Developer Documentation
Citrix Virtual Apps and Desktops 2411 SDK
Current Release 2402 2311 2305 2303 2212 2209 2206 2203 2112 2109 2103 1912
View PDF

New-AcctIdentity

December 4, 2024
Contributed by: 
C

Introduced in: Citrix Virtual Apps and Desktop 7 2411

Creates identity accounts in the specified identity pool.

Syntax

New-AcctIdentity
   -IdentityPoolUid <Guid>
   -Count <Int32>
   [-StartCount <Int32>]
   [-PrivilegedUserName <String>]
   [-PrivilegedUserPassword <SecureString>]
   [-Parallelism <Int32>]
   [-UseServiceAccount]
   [-LoggingId <Guid>]
   [<CitrixCommonParameters>]
   [<CommonParameters>]
<!--NeedCopy-->

New-AcctIdentity
   [-IdentityPoolName] <String>
   -Count <Int32>
   [-StartCount <Int32>]
   [-PrivilegedUserName <String>]
   [-PrivilegedUserPassword <SecureString>]
   [-Parallelism <Int32>]
   [-UseServiceAccount]
   [-LoggingId <Guid>]
   [<CitrixCommonParameters>]
   [<CommonParameters>]
<!--NeedCopy-->

New-AcctIdentity
   -IdentityPoolUid <Guid>
   -IdentityAccountName <String[]>
   [-PrivilegedUserName <String>]
   [-PrivilegedUserPassword <SecureString>]
   [-Parallelism <Int32>]
   [-UseServiceAccount]
   [-LoggingId <Guid>]
   [<CitrixCommonParameters>]
   [<CommonParameters>]
<!--NeedCopy-->

New-AcctIdentity
   [-IdentityPoolName] <String>
   -IdentityAccountName <String[]>
   [-PrivilegedUserName <String>]
   [-PrivilegedUserPassword <SecureString>]
   [-Parallelism <Int32>]
   [-UseServiceAccount]
   [-LoggingId <Guid>]
   [<CitrixCommonParameters>]
   [<CommonParameters>]
<!--NeedCopy-->

Description

Provides the ability to create new identity computer accounts and register them in an already existing identity pool.

The accounts are created using the information stored in the identity pool. This provides the account name (via the Naming Scheme property and Start Count), domain, and OU.

To create new identity accounts in an Active Directory or Hybrid Azure AD based identity pool, the user performing the operation in PowerShell must have sufficient permissions in AD to create new computer accounts. If the current user does not have permissions, the PrivilegedUserName and PrivilegedUserPassword parameters can be used to provide credentials for a user with permissions.

The identity account names will pad the index to use all the space specified in the identity pool naming scheme (e.g., “acc###” will become “acc001”). However, if the index overflows the available space, the cmdlet expands the format to use the next incremental number (e.g., “acc###” will become “acc1000” if the index is 1000, which cannot fit into the three ‘#’ placeholders). If this expanded name exceeds the 15 character name limit, the accounts are not created.

There can be only one creation process running for a specific identity pool at any one time. Attempting to start another account creation process while an existing one is executing will return an error.

Examples

EXAMPLE 1

Creates two new Identity accounts and registers them in the identity pool called “MyPool”.

New-AcctIdentity -IdentityPoolName MyPool -Count 2 -OutVariable result

  SuccessfulAccounts                SuccessfulAccountsCount       FailedAccountsCount    FailedAccounts
  ------------------                -----------------------       -------------------    --------------
  {MyDomain\ACC001, MyDomain\ACC002} 2                            0                      {}

  PS C:\> $result[0].SuccessfulAccounts

  IdentityAccountGuid    : a33f54f8-4944-4537-93c9-a04f0b889378
  IdentityAccountName    : MyDomain\ACC001
  IdentityAccountId      : S-1-5-21-1315084875-1285793635-2418178940-2684
  AccountDisabled        : False
  AccountLocked          : False
  Domain                 : MyDomain.com
  DomainControllerHint   : v2_ZGMubXlkb21haW4uY29tOjU5ZTlkMjhkLWY0NmItNDM0YS05N2MyLTk5NWRhOWUxMjBkNw==
  Lock                   : False
  State                  : Available
  TenantId               :
  DeviceManagementType   : None
  IdentityType           : ActiveDirectory
  VdaHostId              : ee3ec984-3f1b-41ed-aee7-38754692e829
  WorkgroupMachine       : False
  TrustServiceInstanceId : ee3ec984-3f1b-41ed-aee7-38754692e829-S-1-5-21-1315084875-1285793635-2418178940-2684

  IdentityAccountGuid    : 16c62c01-42d0-4180-91c3-3e02b5a3e860
  IdentityAccountName    : MyDomain\ACC002
  IdentityAccountId      : S-1-5-21-1315084875-1285793635-2418178940-2685
  AccountDisabled        : False
  AccountLocked          : False
  Domain                 : MyDomain.com
  DomainControllerHint   : v2_ZGMubXlkb21haW4uY29tOjU5ZTlkMjhkLWY0NmItNDM0YS05N2MyLTk5NWRhOWUxMjBkNw==
  Lock                   : False
  State                  : Available
  TenantId               :
  DeviceManagementType   : None
  IdentityType           : ActiveDirectory
  VdaHostId              : 8ca4ee0c-00bf-4e05-8605-c3ee7fe053c3
  WorkgroupMachine       : False
  TrustServiceInstanceId : 8ca4ee0c-00bf-4e05-8605-c3ee7fe053c3-S-1-5-21-1315084875-1285793635-2418178940-2685
<!--NeedCopy-->

EXAMPLE 2

Creates two new Identity accounts and registers them in the identity pool called “MyPool”, starting from an index of 50.

