Mar 162015
 

UPDATE:  I found trying to run this script through the Netscaler Gateway failed due to differences in the web pages.  I re-wrote the script so it will work internal directly to StoreFront, and externally with Netscaler Gateway.  The main caveat is that the wficalib.dll doesn’t allow you to logoff the session when going through the gateway.  I simply set it to look for any wfica32 processes prior to launching the application/desktop, compare that to the processes after launch, and kill the new process (disconnecting the session).  The script identifies the webpage as a gateway if */vpn/* is in the path.  I also set it to logoff of the Storefront/Gateway page when it ends the script.  If you were to run it back to back without logging off of the page it wouldn’t find what it is looking for initially and fail (because you’d probably already be logged on).  I may re-write this in the future with more functions to make it a bit shorter/cleaner, but as is it should work.
NOTE: I tested this with Netscaler 10.5… it may not work with previous versions as is, but if you read the script you should be able to figure out what needs to be changed.

I need to give credit to this Citrix blog post for getting me started.  This script will launch an application or desktop as a user you specify from the StoreFront web page, then send you an email to let you know if it was successful or not.

Variables you should edit:

In the send-results function
$smtpserver (line 19)
$msg.From (line 28)
$msg.to.Add (line 29)

In the main script (be sure to read the comments)
$username (line 84)
$passstring (line 86)
$resource (line 92)
$mask (line 94)
$wait (line 96)
$internetexplorer.visible (line 98)
$internetexplorer.navigate2 (line 99)

Requirements:
Powershell (x86)! – otherwise you cannot tie into the x86 dll for Receiver
(If you are going to the Netscaler Gateway it doesn’t matter which version as we won’t tie into the dll in that case)

Add the following to the registry if you are pointing to the internal StoreFront url – if you are pointing to the Netscaler Gateway it won’t matter
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\ICA Client\CCM]
“AllowLiveMonitoring”=dword:00000001
“AllowSimulationAPI”=dword:00000001

If you are running on an x86 machine change the registry path to exclude Wow6432Node, and change the path of the .dll on line 156 of the script to the correct path of the wficalib.dll.

Here is the script!

Contact me in in the channel David62277

Oct 312014
 

I have seen where PVS targets (mainly Desktop OS) will fail to activate via KMS after booting, and/or not get the proper group policy settings.  I think this is because PVS hasn’t released the network when Windows is trying to activate/update gpo (or something along those lines).  On top of this in my environment I have PvD and Random desktops booting off of the same vdisk image.  To fix this I created the script below, and setup a scheduled task to run at startup (using SYSTEM account).

Note: Using this script you can do a lot more than just slmgr /ato and gpupdate /force commands.  For instance if you have an antivirus service that you just want to start if the vdisk is in standard mode… you could just add a “start-service” command (of course you’d want that service to be set to manual).  Feel free to edit however it suits your environment.

Steps to implement:

  1. Start a maintenance version of your vdisk
  2. Logon to that desktop/server
  3. Open powershell_ise, or notepad
    1. Copy the script below and paste it
    2. Edit line 2 to be the FQDN of your domain
      Example: yourdomain.com
    3. Save it (remember where you saved it) – I just save mine to the root of C:\ to keep it simple
  4. Open Task Scheduler
    1. Right click on “Task Scheduler Library” and select “Create a Basic Task”
    2. Name your task and optionally add a description and click Next
    3. On the Task Trigger screen select “When the computer starts” and click Next
    4. On the Action screen click Next (Start a program should be selected by default)
    5. On the Start a Program Screen
      1. Type the path, or browse to powershell.exe (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
      2. in the Add arguments section:
        1. -executionpolicy unrestricted -file <path to the .ps1 file you just saved>
          Example: -executionpolicy unrestricted -file c:\startup.ps1
    6. Click Next
    7. Check “Open the Properties dialog for this task when I click Finish” and click Finish
    8. On the properties page click Change User or Group
      1. In the Select User or Group box type in “system” (no quotes) in the box and hit OK
      2. You should now see “NT AUTHORITY\SYSTEM” as the user account to run as
    9. Check the Run with highest privileges box, and click OK
  5. Perform any cleanup operations you typically do, run PvD inventory (if you use PvD), and shutdown the machine
  6. Place your vdisk into Test mode, and test away
  7. When satisfied set the vdisk to production


function startup {
while ((Test-Connection "fqdn of your domain ie: contoso.com" -count 1) -eq $null) {
Start-Sleep -Milliseconds 500
}
& cscript.exe c:\windows\system32\slmgr.vbs /ato
& gpupdate.exe /force
}
$p = gc c:\personality.ini
$r = (Get-ItemProperty registry::'HKLM\SOFTWARE\Citrix\personal vDisk\config').vhdmountpoint
if (($r -eq $null) -and (($p -like "*diskmode=p*") -or ($p -like "*writecachetype=0*"))) {
break
}
startup

