I recently needed to find a way to exclude a group of users from a delivery group that was assigned to “Domain Users” without having to change who the group was targeting. To do this, we will leverage a set of commands in the XenApp and XenDesktop PowerShell SDK.
In this scenario, a legacy delivery group is assigned to “Domain Users”. We then want to assign a new delivery group to specific user groups during the migration without having to change the legacy group's assignment, all while removing the legacy desktop icon from the groups that are migrated. This is where the “ExcludedUsers” parameter comes into play. See the examples below that illustrate how this works.
The user “test1” is only part of the “AllUsers” and “Domain Users” groups
The delivery group “XS Server 2016 PVS” is targeted for “Domain Users”
Another view of the delivery group showing the user restriction
StoreFront displays the desktop
From the delivery controller, run the following command to verify the exclusion is not currently set:
>Get-BrokerAccessPolicyRule -DesktopGroupName "XS Server 2016 PVS"
Set the exclusion for the AD group “Server2016”
>Set-BrokerAccessPolicyRule -name "XS Server 2016 PVS_Direct" -ExcludedUserFilterEnabled $True
>Set-BrokerAccessPolicyRule -name "XS Server 2016 PVS_Direct" -ExcludedUsers "shilllabs\server2016"
>Set-BrokerAccessPolicyRule -name "XS Server 2016 PVS_AG" -ExcludedUserFilterEnabled $True
>Set-BrokerAccessPolicyRule -name "XS Server 2016 PVS_AG" -ExcludedUsers "shilllabs\server2016"
From the delivery controller, run the following command to verify the exclusion is now set for the AD group “Server2016”:
>Get-BrokerAccessPolicyRule -DesktopGroupName "XS Server 2016 PVS"
After this value is set from the CLI, the GUI will display the message below since this cannot be configured via GUI at this time
Add the test1 user to the “Server2016” group
Logging into StoreFront again shows that the user no longer has access to the desktop
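The verification step above can also be scripted across every access policy rule of the delivery group, because the exclusion only takes effect on a rule where the group is listed and the excluded-user filter is enabled, and the _Direct and _AG rules are set separately. This is an added example, not part of the original post; the function name Test-ExclusionCoverage and the sample objects are hypothetical, and it assumes each ExcludedUsers entry exposes a Name property in DOMAIN\group form.

```powershell
# Added example: reports, per access policy rule, whether a group is effectively excluded.
function Test-ExclusionCoverage {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Rule,
        [Parameter(Mandatory)] [string] $Group
    )
    process {
        # Collect the names on this rule's exclusion list (empty when none are set).
        # Assumption: each entry has a Name property such as 'SHILLLABS\server2016'.
        $names   = @(foreach ($u in $Rule.ExcludedUsers) { $u.Name })
        $listed  = $names -contains $Group          # string comparison is case-insensitive
        $enabled = [bool]$Rule.ExcludedUserFilterEnabled

        [pscustomobject]@{
            Rule          = $Rule.Name
            FilterEnabled = $enabled
            GroupListed   = $listed
            # A populated list is ignored while the filter is disabled.
            Effective     = ($enabled -and $listed)
        }
    }
}

# Constructed sample objects that mimic the properties returned by
# Get-BrokerAccessPolicyRule; the _AG rule is deliberately left unconfigured.
$sample = @(
    [pscustomobject]@{
        Name                      = 'XS Server 2016 PVS_Direct'
        ExcludedUserFilterEnabled = $true
        ExcludedUsers             = @([pscustomobject]@{ Name = 'SHILLLABS\server2016' })
    }
    [pscustomobject]@{
        Name                      = 'XS Server 2016 PVS_AG'
        ExcludedUserFilterEnabled = $false
        ExcludedUsers             = @()
    }
)

$sample | Test-ExclusionCoverage -Group 'shilllabs\server2016' | Format-Table -AutoSize

# On a delivery controller with the SDK loaded, feed it the real rules instead
# and list only the rules that still grant access:
# Get-BrokerAccessPolicyRule -DesktopGroupName 'XS Server 2016 PVS' |
#     Test-ExclusionCoverage -Group 'shilllabs\server2016' |
#     Where-Object { -not $_.Effective }
```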
The settings can be reversed with the following commands
>Set-BrokerAccessPolicyRule -name "XS Server 2016 PVS_Direct" -ExcludedUserFilterEnabled $False
>Set-BrokerAccessPolicyRule -name "XS Server 2016 PVS_Direct" -RemoveExcludedUsers "shilllabs\server2016"
>Set-BrokerAccessPolicyRule -name "XS Server 2016 PVS_AG" -ExcludedUserFilterEnabled $False
>Set-BrokerAccessPolicyRule -name "XS Server 2016 PVS_AG" -RemoveExcludedUsers "shilllabs\server2016"
Read more information on these SDK commands here:
Hope you found this helpful and thanks for reading.
-Shane