New-AcctIdentity -IdentityPoolName MyPool -Count 2 -StartCount 50 -OutVariable result

SuccessfulAccounts                SuccessfulAccountsCount       FailedAccountsCount    FailedAccounts
------------------                -----------------------       -------------------    --------------
{MyDomain\ACC050, MyDomain\ACC051} 2                            0                      {}

$result[0].SuccessfulAccounts

  IdentityAccountGuid    : fed20f3b-d1ec-4f8e-9681-197de9522bfd
  IdentityAccountName    : MyDomain\ACC050
  IdentityAccountId      : S-1-5-21-1315084875-1285793635-2418178940-2686
  AccountDisabled        : False
  AccountLocked          : False
  Domain                 : MyDomain.com
  DomainControllerHint   : v2_ZGMubXlkb21haW4uY29tOjU5ZTlkMjhkLWY0NmItNDM0YS05N2MyLTk5NWRhOWUxMjBkNw==
  Lock                   : False
  State                  : Available
  TenantId               :
  DeviceManagementType   : None
  IdentityType           : ActiveDirectory
  VdaHostId              : 1772a527-33e6-4da4-8a3a-d98e13c1d156
  WorkgroupMachine       : False
  TrustServiceInstanceId : 1772a527-33e6-4da4-8a3a-d98e13c1d156-S-1-5-21-1315084875-1285793635-2418178940-2686

  IdentityAccountGuid    : 86b3b360-e21f-4bb2-8e36-e236598fd51a
  IdentityAccountName    : MyDomain\ACC051
  IdentityAccountId      : S-1-5-21-1315084875-1285793635-2418178940-2687
  AccountDisabled        : False
  AccountLocked          : False
  Domain                 : MyDomain.com
  DomainControllerHint   : v2_ZGMubXlkb21haW4uY29tOjU5ZTlkMjhkLWY0NmItNDM0YS05N2MyLTk5NWRhOWUxMjBkNw==
  Lock                   : False
  State                  : Available
  TenantId               :
  DeviceManagementType   : None
  IdentityType           : ActiveDirectory
  VdaHostId              : 0185a831-493f-4656-9126-9a29188c8213
  WorkgroupMachine       : False
  TrustServiceInstanceId : 0185a831-493f-4656-9126-9a29188c8213-S-1-5-21-1315084875-1285793635-2418178940-2687
<!--NeedCopy-->

Parameters

-Count

The number of accounts to create.

Type: Int32
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False

-IdentityAccountName

The Identity account names to be created. These are just the simple machine account names (e.g., MyVM001).

Type: String[]
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False

-IdentityPoolUid

The unique identifier for the identity pool in which accounts will be created.

Type: Guid
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False

-IdentityPoolName

The name of the identity pool in which accounts will be created.

Type: String
Position: 2
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False
Length range: 1 to 64

-StartCount

The start index for the create process.

Type: Int32
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-PrivilegedUserName

The username for an user account in the identity provider (e.g., AD or Azure AD) with Write Permissions. This parameter must be used if the current user does not have the necessary privileges to create accounts in identity provider.

Type: String
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-PrivilegedUserPassword

The matching password for an user account in the identity provider (e.g., AD or Azure AD) with Write Permissions. This parameter must be used if the current user does not have the necessary privileges to create accounts in identity provider.

Type: SecureString
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-Parallelism

Gets or sets the maximum number of threads to create AD accounts in parallel. Range 1-60 with default of 20.

Type: Int32
Position: Named
Default value: 20
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-UseServiceAccount

Use the IdentityPool’s service account to create AD accounts.

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-LoggingId

Specifies the identifier of the high-level operation this cmdlet call forms a part of. Citrix Studio and Director typically create high-level operations. PowerShell scripts can also wrap a series of cmdlet calls in a high-level operation by way of the Start-LogHighLevelOperation and Stop-LogHighLevelOperation cmdlets.

Type: Guid
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

CitrixCommonParameters

This cmdlet supports the common Citrix parameters: -AdminAddress, -AdminClientIP, -BearerToken, -TraceParent, -TraceState and -VirtualSiteId. For more information, see about_CitrixCommonParameters.

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

Inputs

None

You can’t pipe objects to this cmdlet.

Outputs

Citrix.ADIdentity.Sdk.CommonAccountOperationDetailedSummary

The New-AcctIdentity returns an object that contains the following properties:

  • SuccessfulAccountsCount <int>

    The number of accounts that were added successfully

  • FailedAccountsCount <int>

    The number of accounts that were not added.

