about_AcctADIdentitySnapIn
Topic
about_AcctADIdentitySnapin
Short Description
The Active Directory Identity Service PowerShell snap-in provides administrative functions for the Active Directory Identity Service.
Command Prefix
All commands in this snap-in have the noun prefixed with ‘Acct’.
Long Description
The Active Directory Identity Service PowerShell snap-in enables both local and remote administration of the Active Directory Identity Service. It provides facilities to store details about Active Directory computer accounts that the Machine Creation Service can use.
The snap-in provides two main entities:
Identity: A representation of an Active Directory computer account that reflects the state of the account within the context of the Machine Creation Service. When an account is created by or imported into the Active Directory Identity Service, the account password is stored. Once the account is consumed by the Machine Creation Service, the password is discarded. For accounts registered with the Active Directory Identity Service, identities hold the following additional state information.
Available: The Active Directory account is registered with the service, the password for the account is known, and the account is available to be consumed by another service. Accounts that are successfully created with the New-AcctADAccount command or imported using the Add-AcctADAccount command are initially assigned this state.
InUse: The Active Directory account is registered and has been consumed by another service. The password for the account is no longer known to the service.
Error: The Active Directory account is registered, but is missing, disabled, or locked within Active Directory. Accounts that are not successfully created with the New-AcctADAccount command or imported using the Add-AcctADAccount command appear in this state. Use the Update-AcctADAccount and Repair-AcctADAccount commands to resolve issues with accounts in this state.
Tainted: The Active Directory account is registered and has been released by all the consuming services, but cannot be made available for use because the password is no longer known. Use the Repair-AcctADAccount command to reset account passwords and restore the account state to ‘Available’.
Identities can also be marked as ‘Locked’ by the Machine Creation Service to indicate that they are in use and must not be changed. The service that sets the lock is also responsible for unlocking the Active Directory accounts when it no longer requires exclusive access. In some cases, an account may remain locked if a task is unexpectedly stopped. Use the Unlock-AcctADAccount command to manually unlock the account if necessary.
Identity Pool: Containers for identities that can be configured with all the information required for new Active Directory accounts to be created. Alternatively, identity pools can be populated by importing accounts that already exist in Active Directory. All accounts registered with the Active Directory Identity Service must be placed into one of these containers. An identity can belong to more than one identity pool, but the state of the identity cannot be different in each pool. For example, an identity that is in use will be marked ‘InUse’ in all the identity pools of which it is part.
To avoid conflicting changes, identity pools can also be marked as ‘Locked’ during operations that modify the content of a pool. These operations are also responsible for unlocking the identity pool. In some cases, a pool may remain locked if a task is unexpectedly stopped. Use the Unlock-AcctIdentityPool command to manually unlock the pool if necessary.
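The state model above can be turned into a routine audit. The following is an added example, not Citrix code: it triages identity records by state and lock flag and checks the rule that an identity shows the same state in every pool. The record property names (ADAccountName, IdentityPoolName, State, Lock), the function name Get-IdentityTriage and the sample data are assumptions constructed for illustration; on a controller the records would come from the snap-in itself, for example from Get-AcctADAccount.

```powershell
# Constructed sample records; property names are assumptions, not captured output.
$identities = @(
    [pscustomobject]@{ ADAccountName='CORP\VDA-001$'; IdentityPoolName='PoolA'; State='Available'; Lock=$false }
    [pscustomobject]@{ ADAccountName='CORP\VDA-002$'; IdentityPoolName='PoolA'; State='Tainted';   Lock=$false }
    [pscustomobject]@{ ADAccountName='CORP\VDA-003$'; IdentityPoolName='PoolA'; State='Error';     Lock=$true  }
    [pscustomobject]@{ ADAccountName='CORP\VDA-004$'; IdentityPoolName='PoolA'; State='InUse';     Lock=$false }
    [pscustomobject]@{ ADAccountName='CORP\VDA-004$'; IdentityPoolName='PoolB'; State='Available'; Lock=$false }
)

# Hypothetical helper: one output row per identity record with the follow-up it needs.
function Get-IdentityTriage {
    param([Parameter(Mandatory)][object[]]$Identity)

    # One identity may be in several pools but must show the same state in each.
    $conflicts = @($Identity | Group-Object ADAccountName |
        Where-Object { @($_.Group.State | Select-Object -Unique).Count -gt 1 } |
        ForEach-Object { $_.Name })

    foreach ($id in $Identity) {
        # Map each state to the commands the documentation names for it.
        $action = switch ($id.State) {
            'Error'   { 'Update-AcctADAccount and Repair-AcctADAccount' }
            'Tainted' { 'Repair-AcctADAccount' }
            default   { 'None' }
        }
        [pscustomobject]@{
            Account       = $id.ADAccountName
            Pool          = $id.IdentityPoolName
            State         = $id.State
            # A lock left behind by a stopped task is cleared with Unlock-AcctADAccount.
            Locked        = [bool]$id.Lock
            Action        = $action
            StateConflict = $conflicts -contains $id.ADAccountName
        }
    }
}

# Show only the records that need attention.
Get-IdentityTriage -Identity $identities |
    Where-Object { $_.Action -ne 'None' -or $_.Locked -or $_.StateConflict } |
    Format-Table -AutoSize
```

With the sample data, VDA-002 and VDA-003 are listed for repair, VDA-003 is additionally flagged as locked, and both VDA-004 rows are flagged because the two pools disagree on its state.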
Active Directory Permissions
Certain commands provided by the Active Directory Identity Service PowerShell snap-in require permissions for Active Directory operations. By default, the user account executing the command will be used to check for permissions. Active Directory credentials for an account with permissions may also be specified using the -ADUsername and -ADPassword parameters if necessary.
Account Creation (using the New-AcctADAccount command): To use PowerShell to create new Active Directory accounts, the command must be run using an account with sufficient permissions in the required Active Directory container (specified by the identity pool organizational unit parameter) for accounts to be created.
Import Accounts (using the Add-AcctADAccount command): There are two modes for this operation: situations where the Active Directory account passwords are known and situations where the passwords are not known.
If the account passwords are known, the accounts can be imported without the need for administrative permissions in Active Directory. The accounts are imported and the password provided is used to change the existing password.
If the passwords are not known, the command must be run using an account that has permissions to reset the password for the accounts.
Account Removal (using the Remove-AcctADAccount command): By default, the Remove-AcctADAccount command will only remove accounts from the AD Identity Service database without needing permissions to modify Active Directory accounts.
An optional parameter ‘RemovalOption’ can be set to modify the Active Directory accounts. If set to ‘Disable’ or ‘Delete’, the command must be run with sufficient permissions to disable or delete the account from Active Directory.