Exclude a User or Group from a Citrix Delivery Group

I recently needed to find a way to exclude a group of users from a delivery group that was assigned to “Domain Users” without having to change who the group was targeting.  To do this, we will leverage a set of commands in the XenApp and XenDesktop PowerShell SDK.

In this scenario, a legacy delivery group is assigned to “Domain Users”. We then want to assign a new delivery group to specific user groups during the migration without having to change the legacy group's assignment, all while removing the legacy desktop icon from the groups that are migrated. This is where the “ExcludedUsers” parameter comes into play. See the examples below that illustrate how this works.

The user “test1” is only part of the “AllUsers” and “Domain Users” groups

The delivery group “XS Server 2016 PVS” is targeted for “Domain Users”

Another view of the delivery group showing the user restriction

StoreFront displays the desktop

From the delivery controller, run the following command to verify that the exclusion is not currently set:
>Get-BrokerAccessPolicyRule -DesktopGroupName "XS Server 2016 PVS"

Set the exclusion for the AD group “Server2016” on both access policy rules of the delivery group:
>Set-BrokerAccessPolicyRule -Name "XS Server 2016 PVS_Direct" -ExcludedUserFilterEnabled $True
>Set-BrokerAccessPolicyRule -Name "XS Server 2016 PVS_Direct" -ExcludedUsers "shilllabs\server2016"
>Set-BrokerAccessPolicyRule -Name "XS Server 2016 PVS_AG" -ExcludedUserFilterEnabled $True
>Set-BrokerAccessPolicyRule -Name "XS Server 2016 PVS_AG" -ExcludedUsers "shilllabs\server2016"

From the delivery controller, run the same command again to verify that the exclusion is now set for the AD group “Server2016”:
>Get-BrokerAccessPolicyRule -DesktopGroupName "XS Server 2016 PVS"

After this value is set from the CLI, the GUI will display the message below, since this cannot be configured via the GUI at this time

Add the test1 user to the “Server2016” group

Logging into StoreFront again shows that the user no longer has access to the desktop
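
The verification step above can be scripted so that every access policy rule of the delivery group is checked at once, since an exclusion applied to only one of the `_Direct` / `_AG` rules leaves the other rule still granting access. This is an added example, not part of the original post; the function name `Test-ExclusionCoverage` is hypothetical, and it assumes the Citrix Broker snap-in is loaded and that each `ExcludedUsers` entry exposes a `Name` in `DOMAIN\name` form.

```powershell
# Added example (not from the original post). Run on a delivery controller
# after loading the Citrix snap-ins, e.g. Add-PSSnapin Citrix*
$DesktopGroup  = 'XS Server 2016 PVS'     # delivery group used in the post
$ExpectedGroup = 'shilllabs\server2016'   # AD group that must be excluded

function Test-ExclusionCoverage {         # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$DesktopGroupName,
        [Parameter(Mandatory)][string]$Excluded
    )
    foreach ($rule in Get-BrokerAccessPolicyRule -DesktopGroupName $DesktopGroupName) {
        # Assumption: ExcludedUsers entries expose Name as DOMAIN\name
        $names  = @($rule.ExcludedUsers | ForEach-Object { $_.Name })
        $listed = $names -contains $Excluded   # -contains is case-insensitive

        # A populated ExcludedUsers list is ignored while the filter is disabled,
        # so both conditions must hold for the exclusion to take effect.
        $status = if (-not $rule.Enabled) {
            'RuleDisabled'
        } elseif ($listed -and $rule.ExcludedUserFilterEnabled) {
            'Enforced'
        } elseif ($listed) {
            'ListedButFilterOff'
        } else {
            'NotExcluded'
        }

        [pscustomobject]@{
            Rule               = $rule.Name
            AllowedConnections = $rule.AllowedConnections
            FilterEnabled      = $rule.ExcludedUserFilterEnabled
            ExcludedUsers      = $names -join '; '
            Status             = $status
        }
    }
}

$report = @(Test-ExclusionCoverage -DesktopGroupName $DesktopGroup -Excluded $ExpectedGroup)
$report | Format-Table -AutoSize

# Any enabled rule without an enforced exclusion is still an open access path.
$gaps = @($report | Where-Object { $_.Status -notin 'Enforced', 'RuleDisabled' })
if ($gaps.Count -gt 0) {
    Write-Warning ("{0} rule(s) still grant access to members of {1}: {2}" -f
        $gaps.Count, $ExpectedGroup, ($gaps.Rule -join ', '))
}
```

Run it again after the reversal commands: every rule should then report `NotExcluded`.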

 

The settings can be reversed with the following commands:
>Set-BrokerAccessPolicyRule -Name "XS Server 2016 PVS_Direct" -ExcludedUserFilterEnabled $False
>Set-BrokerAccessPolicyRule -Name "XS Server 2016 PVS_Direct" -RemoveExcludedUsers "shilllabs\server2016"
>Set-BrokerAccessPolicyRule -Name "XS Server 2016 PVS_AG" -ExcludedUserFilterEnabled $False
>Set-BrokerAccessPolicyRule -Name "XS Server 2016 PVS_AG" -RemoveExcludedUsers "shilllabs\server2016"

 

Read more information on these SDK commands here:

https://developer-docs.citrix.com/projects/delivery-controller-sdk/en/latest/Broker/Get-BrokerAccessPolicyRule/

https://developer-docs.citrix.com/projects/delivery-controller-sdk/en/latest/Broker/Set-BrokerAccessPolicyRule/

 

Hope you found this helpful and thanks for reading.
-Shane

 
