
Automate Citrix Studio Icon Reporting

When administering a Citrix environment, it's common to have a large index of icons for users to access. This makes managing the system difficult and time-consuming, especially if you have a large user base. Using PowerShell with the Citrix Virtual Apps and Desktops (CVAD) SDK is a great way to simplify management of a Citrix platform. In this blog, we will share a short script that lets you quickly see all the published applications with the Active Directory security groups and users attached to each.

It's best practice to use Active Directory security groups instead of naming individual users for each published resource within a Citrix environment. This allows a new user to be added to all the correct security groups and, like magic, they will see all the correct icons. This is great for a large environment and makes it easy to add new users. But what happens in an environment with hundreds of icons with multiple groups on each icon? It can be hard to keep track of which security group is attached to each icon. This is where PowerShell and the CVAD SDK come in. Instead of opening Citrix Studio and manually opening the visibility tab for each application, you can output a list of published applications and their respective security groups. This will help keep an inventory of the environment.

For example, imagine your environment only has three applications: Google Chrome, Paint, and Calculator. You'd need to know what users and security groups can access each published application.

There are a few viable solutions. One is to open each published application and write down the names and groups you see. Another is to ask everyone in your environment which applications they have access to. Lastly, you could save time and effort and, with the click of a button, have a list presented to you for each published application.

The image below is an example output that takes seconds to run. You can easily see the security groups and the users for each published application and what is missing. For example, the Paint published application is missing a security group.

Now, this is not a groundbreaking achievement when you have three applications, but imagine needing to retrieve this information for hundreds of applications, especially if this is a recurring task such as regular audits of the environment. There are plenty of PowerShell possibilities for saving time when paired with the CVAD SDK. A little effort up front to write the script can save you eons of time down the road.

Script Explanation

Line 1: When working with Citrix in PowerShell, you will need to run “add-pssnapin Citrix*”. This imports all the Citrix commands that you'll use when accessing your Citrix environment.

Lines 3-5: Here we create the location and file name of the output that the script produces when it completes. It's better to create a file than to print everything to the console, as the data will be easier to read and use.

Lines 7-10: We create a simple list of the icons we want to check. This is quite easy for a few icons, but cumbersome if you have a large environment with many icons. If we were to scale this up, there would be multiple ways of retrieving a list of icons without the need to type one in manually.

Line 13: This is the output that we will print to the CSV file.

Lines 15-25: Finally, the meat and potatoes of this example script. Since we are using a list of icons, we can access them one at a time, collect the users for each icon, and add them to the final output. We get the list of users for each icon using the “Get-BrokerApplication” call.

Note that this section retrieves all the groups and users attached to each icon. This can sometimes be too much information, or not specific enough. There is an easy solution: it is quite simple to edit the script to narrow down what is reported. For example, you might want to print out all the users who have a specific designator in their name. Let’s say that your environment names administrators by putting an “A_” in front of their ID (A_Wolfe, for example). It wouldn't be hard to edit the script to only report users starting with “A_”, thus letting you see what your administrators have access to.

Line 27: Finally, you take the output and print it to the CSV file we designated in lines 3-5. Now you have an output with icons and the attached users/security groups.


Add-PSSnapin Citrix*   # load the Citrix CVAD SDK cmdlets

$FolderPath = "C:\Temp\"   # output folder; it must already exist
$Filename = $env:COMPUTERNAME + "_Icon_Groups_" + (Get-Date -Format "yyyy-MM-dd_HHmm") + ".csv"
$PATH = $FolderPath + $Filename

$Icons = @(
"Google Chrome",
"Paint",
"Calculator")   # the three example applications named earlier in this post


$FinalAnswer = @()   # collects one row per published application

foreach($icon in $Icons){
    $ArrayOfNamesAndSecGroup = Get-BrokerApplication -Name $icon -MaxRecordCount 100000 | Select-Object Name, AssociatedUserNames
    $ArrayOfSecGroups = @()
    foreach($name in $ArrayOfNamesAndSecGroup.AssociatedUserNames){
        $ArrayOfSecGroups += " $name;"   # one entry per user or security group
    }

    $ArrayOfNamesAndSecGroup.AssociatedUserNames = "$ArrayOfSecGroups"   # flatten the list into a single CSV cell
    $FinalAnswer += $ArrayOfNamesAndSecGroup

}

$FinalAnswer | Select-Object -Property Name, AssociatedUserNames | Export-Csv -NoTypeInformation -Path $PATH
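
The “A_” filter described in the note above, and a way to cover every published application without typing the icon list by hand, as an added example that is not part of the original script. The function name Get-AppAccessByPrefix, the CONTOSO domain, the sample accounts and the output file name are assumptions made for illustration.

```powershell
# Added example: report only accounts whose name starts with a given prefix.
# Get-AppAccessByPrefix is a hypothetical helper, not a Citrix cmdlet.
function Get-AppAccessByPrefix {
    [CmdletBinding()]
    param(
        # Any object with Name and AssociatedUserNames (e.g. Get-BrokerApplication output)
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Application,

        # Literal prefix of the account name, compared after any DOMAIN\ part
        [string]$Prefix = 'A_'
    )
    process {
        foreach ($entry in @($Application.AssociatedUserNames)) {
            if (-not $entry) { continue }   # application with nothing assigned
            # 'CONTOSO\A_Wolfe' -> 'A_Wolfe'; entries without a domain are unchanged
            $account = ($entry -split '\\')[-1]
            # StartsWith is a literal match, so wildcard characters in the prefix are not expanded
            if ($account.StartsWith($Prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
                # One row per application/account pair keeps the CSV easy to sort and diff
                [pscustomobject]@{
                    Application = $Application.Name
                    Account     = $entry
                }
            }
        }
    }
}

# Constructed sample data standing in for Get-BrokerApplication output
$sample = @(
    [pscustomobject]@{ Name = 'Google Chrome'; AssociatedUserNames = @('CONTOSO\SG_Chrome_Users', 'CONTOSO\A_Wolfe') }
    [pscustomobject]@{ Name = 'Paint';         AssociatedUserNames = @('CONTOSO\jsmith') }
    [pscustomobject]@{ Name = 'Calculator';    AssociatedUserNames = @('CONTOSO\SG_Calc_Users', 'CONTOSO\a_Reyes') }
)

$sample | Get-AppAccessByPrefix -Prefix 'A_' | Format-Table -AutoSize

# Against a live site, after Add-PSSnapin Citrix*, every application is covered with no icon list:
# Get-BrokerApplication -MaxRecordCount 100000 | Get-AppAccessByPrefix |
#     Export-Csv -NoTypeInformation -Path C:\Temp\Admin_Icon_Access.csv
```

With the sample data this returns two rows, Google Chrome with CONTOSO\A_Wolfe and Calculator with CONTOSO\a_Reyes; Paint produces no row because none of its entries carry the prefix.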

Still have questions or want to discuss your Citrix environment? Reach out to us at CDA. We’d love to discuss how we can help you with your automation needs!