Explanation of the script:

When executed it will get the content of c:\personality.ini and the value of REG_SZ vhdmountpoint.  If personality.ini contains diskmode=p or writecachetype=0 and vhdmountpoint value is blank/non-existent it will stop the script (this indicates the vdisk is in private or maintenance mode).

PvD – value of vhdmountpoint will not be blank, so even if for whatever reason the .ini file shows the disk in private/maintenance it will go on and run the function
Shared Random – value of vhdmountpoint will be blank, but the .ini should show diskmode=s and writecachetype=something other than 0 (depends on the mode), so it will also run the function.

If the break condition is not met (indicating the disk is in shared mode) then it will run the startup function.  This function tries to ping the fqdn of your domain 1 time.  If it gets a reply it will run the activation command, and gpupdate.  If it does not, it will wait half a second and try again… over and over until it gets a reply from the fqdn of your domain.

 

Sep 182014
 

I recently ran into an issue where Citrix Profile Manager was not catching all the files from a user installed Office Add-in. I found the path to the files and they were in %localappdata%\Apps\2.0. Even if I specifically added a policy to sync that folder it still did not get every file needed for the Add-in to work. After banging my head against the wall trying to get profile manager to handle it I decided to write a logoff script to “backup” that folder to the user’s home share at logoff, and a logon script to “restore” it at logon. That worked, but it delayed logon/logoff as those files were copied to/from the user profile.

On top of that issue, I also had the need to redirect Chrome and Firefox cache directories to user home shares as they were soon to be installed on our VDI image. Of course, you can do both without the script you are about to see (GPO in the case of Chrome, and an .ini file with Firefox). I just figured kill three birds with one stone.

The answer ended up being very simple. Junction points! For those of you who may not know a junction point (aka reparse point or symbolic link) is basically a shortcut that Windows treats as a folder. A normal shortcut to “\\server\share\path” on your desktop would show that path in the address bar if you clicked on it. A symbolic link would show C:\Users\<username>\Desktop\<name of the link>. This allows you to basically “redirect” a specific folder. For those of you who have a “crappy app” that points its data to %userprofile%\AppData\<path> instead of %AppData% and prevents you from redirecting AppData this may help you as well.

Now all I need is a logon script (powershell) to create these junction points.

Requirements for this script:
1. Users must have the “Create symbolic links” right (set in GPO)

2. Users must have a Home Folder (if they don’t you could simply rewrite the script to create a folder somewhere using $env:username in the path).

Detailed explanation of what this script does:
1. Sets the location to C:\ so when it calls cmd it won’t complain about the path (assuming the script is going to run from a network share)

2. Imports a .csv file with the information
This .csv file has headers “localpath”, “homepath”, and “LorR”
localpath = the folder within local or roaming appdata. If the path is down inside somewhere make sure you include the whole path. In my case I want to get %localappdata%\Apps\2.0, so the localpath would be “Apps\2.0”
homepath = the path in the users home directory where you want the files located. Same as localpath you don’t include the entire share path… just the path you want it to create inside the share.
LorR = local or roam – so the script knows where to put the junction points.

3. For each line in the .csv file calls a function that will:
a. Decide if the path is in local or roaming appdata (LorR)
b. Create the folder structure on the user’s home folder
c. Checks if the local folder already exists. If so, checks to see if it is already a junction (which it shouldn’t be). If the path is *2.0 (path to the Office Add-ins) it moves those files to the home folder, and creates the junction. If it is anything else it deletes the folder (would be user installed chrome/firefox cache directories), and creates the junction.

After running this at logon my user now shows this in %appdata%

If I open Mozilla it shows to be local, but it is actually pointing to my home folder

 

The only “issue” I have seen thus far is Chrome will warn that the cache is on a network share the first time it is launched.

