Citrix Daas SDK

Repair-AcctADAccount

Resets the Active Directory (AD) password for the given accounts.

Syntax

Repair-AcctADAccount
      [-Password <String>]
      [-SecurePassword <SecureString>]
      [-ADUserName <String>]
      [-ADPassword <SecureString>]
      [-Force]
      [-ResetOnly]
      [-UseServiceAccount]
      [-LoggingId <Guid>]
      [<CitrixCommonParameters>]
      [<CommonParameters>]
<!--NeedCopy-->
Repair-AcctADAccount
      -ADAccountName <String[]>
      [-Password <String>]
      [-SecurePassword <SecureString>]
      [-ADUserName <String>]
      [-ADPassword <SecureString>]
      [-Force]
      [-ResetOnly]
      [-UseServiceAccount]
      [-LoggingId <Guid>]
      [<CitrixCommonParameters>]
      [<CommonParameters>]
<!--NeedCopy-->
Repair-AcctADAccount
      -ADAccountSid <String[]>
      [-Password <String>]
      [-SecurePassword <SecureString>]
      [-ADUserName <String>]
      [-ADPassword <SecureString>]
      [-Force]
      [-ResetOnly]
      [-UseServiceAccount]
      [-LoggingId <Guid>]
      [<CitrixCommonParameters>]
      [<CommonParameters>]
<!--NeedCopy-->

Description

This provides the ability to repair accounts in the ‘Tainted’ state by synchronizing the account password stored in Active Directory (AD) with the password stored in the AD Identity Service. If successful, this results in the account state being reset to ‘Available’ so it can be consumed by other Machine Creation Services.

If the current account password is not supplied using the Password or SecurePassword Parameters, this requires the user who initiated the runspace to have the required permissions in AD to reset the AD account password. If the current user does not have sufficient privileges, the ADUserName and ADPassword parameters may be used instead.

If the current account password is supplied then this command will use the password change operation which does not require any elevated permissions in AD.

Examples

EXAMPLE 1

Repairs the tainted accounts account and account2. After the repair operation, there are no more tainted accounts.

Get-AcctADAccount -State Tainted | Select-Object ADAccountName

ADAccountName
-------------
Domain\account
Domain\account2

Repair-AcctADAccount -ADAccountName "Domain\account","Domain\account2"

SuccessfulAccountsCount       FailedAccountsCount    FailedAccounts
-----------------------       -------------------    --------------
                      2                         0    {}

Get-AcctADAccount -State Tainted
<!--NeedCopy-->

Parameters

-ADAccountName

The names of the AD accounts that are to be repaired. AD accounts are accepted in the following formats: Fully qualified DN e.g. CN=MyComputer,OU=Computers,DC=MyDomain,DC=Com; UPN format e.g MyComputer@MyDomain.Com; Domain qualified e.g MyDomain\MyComputer.

Type: String[]
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False

-ADAccountSid

The SID(s) of the accounts that are to be repaired.

Type: String[]
Position: Named
Default value: None
Required: True
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False

-Password

The current password for the computer account.

Type: String
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-SecurePassword

The current password for the account (provided in a Secure String class).

Type: SecureString
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-ADUserName

The username for an AD user account with Write Permissions. This parameter must be used if the current user does not have the necessary privileges.

Type: String
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-ADPassword

The matching password for an AD user account with Write Permissions. This parameter must be used if the current user does not have the necessary privileges.

Type: SecureString
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-Force

Indicates whether accounts that are marked as ‘in-use’ can be repaired or not.

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-ResetOnly

Indicates whether only resetting machine password and trust keys without updating the states to ‘Available’ if the accounts that are marked as ‘InUse’. This parameter will be sliently ignored by the accounts which states are not ‘InUse’.

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-UseServiceAccount

Use the service account of IdentityPool which the account belongs to to repair AD account.

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-LoggingId

Specifies the identifier of the high-level operation this cmdlet call forms a part of. Citrix Studio and Director typically create high-level operations. PowerShell scripts can also wrap a series of cmdlet calls in a high-level operation by way of the Start-LogHighLevelOperation and Stop-LogHighLevelOperation cmdlets.

Type: Guid
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

CitrixCommonParameters

This cmdlet supports the common Citrix parameters: -AdminAddress, -AdminClientIP, -BearerToken, -TraceParent, -TraceState and -VirtualSiteId. For more information, see about_CitrixCommonParameters.

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

Inputs

None

You can’t pipe objects to this cmdlet.

Outputs

Citrix.ADIdentity.Sdk.AccountOperationSummary

The Repair-AcctADAccout command returns an object with the following parameters: SuccessfulAccountsCount <int>

The number of accounts that were repaired successfully.

FailedAccountsCount <int>

The number of accounts that were not repaired.

FailedAccounts <Citrix.ADIdentity.Sdk.AccountError[]>

The list of accounts that failed to be repaired. Each one has the following parameters:

ADAccountName <string>

ADAccountSid <String>

ErrorReason <ADIdentityStatus>

This can be one of the following

UnableToConvertDomain

IdentityNotLocatedInDomain

IdentityNotFound

IdentityObjectInUse

IdentityObjectLocked

ADServiceDatabaseError

ADServiceDatabaseNotConfigured

ADServiceStatusInvalidDb

FailedToConnectToDomainController

FailedToExecuteSearchInAD

FailedToAccessComputerAccountInAD

FailedToSetPasswordInAD

FailedToChangePasswordInAD

DiagnosticInformtion <Exception>

Any other error information

Notes

In the case of failure, the following errors can result.

Error Codes


PermissionDenied

The user does not have administrative rights to perform this operation.

ConfigurationLoggingError

The operation could not be performed because of a configuration logging error

DatabaseError

An error occurred in the service while attempting a database operation.

DatabaseNotConfigured

The operation could not be completed because the database for the service is not configured.

ServiceStatusInvalidDb

An error occurred in the service while attempting a database operation - communication with database failed for various reasons.

CommunicationError

An error occurred while communicating with the service.

ExceptionThrown

An unexpected error occurred. To locate more details, see the Windows event logs on the controller being used or examine the Citrix Virtual Apps and Desktops logs.

Repair-AcctADAccount