and Dashboard enabled)"
 
.LINK
 
http://www.atumvirt.com
 
#>
 
[CmdletBinding(SupportsShouldProcess=$True,ConfirmImpact='Low')]
 
param
 
(
 
[Parameter(Mandatory=$True,
 
ValueFromPipeline=$True,
 
ValueFromPipelineByPropertyName=$True,
 
HelpMessage='Supply the csvData object')]
 
$csvData
 
)
 
begin {
 
}
 
process {
 
write-verbose "Beginning process loop"
 
foreach ($rowin $csvData)
 
{
 
Write-Verbose "Processing $($row.ADGroupName)"
 
$logId=[GUID]::NewGUID()
 
Get-LogSite -AdminAddress $controllerAddress
 
Start-LogHighLevelOperation -AdminAddress $controllerAddress -Source "Studio" -StartTime (get-date) -Text "Create role `'$($row.RoleName)`'"
 
try {
 
New-AdminRole -AdminAddress $controllerAddress -Description $($row.RoleDescription) -LoggingId $logId -Name $($row.RoleName)
 
$permissions=$row.permissions.split(":")
 
Add-AdminPermission -AdminAddress $controllerAddress -LoggingId $logId -Permission $permissions -Role $($row.RoleName)
 
$tryResult=$true
 
}
 
catch {
 
$tryResult=$false
 
}
 
Stop-LogHighLevelOperation -AdminAddress $controllerAddress -EndTime (get-date) -HighLevelOperationId $logId -IsSuccessful $tryResult
 
# Script completed successfully
 
}
 
}
 
}

Next, a function to create the Administrators themselves.

function CreateXAXDAdministrators {
 
<#
 
.SYNOPSIS
 
CreateAdministratorsfromCSV
 
.DESCRIPTION
 
CreateXenDesktopadministratorsbasedon a mappingfromCSVValues. TheCSVHeadershouldcontainADGroupName,RoleName,Scope.
 
.EXAMPLE
 
CreateXDAdministrators -csvData (import-csv C:\temp\roleScopeMatrix.csv)
 
.PARAMETERcsvData
 
CSVDatafromImport-CSV
 
CSVFormat
 
contoso\CitrixLevel1,ReadOnly,All
 
contoso\CitrixLevel2,COMPANYHelpDeskAdministrator,All
 
contoso\CitrixLevel3,COMPANYOperator,All
 
contoso\CitrixLevel4,FullAdministrator,All
 
contoso\CitrixSeattle1,ReadOnly,Seattle
 
contoso\CitrixSeattle2,COMPANYHelpDeskAdministrator,Seattle
 
contoso\CitrixSeattle3,COMPANYOperator,Seattle
 
.LINK
 
http://www.atumvirt.com
 
#>
 
[CmdletBinding(SupportsShouldProcess=$True,ConfirmImpact='Low')]
 
param
 
(
 
[Parameter(Mandatory=$True,
 
ValueFromPipeline=$True,
 
ValueFromPipelineByPropertyName=$True,
 
HelpMessage='Supply the csvData object')]
 
$csvData
 
)
 
begin {
 
}
 
process {
 
write-verbose "Beginning process loop"
 
foreach ($rowin $csvData)
 
{
 
Write-Verbose "Processing $($row.ADGroupName)"
 
$logId=[GUID]::NewGUID()
 
Get-LogSite -AdminAddress $controllerAddress
 
Start-LogHighLevelOperation -AdminAddress $controllerAddress -Source "Studio" -StartTime (get-date) -Text "Create Administrator `'$($row.ADGroupName)`'"
 
try {
 
New-AdminAdministrator -AdminAddress $controllerAddress -Enabled $True -LoggingId $logId -Name "$($row.ADGroupName)"
 
Add-AdminRight -AdminAddress $controllerAddress -Administrator "$($row.ADGroupName)" -LoggingId $logId -Role "$($row.Role)" -Scope $($row.Scope)
 
$tryResult=$true
 
}
 
catch {
 
$tryResult=$false
 
}
 
Stop-LogHighLevelOperation -AdminAddress $controllerAddress -EndTime (get-date) -HighLevelOperationId $logId -IsSuccessful $tryResult
 