Below is the powershell script. Feel free to edit it to fit your needs, and make sure you test thoroughly before implementing into any production environment.

http://pastebin.com/vALZ8y7Y

Jun 032014
 

I am in the process of building out a new XenApp environment for a customer, and was thinking… “It would be so nice to automate the ‘Configure and run discovery’ settings”. So how do you accomplish this? I know my service desk would appreciate it!

The answer is a custom “MMC”. Below are the steps to accomplish this.

 

Part 1: Create the custom MMC

  • Open up a 32bit MMC console (universally will work better and create less stress)
    • On 32 bit OS run “mmc”
    • On 64 bit OS run “mmc /32”

  •  Click File > Add/Remove Snap-in…

  •  Select the console you are going to push out to your users and add it to the “Selected snap-ins”
    • (In my case it is going to be AppCenter)

  •  Right Click on “XenApp”
    • Select “Configure and run discovery”

  •  Select the “Skip this screen in the future” box
    • Click Next

  •  Click on Add
    • For the server, I am going to pick my two XenApp Controllers
      • Depending on your setup, and where you are publishing this, you will need to pick the correct server(s)… (setting up a load balanced VIP on your NetScaler….  hmmm….)

  •  Click Next

  •  Check the box next to “Close this wizard when discovery is successful”

  •  Change the options of your new custom MMC console
    • Click on File > Options…

  •  In my case, I want to restrict access to areas of the tree
    • I am going to select “User mode – limited access, single window”

Below is an explanation of each option:

  • Author mode
    • Enables full customization of the snap-in console, including the ability to add or remove snap-ins, create new windows, create Favorites and taskpads, and access all the options of the Customize View and Options dialog boxes. Users creating a custom console file for themselves or others typically use this mode. The resulting snap-in console is usually saved in one of the user modes in this table.
  • User mode – full access
    • The same as author mode, except that users cannot add or remove snap-ins, change snap-in console options, create Favorites, or create taskpads.
  • User mode—limited access, multiple window
    • Provides access only to those parts of the tree that were visible when the console file was saved. Users can create new windows, but cannot close any existing windows.
  • User mode – limited access, single window
    • Provides access only to those parts of the tree that were visible when the console file was saved. Users cannot create new windows.

 

  •  Now we want to save our custom MMC
    • Click File > Save As…

  •  Save it where ever you would like. I am going to save mine to c:\custom mmc\AppCenter.mmc on each of my terminal servers.

 

 

Part 2: Publish the custom MMC

This section could be done a dozen different ways. I will show you how to publish out the mmc we just created as it being accessed directly from each server.

  • Select “Skip this screen in the future”
    • Click Next

  •  Enter in a Display name for your application
    • In my case I am using “Citrix AppCenter”

  •  Use the defaults
    • Application
      • Accessed from a server
        • Installed application

  •  Location to mmc.exe and the location of the custom mmc
    • Command Line:
      • c:\windows\system32\mmc.exe “c:\windows\system32\AppCenter.mmc”
    • Working directory:
      • c:\windows\system32
    • Click Next

  •  Click Add
    • Select the Servers or Worker Group that contains the servers you would like to publish out the mmc too.
      • Click Next

  •  Click Add
    • Add the users that need access to the mmc
      • Click Next

  •  Go to where your Citrix management console is installed (where the console is installed), and right click > properties
    • Then click on “Change Icon…”

  •  Copy out the location of the .ico

  • Go back to your application you are publishing and click “Chang icon…”

  • Click Browse
    • Input the location of the .ico file you just copied
      • Click OK

  •  Click Next

  •  Click Finish

You now have a management console that your admins will not have to configure for discovery!

May 302014
 

This will go over how to setup a single Access Gateway Vserver connecting to Multiple Domains using a single Pair of web interface servers.  This might sound confusing at first but in reality its pretty strait forward.  This article assumes that you already have some basic knowledge of how to setup netscaler and xenapp with WI in a single domain.

Environment  (LB is not required)

  1. Pair of Netscalers v10.1 in LB config.
  2. Pair of Web Interface 5.4 Servers with LB Vserver.
  3. Two AD Forests/Domains.
  4. A few STA servers (Doesn’t matter what domain they are on)
  5. A couple XA farms in Different domains (We are using XA6.5 and XA6)

Step 1

Configure the AD Polices on the NS.  There are many articles out there on how to do this.  The Top two in this list are my first domain and the 3rd one is the second domain.

