A common configuration change that you might need to make on a XenDesktop farm is to change which users/groups are assigned to which desktop groups. For example, a new employee is hired, they need a virtual desktop, so you need to add their Active Directory account to an existing desktop group. Alternatively, you can add their Active Directory account to an Active Directory group, and then add the Active Directory group to the desktop group if it’s not already present.

This blog will cover how to add Active Directory users and groups to a desktop group using a PowerShell script. This script will have a similar structure to the script on adding new virtual desktops to a desktop group explained in the previous blog.

This is the seventh blog in a series on how to use the XenDesktop 4 PowerShell SDK. In the first blog, I provided info on how to set up your XenDesktop PowerShell environment so that you could run these scripts. If you haven’t done that yet, please visit that article first. For a complete list of topics that I will be covering in this blog series, see the bottom of this article.

Script Goals
The goal of the script is pretty simple – to add an Active Directory user and group to an existing desktop group. The process for doing them both is almost identical, so I will show how to do both within the same script.

The screen shot below shows the current users that I have configured for a desktop group called “Windows XP”. We are going to add a new user called “CITRIXLAB\User2” and a new group called “CITRIXLAB\XenDesktop Users” to this desktop group as part of the PowerShell script.

PowerShell script for adding Active Directory users and groups to a desktop group
The sample script below demonstrates how to add Active Directory users and groups to a desktop group.

#********************************************************************
#Add an Active Directory user/group to an existing desktop group
#********************************************************************

#Add the XenDesktop snap-in to the current PowerShell session
Add-PSSnapin "XdCommands"

#Set up variables for the script
$strDDCAddress = "10.10.10.56"
$strDesktopGroupName = "Windows XP"
$strUserAccountName = "CITRIXLAB\User2"
$strUserGroupName = "CITRIXLAB\XenDesktop Users"

#Get a particular desktop group
$xdgroup = Get-XdDesktopGroup -Name $strDesktopGroupName -AdminAddress $strDDCAddress -HostingDetails

#Get the AD user that you want to add.  This user needs to exist within Active Directory.
$xduser1 = New-XdUser -Name $strUserAccountName

#Get the AD group that you want to add.  This group needs to exist within Active Directory.
$xduser2 = New-XdUser -Name $strUserGroupName -Group

#Add the AD user and group to the desktop group
$xdgroup.Users.Add($xduser1)
$xdgroup.Users.Add($xduser2)

#Apply the change to the DDC
Set-XdDesktopGroup $xdgroup

#Verify the update
echo $xdgroup.Users

After executing the script, you can open the Delivery Services Console and verify that the users and groups have been added to the desktop group:

Analyzing the PowerShell Script
This PowerShell script is among the simpler ones that we’ve seen within this blog series. This one starts out like many of the others. You use the Get-XdDesktopGroup cmdlet to get a reference to the desktop group.

You then use the New-XdUser cmdlet to get a reference to the Active Directory user or group that you want to add to the desktop group. There are a couple of things to notice about this cmdlet. First, the difference between requesting a user account or group is the use of the -Group flag. Second, for this cmdlet to successfully execute, the user or group specified needs to exist within Active Directory. If the cmdlet can’t find that account, it’ll report an error as such. So if you run this command and it goes through without error, you’ll know right away that the cmdlet worked properly. Feel free to also echo the $xduser1 or $xduser2 variable to verify that it worked.

Next, use the Add() method of the $xdgroup.Users collection to add the Active Directory user/group to the desktop group. Finally, use the Set-XdDesktopGroup cmdlet to commit the change back to the Desktop Delivery Controller (DDC).

If you have been following this blog series from the beginning, you may have started noticing the pattern on how to make updates to the XenDesktop settings via PowerShell.
(1) Get a reference to the XenDesktop object that you are looking to update (XdDesktopGroup in this example to update a desktop group setting).
(2) Update the properties of the XenDesktop object (the Users collection in this example to add new users/groups to the desktop group)
(3) Commit the change back to the Desktop Delivery Controller by using the appropriate set cmdlet (Set-XdDesktopGroup in this example for updating the desktop group settings)
(4) Verify the update worked properly by echoing the XenDesktop object setting that was updated, or by viewing the configuration within the XenDesktop Delivery Services Console.
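
The four-step pattern above wrapped in a function that fails closed, as an added example that is not part of the original post: every account is resolved with New-XdUser before anything is changed, so a mistyped or missing account stops the script instead of committing a partial update. Add-XdGroupMember and its parameter names are hypothetical; the XenDesktop calls are the same ones used in the script above.

```powershell
# Added example (not from the original post). Add-XdGroupMember is a
# hypothetical helper; it only uses the cmdlets shown in the script above.
Add-PSSnapin "XdCommands"

function Add-XdGroupMember {
    param(
        [string]$DDCAddress,
        [string]$DesktopGroupName,
        [string[]]$UserNames = @(),
        [string[]]$GroupNames = @()
    )

    # (1) Get a reference to the desktop group; stop if it cannot be read
    $xdgroup = Get-XdDesktopGroup -Name $DesktopGroupName -AdminAddress $DDCAddress -HostingDetails -ErrorAction Stop
    if (-not $xdgroup) { throw "Desktop group '$DesktopGroupName' not found on $DDCAddress" }

    # Resolve every account before touching the group. New-XdUser reports an
    # error when the account is not in Active Directory; -ErrorAction Stop
    # makes that error terminating, so nothing below runs on a bad name.
    $resolved = @()
    foreach ($name in $UserNames)  { $resolved += New-XdUser -Name $name -ErrorAction Stop }
    foreach ($name in $GroupNames) { $resolved += New-XdUser -Name $name -Group -ErrorAction Stop }

    # (2) Update the Users collection on the local object
    foreach ($account in $resolved) { [void]$xdgroup.Users.Add($account) }

    # (3) Commit the change back to the DDC in a single call
    Set-XdDesktopGroup $xdgroup -ErrorAction Stop

    # (4) Verify against the DDC itself, not the local copy that was edited
    $after = Get-XdDesktopGroup -Name $DesktopGroupName -AdminAddress $DDCAddress -HostingDetails -ErrorAction Stop
    return $after.Users
}

# Same values as the script above
try {
    Add-XdGroupMember -DDCAddress "10.10.10.56" -DesktopGroupName "Windows XP" `
        -UserNames "CITRIXLAB\User2" -GroupNames "CITRIXLAB\XenDesktop Users"
}
catch {
    Write-Error "Desktop group was not updated: $_"
}
```

Re-reading the group in step (4) shows the assignment list as the DDC stores it, which is the list to keep when you need a record of who was granted a desktop.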

Wrap-up
This article explains how to add a new Active Directory user or group to an existing XenDesktop desktop group via PowerShell. This might be a common action as part of the on-boarding process for new company employees. Similarly, as employees leave the company a similar script can be used to remove Active Directory users/groups from the desktop group. Just use the Remove() method of the $xdgroup.Users collection to remove users/groups from the desktop group.

In the next blog, we will look at using PowerShell to shut down and restart a virtual desktop session. Stay tuned!

Upcoming TechTalk
I will be leading a TechTalk with Mike Bogobowicz on Essentials for using Windows PowerShell with XenApp and XenDesktop on Tuesday, August 24 from 2pm to 3pm EST. If you are interested in learning more about these SDKs first hand and want to see the demos in action, you can sign up here. Feel free to also check out Mike’s blog on XenApp 6 PowerShell scripting here. We hope to see you at the TechTalk!

Blogs in this series

Ed York – Senior Architect – Worldwide Technical Readiness
Ask-the-Architect Site: http://community.citrix.com/p/product-automation#home
Follow Me on twitter: http://twitter.com/citrixedy