# Script completed successfully
 
}
 
}
 
}

Finally, we create the scopes

function CreateXAXDScopes {
 
<#
 
.SYNOPSIS
 
CreateScopesfromCSV
 
.DESCRIPTION
 
CreateXenApp/XenDesktopscopesbasedon a mappingfromCSVValues. TheCSVHeadershouldcontainScopeName,MachineCatalog,DeliveryGroup,HypConnection
 
.EXAMPLE
 
CreateXDAdministrators -csvData (import-csv C:\temp\ScopeMatrix.csv)
 
.PARAMETERcsvData
 
CSVDatafromImport-CSV
 
CSVFormat
 
SeattleScope,MC_Seattle,DG_Seattle,Seattle_vCenter
 
PortlandScope,MC_Portland,DG_Portland,Portland_vCenter
 
.LINK
 
http://www.atumvirt.com
 
#>
 
[CmdletBinding(SupportsShouldProcess=$True,ConfirmImpact='Low')]
 
param
 
(
 
[Parameter(Mandatory=$True,
 
ValueFromPipeline=$True,
 
ValueFromPipelineByPropertyName=$True,
 
HelpMessage='Supply the csvData object')]
 
$csvData
 
)
 
begin {
 
}
 
process {
 
write-verbose "Beginning process loop"
 
foreach ($rowin $csvData)
 
{
 
$logid=[GUID]::NewGUID()
 
Get-LogSite -AdminAddress $controllerAddress
 
Start-LogHighLevelOperation -AdminAddress $controllerAddress -Source "Studio" -StartTime (get-date) -Text "Add Administrator Scope `'$($row.scopeName)`'"
 
try{
 
New-AdminScope -AdminAddress $controllerAddress -LoggingId $logid -Name $($row.scopeName)
 
#Add delivery group to Scope
 
if(!([string]::IsNullOrWhiteSpace($($row.deliveryGroup)))){
 
Write-Verbose "DeliveryGroupName is not null, empty, or whitespace"
 
Add-BrokerScope -AdminAddress $controllerAddress -DesktopGroup $($row.deliveryGroup) -InputObject @($($row.scopeName)) -LoggingId $logid
 
}
 
$createdScope=Get-AdminScope -AdminAddress $controllerAddress -name $($row.scopeName)
 
#Add HypConnection to scope
 
if(!([string]::IsNullOrWhiteSpace($($row.HypConnection)))){
 
Write-Verbose "ScopeName is not null, empty, or whitespace"
 
$hypconUID=$($(Get-BrokerHypervisorConnection $row.HypConnection).HypHypervisorConnectionUid)
 
Add-HypHypervisorConnectionScope -AdminAddress $controllerAddress -HypervisorConnectionUid $hypconUID -Scope $($createdScope).id
 
}
 
#Add machine catalog to Scope
 
if(!([string]::IsNullOrWhiteSpace($($row.MachineCatalog)))){
 
Write-Verbose "MachineCatalog is not null, empty, or whitespace"
 
Get-BrokerCatalog -AdminAddress $controllerAddress -Name $($row.MachineCatalog)
 
Add-BrokerScope -AdminAddress $controllerAddress -Catalog $($row.MachineCatalog) -InputObject @($row.MachineCatalog) -LoggingId $logid
 
}
 
$tryResult=$true
 
}
 
catch { $tryResult=$false}
 
Stop-LogHighLevelOperation -AdminAddress $controllerAddress -EndTime (get-date) -HighLevelOperationId $logid -IsSuccessful $tryResult
 
}
 
}
 
}

To use these functions, we require CSV data. The CSVs require all fields specified in the function comments. In order to obtain the permission names, I suggest you manually create the role with the desired permissions, then click the “Citrix Studio” node, find the Powershell tab, then copy the permissions from that tab. It will save a significant amount of time.

Finally, we need to call these functions. Here we will populate the path to our CSV sheets.

#Now that we’ve defined the functions, specify our data and actually call them

$controllerAddress=”XDController.contoso.local:80″

$roleCsv=import-csv “C:\temp\roleList.csv”

$scopeList=import-csv “C:\temp\scopeList.csv”

$roleScopeMatrix=import-csv “C:\temp\roleScopeMatrix.csv”

CreateXAXDRoles $roleCsv

CreateXAXDScopes $scopeList

CreateXAXDAdministrators $roleScopeMatrix

Repeat this on each additional XenApp and XenDesktop site you need to, or combine with other methods. You can create delegated administration in mere moments!