 

Multidomain NS Step1

Step 2

Build your Vservers for WI and XML for each Domain.  It helps to have the xml servers for each farm on different ports to save IP address’s.  In this case I have three different farms specified.  The one on port 8888 and 8080 are on the same domain and the xml server setup on port 80 is the second domain.   I had to create a separate IP for the second domain as my WI vserver is also using port 80.  Again if you need help on how to build these their is plenty of articles out there on how to do it.

 

Multidomain Step2

Step 3.

Configure the AG Vserver to hit multple domains.  The NS will step through these in order of priority until it finds a matching username/password match.  If you have the same username/password combination on both domains it will always grab the one that has the lowest priority.  In this case the Top two Policies hit the first domain and the 3rd one hits the second domain.

 

MultiDomain Step3

Under the Published Applications Tab for the AG Vserver you need to configure some STA’s.  In my case I used the first domain/farm servers for STA’s.  I would make sure that all the STA’s belong to the same domain/farm.  You do not need to have a STA for each domain here.

 

MultiDomain STAs

Step 4.

On the WebInterface Servers configure a Xenapp site for Each Domain making sure to point to the XML Vserver’s created in Step2.  Make Sure you have each Site pointing back to the respective Vserver XML LB IP/port and configure it to point to your AG Vserver.   In this case the top Site is pointing to the Second Domain and the Second Site is pointing to the First domain.  For this it really doesn’t matter what domain

 

Multidomain WIConfig

 

For the Sta Config on the WI Servers I am using STA servers on the First domain even though the users are coming into the second domain.  All sites/domains should be setup with the same STA servers and they should match what your AG Vserver has configured for STA servers in Step 2.

MultiDomain WI_STA

Step 5.

Configure the AAA Policies and Profiles to hit the AG Vserver.  For this to work the AAA group name must match the AD group that the user is a member of.  In this Case the Second one down ASP_Access is my first Domain, and the one A_Access is the Second Domain.

MultiDomain Step4_1

Inside each AAA Group you have your Session policies that point to the specific URL/Domain.  Each Domain/AAA group should point back to a different Session policy

MultiDomain AAA_Config

Next we need to make sure the Session profile is pointed back to our WI Server site for that domain.  Make sure you have the corresponding  domain specified and the override global check boxes checked.  You will have to create one of these for each domain so that users from that domain hit the appropriate site.

MultiDomain AAA__ses_Profile

Step 6. Profit!!!

Once again if you have users that have the same username and password in multiple domains they will always get the lower priority domain.  If you have any questions feel free to jump on the channel and ask Splatone.

http://join.citrixirc.com

Patrick.

 

Jan 292014
 

 

I’m sure we are all familiar with the Shutdown Event Tracker. Hypervisor crash for “no reason”? Have a bunch of servers power down hard “by accident”? It happens to all of us. What’s annoying about this, specifically in a XenApp/RDS environment is the fact that when a regular user logs in they will see this message unless an administrator has already gone in and removed it.

Now, you could just remove it via GPO all together, but I’m not really a fan of that. I would think that this would be available for administrators only, and not regular users. The GPO supplied is a computer based GPO and does not allow that type of granularity. This is in Computer Configuration / Policies / System. As you can see it basically has no options for users.

Simple fix though. After about two seconds of troubleshooting I found that this tracker is controlled by c:\windows\system32\shutdown.exe. So, you could simply just take ownership of this file and remove users read access to this and that works fine. However, if you want to do this in some scale, you can setup a Software Restriction policy and apply it to your RDS/XenApp users. This is also pretty simple.

Drill down to User Configuration / Policies / Windows Settings / Software Restriction Policies. Go to Action and select “New Software Restriction Policy”.

This will create some new folders under Software Restriction Policies. Drill down to Additional Rules and right-click “New Path Rule”.

Simply type in the path and hit “ok”

Make sure this policy is applied only to non-admin users and not administrators. I have a large GPO that I apply to all regular users that access XenApp, so I simply applied it there. That’s about it. Now when your non-admin users’ login they will not be allowed to launch shutdown.exe, which in turn will stop the Shutdown Event Tracker from appearing.

You can validate this by running a command prompt as a regular user. They should be getting this message.

Have fun!

