Citrix Virtual Apps and Desktops SDK

New-AcctADAccount

Creates Active Directory (AD) computer accounts in the specified identity pool.

Syntax


New-AcctADAccount [-IdentityPoolName] <String> -Count <Int32> [-StartCount <Int32>] [-ADUserName <String>] [-ADPassword <SecureString>] [-Parallelism <Int32>] [-LoggingId <Guid>] [-BearerToken <String>] [-TraceParent <String>] [-TraceState <String>] [-VirtualSiteId <String>] [-AdminAddress <String>] [<CommonParameters>]

New-AcctADAccount [-IdentityPoolName] <String> -ADAccountName <String[]> [-ADUserName <String>] [-ADPassword <SecureString>] [-Parallelism <Int32>] [-LoggingId <Guid>] [-BearerToken <String>] [-TraceParent <String>] [-TraceState <String>] [-VirtualSiteId <String>] [-AdminAddress <String>] [<CommonParameters>]

New-AcctADAccount -IdentityPoolUid <Guid> -Count <Int32> [-StartCount <Int32>] [-ADUserName <String>] [-ADPassword <SecureString>] [-Parallelism <Int32>] [-LoggingId <Guid>] [-BearerToken <String>] [-TraceParent <String>] [-TraceState <String>] [-VirtualSiteId <String>] [-AdminAddress <String>] [<CommonParameters>]

New-AcctADAccount -IdentityPoolUid <Guid> -ADAccountName <String[]> [-ADUserName <String>] [-ADPassword <SecureString>] [-Parallelism <Int32>] [-LoggingId <Guid>] [-BearerToken <String>] [-TraceParent <String>] [-TraceState <String>] [-VirtualSiteId <String>] [-AdminAddress <String>] [<CommonParameters>]

<!--NeedCopy-->

Detailed Description

Provides the ability to create new Active Directory (AD) computer accounts and register them in an already existing identity pool.

The accounts are created using the information stored in the identity pool. This provides the account name (via the Naming Scheme property and Start Count), domain, and OU.

The user performing the operation in PowerShell must have sufficient privileges in AD to create the new computer accounts. If the current user does not have sufficient privileges, the ADUserName and ADPassword parameters may be used instead.

The AD account names will pad the index to use all the space specified in the identity pool naming scheme (e.g. “acc###” will become “acc001”). However, if the index overflows the available space the cmdlet expands the format to use the next incremental number (e.g. “acc###” will become “acc1000” if the index is 10000, which cannot fit into the three ‘#’ placeholders). If this expanded name exceeds the 15 character name limit, the accounts are not created.

There can be only one creation process running for a specific identity pool at any one time. Attempting to start another account creation process while an existing one is executing results in an error being returned.

Parameters

Name Description Required? Pipeline Input Default Value
IdentityPoolName The name of the identity pool in which accounts will be created. true false  
Count The number of accounts to create. true false  
ADAccountName The AD account names to be created. These are just the simple machine account names (e.g. MyVM001). true false  
IdentityPoolUid The unique identifier for the identity pool in which accounts will be created. true false  
StartCount The start index for the create process. false false  
ADUserName The username for an AD user account with Write Permissions. This parameter must be used if the current user does not have the necessary privileges. false false  
ADPassword The matching password for an AD user account with Write Permissions. This parameter must be used if the current user does not have the necessary privileges. false false  
Parallelism Gets or sets the maximum number of threads to create AD accounts in parallel. Range 1-60 with default of 20. false false 20
LoggingId Specifies the identifier of the high-level operation this cmdlet call forms a part of. Citrix Studio and Director typically create high-level operations. PowerShell scripts can also wrap a series of cmdlet calls in a high-level operation by way of the Start-LogHighLevelOperation and Stop-LogHighLevelOperation cmdlets. false false  
BearerToken Specifies the bearer token assigned to the calling user false false  
TraceParent Specifies the trace parent assigned for internal diagnostic tracing use false false  
TraceState Specifies the trace state assigned for internal diagnostic tracing use false false  
VirtualSiteId Specifies the virtual site the PowerShell snap-in will connect to. false false  
AdminAddress Specifies the address of a Citrix Virtual Apps and Desktops controller that the PowerShell snap-in connects to. You can provide this as a host name or an IP address. false false LocalHost. Once a value is provided by any cmdlet, this value becomes the default.

Input Type

Return Values

Citrix.Adidentity.Sdk.Accountoperationdetailedsummary

The Add-AcctADAccount returns an object that contains the following parameters;

  • SuccessfulAccountsCount <int> The number of accounts that were added successfully

  • FailedAccountsCount <int> The number of accounts that were not added.