  • FailedAccounts <Citrix.XDPowerShell.AccountError[]>

    The list of accounts that failed to be added. Each one has the following properties:

    • IdentityAccountName <string>
    • IdentityAccountId <String>

    • ErrorReason <ADIdentityStatus>

      This can be one of the following:

      • IdentityDuplicateObjectExists

        An identity with the same SID already exists.

      • ADServiceDatabaseError

        An error occurred in the service while attempting a database operation.

      • ADServiceDatabaseNotConfigured

        The operation could not be completed because the database for the service is not configured.

      • ADServiceStatusInvalidDb

        An error occurred in the service while attempting a database operation - communication with the database failed for for various reasons.

      • FailedToConnectToDomainController

        Contacting Active Directory failed.

      • FailedToGetOrganizationUnitInAD

        Failed to access the OU in Active Directory.

      • FailedToGetDefaultComputerContainerInAD

        Failed to access the default computers container in Active Directory.

      • FailedToCreateComputerAccountInAD

        Failed to create the computer account in Active Directory.

      • FailedToAccessComputerAccountInAD

        Failed to read the newly created computer account in Active Directory.

      • FailedToGetSidFromAD

        Failed to get the SID for the created account from Active Directory.

      • FailedToSetSamAccountNameInAD

        Failed to set the SAM account name in Active Directory for the account created.

      • FailedToSetUserAccountControlInAD

        Failed to set the user account controller properties for the account created in Active Directory.

      • FailedToSaveChangeInAD

        Failed to save the changes made to the created computer account in Active Directory.

      • FailedToSetPasswordInAD

        Failed to set the password for the created computer account in Active Directory.

      • FailedToEnableAccountInAD

        Failed to enable the newly created computer account in Active Directory.

      • ComputerNameAlreadyInUseInAD

        The computer name for the computer to create is in use in Active Directory.

      • FailedToGetDistinguishedNameInAD

        Failed to get the distinguished name for the created computer account in ActiveDirectory.

      • FailedToSetDnsHostNameInAD

        Failed to set the Dns Host Name property for the created computer account in ActiveDirectory.

      • FailedToSetDisplayNameInAD

        Failed to set the DisplayName property for the created computer account in ActiveDirectory.

      • FailedToWriteServicePrincipalNameInAD

        Failed to set the ServicePrincipalName property for the created computer account in ActiveDirectory.

    • DiagnosticInformtion <Exception>

      Any other error information

  • SuccessfulAccounts <Citrix.ADIdentity.Sdk.Identity[]>

    The list of accounts that were successfully added. Each one has the following properties:

    • IdentityAccountGuid <Guid>

      The unique identifier for the account.

    • IdentityAccountName <string>

      The name of the account.

    • IdentityAccountId <string>

      The ID for the account.

    • AccountDisabled <bool>

      Whether or not the account is disabled in AD.

    • AccountLocked <bool>

      Whether or not the account is locked in AD.

    • Domain <string>

      The domain for the account.

    • DomainControllerHint <string>

    • Lock <bool>

      Whether or not the account is locked (in the database, not AD).

    • State <Citrix.ADIdentity.Sdk.ADIdentityState>

      The state for the account. This can be:

      • Available

        The account is not used.

      • InUse

        The account is in use.

      • Error

        The account is in error (i.e. the account is locked or disabled in AD).

      • Tainted

        The account is no longer used, but the password is no longer known.

    • TenantId <Guid>

      The identity of the tenant associated with this account.

    • DeviceManagementType <string>

      The device management type.

    • IdentityType <string>

      The identity type.

    • VdaHostId <Guid>

      The ID of the VDA associated with this account.

    • WorkgroupMachine <bool>

      Whether or not the account is a workgroup account (not domain-joined).

    • TrustServiceInstanceId <string>

      The trust service ID of the machine.

Notes

In the case of failure the following errors can result:

  • NamingSchemeNotSpecifiedForIdentityPool

    No naming scheme is defined in the specified identity pool.

  • IdentityPoolObjectNotFound

    The specified identity pool was not located.

  • IdentityPoolAlreadyLocked

    The specified identity pool is locked.

  • PermissionDenied

    The user does not have administrative rights to perform this operation.

  • ConfigurationLoggingError

    The operation could not be performed because of a configuration logging error

  • DatabaseError

    An error occurred in the service while attempting a database operation.

  • DatabaseNotConfigured

    The operation could not be completed because the database for the service is not configured.

  • ServiceStatusInvalidDb

    An error occurred in the service while attempting a database operation - communication with the database failed for various reasons.

  • CommunicationError

    An error occurred while communicating with the service.

  • ExceptionThrown

    An unexpected error occurred. To locate more details, see the Windows event logs on the controller being used or examine the Citrix Virtual Apps and Desktops logs.

New-AcctIdentity
December 4, 2024
Contributed by: 
C
December 4, 2024
Contributed by: 
C

In this article

Site feedback | Your privacy choices footer linkYour Privacy Choices | Privacy and legal terms | Cookie preferences | Consent settings | docs.cloud.com
© 1999- Cloud Software Group, Inc. All rights reserved.