Jan 072014
 

I’m not going to go into the details about what Multi-Stream ICA (MSI) is in this article. I assume you already have a basic understanding of what this is and you are really just here to figure out how to configure it. If you do not, a great Citrix blog about Multi-Stream ICA has been written up here. In a nutshell Multi-Stream ICA allows you to break out different portions of Citrix traffic into dedicated TCP ports. The basic breakdown is below:

Enabling this on the Citrix side is pretty easy. We need to first enable Multi-Stream in a computer policy.

 

Then we need to setup the Multi-Port Policy. In this example I’m using 2599,2600,2601 for the other ports. The Default Port is the standard 2598 port for Session Reliability.

 

MSI requires Session Reliability to be enabled, so make sure you don’t have it disabled in a Computer Policy. I like to enable it so my other engineers know for a fact that it is enabled.

This takes care of the Citrix side. Not too much configuration there. The Cisco side gets a bit more involved. You do need to have a bit of knowledge on basic Cisco configuration and more specifically, an understanding of how QOS works, in general, and specifically how Cisco QOS works. Cisco has released an article here that talks in detail about how to implement MSI in a Cisco Enterprise environment. The Cisco document calls for mapping specific DiffServ classes to each MSI priority level. This is certainly the best practice when you want this to traverse a larger network with multiple hops. I’m going to post a simple example where you have Users—–RTR1—–RTR2—–Citrix. We will be using a 5Mbps Point to Point link between the 2 routers. In this setup we are going to define the ports, and assign bandwidth values to them.

First, you want to define the port groups. I will label these with Very High, High, Medium, Low (vh, h, m, l). All configurations need to be performed on both routers.

ip access-list extended citrix-vh
permit tcp any eq 2599 any
 
ip access-list extended citrix-h
permit tcp any eq 2598 any
 
ip access-list extended citrix-m
permit tcp any eq 2600 any
 
ip access-list extended citrix-l
permit tcp any eq 2601 any
 
Next we will define the Class-Maps.
 
class-map match-any citrix-vh
match access-group name citrix-vh
 
class-map match-any citrix-h
match access-group name citrix-h
 
class-map match-any citrix-m
match access-group name citrix-m
 
class-map match-any citrix-l
match access-group name citrix-l
 

Now that the variables are defined we move on to creating a queuing policy. Let’s assume we have 20 users. My main concern here is the “high” queue. At periods of congestion I want to make sure that the Screen/Keyboard/Mouse have enough bandwidth so users can continue to work and not have service degradation. Let’s say 20 users @ 50Kbps each = 1000Kbps. That’s about 25% of a 5 meg link, however we can give it a little wiggle room, so let’s bump that up to 35% (1.7Mbps). Keep in mind that this doesn’t LIMIT the bandwidth to 35%, it can use as much bandwidth as it wants until periods of congestion (link saturation) where it’s guaranteed the 35% of the bandwidth we configure. The medium and low queues which contain printing and file redirection aren’t as critical and I will set these to use 1Mbps during congestion (25%). Lastly, is the Very High queue. In my specific environments we don’t use too much audio, therefore I have set this to 15% of the link speed.

 

Keep in mind that your numbers and percentages will vary based on your use case and your amount of bandwidth available. Do you have a lot of users upload photos? Do you print a lot of large documents? Do you use a lot of real-time audio? You will need to evaluate your specific scenario and alter this example to fit your needs. You may also have existing QOS on your link and need to integrate this configuration. We have customers using SIP/RTP for voice on most of our links and I have integrated that into my configuration. I have removed that configuration for simplicities sake.

 

Here is the configuration for my policy map.

 
policy-map CITRIX-QUEUE
class citrix-vh
bandwidth percent 15
class citrix-h
bandwidth percent 35
class citrix-m
bandwidth percent 25
class citrix-l
bandwidth percent 25
class class-default
fair-queue
 

After this policy-map is configured we will need to embed this into a shaping policy to make sure the percentages line up with the available bandwidth. If you do not do this, QOS will assume the link speed of the interface which is generally 100/1000 Mbps. Obviously 25% of 100Mbps is more than the 5Mbps the link speed actually is. The below configuration will shape the bandwidth at the site to 4.9Mbps then apply the queue.

 
policy-map CITRIX-SHAPE
class class-default
shape average 4900000
service-policy CITRIX-QUEUE
 

After all is said and done you will need to apply this to the each end of the interface in an OUTBOUND direction.

 
interface FastEthernet4
service-policy output CITRIX-SHAPE
 

Make sure your configuration is working by doing a “show policy-map interface FastEthernet4”. The first example shows citrix-vh. You will want to make sure its incrementing packets under the “Match” area. You may see some drops (164), but this is normal. The second snip is class-default. If you have congestion on your link you will start to see drops on this class-map. In this example we have 143878 drops. This is a 5Mbps link and QOS is working great keeping non-critical traffic from starving my Citrix traffic.