  • FailedAccounts <Citrix.ADIdentity.Sdk.AccountError[]> The list of accounts that failed to be added. Each one has the following parameters;

  • ADAccountName <string>

  • ADAccountSid <String>

  • ErrorReason <string> This can be one of the following IdentityDuplicateObjectExists An identity with the same SID already exists. ADServiceDatabaseError An error occurred in the service while attempting a database operation. ADServiceDatabaseNotConfigured The operation could not be completed because the database for the service is not configured. ADServiceStatusInvalidDb An error occurred in the service while attempting a database operation - communication with the database failed for for various reasons. FailedToConnectToDomainController Contacting Active Directory failed. FailedToGetOrganizationUnitInAD Failed to access the OU in Active Directory. FailedToGetDefaultComputerContainerInAD Failed to access the default computers container in Active Directory. FailedToCreateComputerAccountInAD Failed to create the computer account in Active Directory. FailedToAccessComputerAccountInAD Failed to read the newly created computer account in Active Directory. FailedToGetSidFromAD Failed to get the SID for the created account from Active Directory. FailedToSetSamAccountNameInAD Failed to set the SAM account name in Active Directory for the account created. FailedToSetUserAccountControlInAD Failed to set the user account controller properties for the account created in Active Directory. FailedToSaveChangeInAD Failed to save the changes made to the created computer account in Active Directory. FailedToSetPasswordInAD Failed to set the password for the created computer account in Active Directory. FailedToEnableAccountInAD Failed to enable the newly created computer account in Active Directory. ComputerNameAlreadyInUseInAD The computer name for the computer to create is in use in Active Directory. FailedToGetDistinguishedNameInAD Failed to get the distinguished name for the created computer account in ActiveDirectory. FailedToSetDnsHostNameInAD Failed to set the Dns Host Name property for the created computer account in ActiveDirectory. FailedToSetDisplayNameInAD Failed to set the DisplayName property for the created computer account in ActiveDirectory. FailedToWriteServicePrincipalNameInAD Failed to set the ServicePrincipalName property for the created computer account in ActiveDirectory.

  • DiagnosticInformtion <Exception> Any other error information

  • SuccessfulAccounts <Citrix.ADIdentity.Sdk.Identity[]> The list of accounts that were successfully added. Each object provides details of the identity and contains the following information:

  • ADAccountGuid <GUID> The unique identifier for the account.

  • ADAccountName <string> The name of the account.

  • ADAccountSid <string> The SID for the account.

  • AccountDisabled <bool> Whether or not the account is disabled in AD.

  • AccountLocked <bool> Whether or not the account is locked in AD.

  • Domain <string> The domain for the account.

  • DomainControllerHint <string> The base 64 encoded hint for the domain controller location.

  • Lock <bool> Whether or not the account is locked (in the database, not AD).

  • State <string> The state for the account. This can be: Available The account is not used. InUse The account is in use. Error The account is in error (i.e. the account is locked or disabled in AD). Tainted The account is no longer used, but the password is no longer known.

  • TenantId <GUID> The identity of the tenant associated with this account.

  • DeviceManagementType <string> The device management type. New accounts will have the same ‘DeviceManagementType’ as the identity pool.

  • IdentityType <string> The identity type. New accounts will have the same ‘IdentityType’ as the identity pool.

  • VdaHostId <GUID> The ID of the VDA associated with this account.

  • WorkgroupMachine <bool> Whether or not the account is a workgroup account (not domain-joined).

  • TrustServiceInstanceId <string> The trust service ID of the machine.

Notes

In the case of failure, the following errors can result.

  • NamingSchemeNotSpecifiedForIdentityPool: No naming scheme is defined in the specified identity pool.

  • IdentityPoolObjectNotFound: The specified identity pool was not located.

  • IdentityPoolAlreadyLocked: The specified identity pool is locked.

  • PermissionDenied: The user does not have administrative rights to perform this operation.

  • ConfigurationLoggingError: The operation could not be performed because of a configuration logging error

  • DatabaseError: An error occurred in the service while attempting a database operation.

  • DatabaseNotConfigured: The operation could not be completed because the database for the service is not configured.

  • ServiceStatusInvalidDb: An error occurred in the service while attempting a database operation - communication with the database failed for various reasons.

  • CommunicationError: An error occurred while communicating with the service.

  • ExceptionThrown: An unexpected error occurred. To locate more details, see the Windows event logs on the controller being used or examine the Citrix Virtual Apps and Desktops logs.