 

Class-map: citrix-vh (match-any)
752287922 packets, 53798289807 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name citrix-vh
752287923 packets, 53798290067 bytes
5 minute rate 0 bps
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/164/0
(pkts output/bytes output) 752287754/53798175224
bandwidth 25% (1024 kbps)
 

Class-map: class-default (match-any)
315951400 packets, 75108131350 bytes
5 minute offered rate 94000 bps, drop rate 0 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops/flowdrops) 0/143878/0/143878
(pkts output/bytes output) 315807520/74835090017
Fair-queue: per-flow queue limit 16
 

Hope this helps you in your Citrix Multi-Stream ICA configurations. This is a pretty basic setup, but I hope this points you in the right direction to get started using this cool newish feature. I hope to write up a blog later on how this integrates with CloudBridge and how to use MSI in conjunction with that.

Apr 162013
 

 

Why Windows didn’t enable this feature in the built in GPOs is beyond me. Regardless, I needed a way to disable Windows Defender automatic scans to keep my hundreds of XenApp servers from running a scan at 2am and most likely crushing my storage infrastructure. So, what am I talking about here? How to disable this:

As you can see, the default GPOs do nothing for us.

So, how does this actually work? Well, when you configure this automatic scan, it creates a scheduled task, and writes a file in C:\Windows\System32\Tasks\Microsoft\Windows Defender\

Now, you can just delete the MP Scheduled Scan file, but this doesn’t remove the configuration from Windows Defender, so that won’t work. After a small bit of digging I found these registry keys in HKLM\Software\Microsoft\Windows Defender\Scan

The key in question here is “ScheduleDay” 0 = daily, and 1=Sunday, 2=Monday, etc. 8=off. So. Simple GPP configuration here to set the key to 8.

Do a GPUpdate /force and Viola! It has been removed from Scheduled Tasks, the file is gone, and its configuration removed from the Windows Defender GUI.

 

Apr 032013
 

Today I got stuck publishing apps that had icons in the %windir%\System32\ folder on the XenApp server.  There are a couple ways around this but my personal favorite is to reference sysnative.

So lets say your trying to publish the TS Licensing Manager, the exe only sits in the 64 bit OS Path on 2008r2

%windir%\system32\licmgr.exe

You try and fix up the icon and you get

iconbrowser bad

So to fix this we change the path to

%windir%\sysNative\licmgr.exe

and we get the icon.

iconbrowser good

For more information check out the following links:

http://msdn.microsoft.com/en-us/library/windows/desktop/aa384187(v=vs.85).aspx

http://www.brianmadden.com/blogs/videos/archive/2012/02/16/lie-to-me-using-built-in-windows-system-filter-in-virtual-desktops_2C00_-a-video-from-BriForum-2011.aspx

Apr 032013
 

So I like to have a group that can run every and all published application so I can login and at least smoke test them.

Thats far to much clicking for me, so powershell to the rescue.

Add-PSSnapIn citrix.xenapp.commands

$Groups="Revord\Citrix_Admins"

Get-XAApplication | foreach {Add-XAApplicationAccount $_.BrowserName $Groups}

Those 3 lines gets Citrix_Admins into EVERY published application, not to shabby.

Lets take it a bit further, you need to add say multiple groups, but only to a folder of published applications..

No problem..

$Groups="Revord\Citrix_Admins","Revord\Domain Users"

Get-XAApplication -FolderPath "Applications\Utils" | foreach {Add-XAApplicationAccount $_.BrowserName $Groups}

So in my environment all my MMC’s etc are published in the Applications\Utils path for readability.

But wait, what was I thinking, giving domain users access to all my published utilities!

No problem we can use the same trick in reverse to rid ourselves of those extra accounts.

$Groups="Revord\Domain Users"

Get-XAApplication -FolderPath "Applications\Util-Servers" | foreach {Remove-XAApplicationAccount $_.BrowserName $Groups}

Now there is a neat glitch, if you run these powershell commands with a actively running AppCenter you’ll need to select applications and hit F5 to refresh and actually see your changes did take effect.

 

Enjoy!

Ryan