Examples

Example 1


c:\PS>New-AcctADAccount -IdentityPoolName MyPool -Count 2 -OutVariable result

          SuccessfulAccounts                SuccessfulAccountsCount       FailedAccountsCount    FailedAccounts

          ------------------                -----------------------       -------------------    --------------

          {MyDomain\ACC001, MyDomain\ACC002} 2                            0                      {}

          c:\PS>$result[0].SuccessfulAccounts

          ADAccountGuid          : a33f54f8-4944-4537-93c9-a04f0b889378

          ADAccountName          : MyDomain\ACC001

          ADAccountSid           : S-1-5-21-1315084875-1285793635-2418178940-2684

          AccountDisabled        : False

          AccountLocked          : False

          Domain                 : MyDomain.com

          DomainControllerHint   : v2_ZGMubXlkb21haW4uY29tOjU5ZTlkMjhkLWY0NmItNDM0YS05N2MyLTk5NWRhOWUxMjBkNw==

          Lock                   : False

          State                  : Available

          TenantId               :

          DeviceManagementType   : None

          IdentityType           : ActiveDirectory

          VdaHostId              : ee3ec984-3f1b-41ed-aee7-38754692e829

          WorkgroupMachine       : False

          TrustServiceInstanceId : ee3ec984-3f1b-41ed-aee7-38754692e829-S-1-5-21-1315084875-1285793635-2418178940-2684

          ADAccountGuid          : 16c62c01-42d0-4180-91c3-3e02b5a3e860

          ADAccountName          : MyDomain\ACC002

          ADAccountSid           : S-1-5-21-1315084875-1285793635-2418178940-2685

          AccountDisabled        : False

          AccountLocked          : False

          Domain                 : MyDomain.com

          DomainControllerHint   : v2_ZGMubXlkb21haW4uY29tOjU5ZTlkMjhkLWY0NmItNDM0YS05N2MyLTk5NWRhOWUxMjBkNw==

          Lock                   : False

          State                  : Available

          TenantId               :

          DeviceManagementType   : None

          IdentityType           : ActiveDirectory

          VdaHostId              : 8ca4ee0c-00bf-4e05-8605-c3ee7fe053c3

          WorkgroupMachine       : False

          TrustServiceInstanceId : 8ca4ee0c-00bf-4e05-8605-c3ee7fe053c3-S-1-5-21-1315084875-1285793635-2418178940-2685

<!--NeedCopy-->

Description

Creates two new AD accounts and registers them in the identity pool called “MyPool”.

Example 2


c:\PS>New-AcctADAccount -IdentityPoolName MyPool -Count 2 -StartCount 50 -OutVariable result

          SuccessfulAccounts                SuccessfulAccountsCount       FailedAccountsCount    FailedAccounts

          ------------------                -----------------------       -------------------    --------------

          {MyDomain\ACC050, MyDomain\ACC051} 2                            0                      {}

          c:\PS>$result[0].SuccessfulAccounts

          ADAccountGuid          : fed20f3b-d1ec-4f8e-9681-197de9522bfd

          ADAccountName          : MyDomain\ACC050

          ADAccountSid           : S-1-5-21-1315084875-1285793635-2418178940-2686

          AccountDisabled        : False

          AccountLocked          : False

          Domain                 : MyDomain.com

          DomainControllerHint   : v2_ZGMubXlkb21haW4uY29tOjU5ZTlkMjhkLWY0NmItNDM0YS05N2MyLTk5NWRhOWUxMjBkNw==

          Lock                   : False

          State                  : Available

          TenantId               :

          DeviceManagementType   : None

          IdentityType           : ActiveDirectory

          VdaHostId              : 1772a527-33e6-4da4-8a3a-d98e13c1d156

          WorkgroupMachine       : False

          TrustServiceInstanceId : 1772a527-33e6-4da4-8a3a-d98e13c1d156-S-1-5-21-1315084875-1285793635-2418178940-2686

          ADAccountGuid          : 86b3b360-e21f-4bb2-8e36-e236598fd51a

          ADAccountName          : MyDomain\ACC051

          ADAccountSid           : S-1-5-21-1315084875-1285793635-2418178940-2687

          AccountDisabled        : False

          AccountLocked          : False

          Domain                 : MyDomain.com

          DomainControllerHint   : v2_ZGMubXlkb21haW4uY29tOjU5ZTlkMjhkLWY0NmItNDM0YS05N2MyLTk5NWRhOWUxMjBkNw==

          Lock                   : False

          State                  : Available

          TenantId               :

          DeviceManagementType   : None

          IdentityType           : ActiveDirectory

          VdaHostId              : 0185a831-493f-4656-9126-9a29188c8213

          WorkgroupMachine       : False

          TrustServiceInstanceId : 0185a831-493f-4656-9126-9a29188c8213-S-1-5-21-1315084875-1285793635-2418178940-2687

<!--NeedCopy-->

Description

Creates two new AD accounts and registers them in the identity pool called “MyPool”, starting from an index of 50.

New-AcctADAccount