As demonstrated in one of my previous posts for XenDesktop 5.6:
Using PowerCLI to create new role and assign service account used by Citrix XenDesktop 5.6 permissions for vCenter Server 5.1
https://blog.terenceluk.com/2013/04/using-powercli-to-create-new-role-and_9.html
… you can use PowerCLI to create, configure and assign the role required for the XenDesktop service account to access vCenter. This post serves as an update for Citrix XenDesktop and XenApp 7.x environments.
The permissions required for the service account that XenDesktop / XenApp uses to connect to vSphere vCenter can be found at the following URL:
http://support.citrix.com/proddocs/topic/xenapp-xendesktop-76/xad-install-prep-host-vmware.html
The following are the permissions to set for the role if this were to be done manually:
Datastore
- Allocate Space
- Browse Datastore
- Low level file operations
Global
- Manage custom attributes
- Set custom attribute
Network
- Assign Network
Resource
- Assign virtual machine to resource pool
Tasks
- Create task
Virtual Machine > Configuration
- Add or remove device
- Add existing disk
- Add new disk
- Advanced
- Change CPU Count
- Memory
- Remove disk
- Change resource
- Settings
Virtual Machine > Interaction
- Power Off
- Power On
- Reset
- Suspend
Virtual Machine > Inventory
- Create from existing
- Create new
- Register
- Remove
Virtual Machine > Provisioning
- Allow disk access
- Allow virtual machine download
- Allow virtual machine files upload
- Clone virtual machine
- Deploy template
- Mark as virtual machine
Virtual Machine > Snapshot Management
- Create snapshot
- Remove Snapshot
- Revert Snapshot
The cmdlets to execute to automatically create a role named XenApp Service and assign the permissions listed above are as follows:
$priv = Get-VIPrivilege -Id Datastore.AllocateSpace,Datastore.Browse,Datastore.FileManagement,Network.Assign,Resource.AssignVMToPool,Task.Create,VirtualMachine.Config.AddRemoveDevice,VirtualMachine.Config.AddExistingDisk,VirtualMachine.Config.AddNewDisk,VirtualMachine.Config.AdvancedConfig,VirtualMachine.Config.CPUCount,VirtualMachine.Config.Memory,VirtualMachine.Config.RemoveDisk,VirtualMachine.Config.Resource,VirtualMachine.Config.Settings,VirtualMachine.Interact.PowerOff,VirtualMachine.Interact.PowerOn,VirtualMachine.Interact.Reset,VirtualMachine.Interact.Suspend,VirtualMachine.Inventory.Create,VirtualMachine.Inventory.CreateFromExisting,VirtualMachine.Inventory.Delete,VirtualMachine.Inventory.Register,VirtualMachine.Provisioning.Clone,VirtualMachine.Provisioning.DiskRandomAccess,VirtualMachine.Provisioning.GetVmFiles,VirtualMachine.Provisioning.PutVmFiles,VirtualMachine.Provisioning.DeployTemplate,VirtualMachine.Provisioning.MarkAsVM,VirtualMachine.State.CreateSnapshot,VirtualMachine.State.RemoveSnapshot,VirtualMachine.State.RevertToSnapshot,Global.ManageCustomFields,Global.SetCustomField
New-VIRole -Name "XenApp Service" -Privilege $priv
With the role created, you can execute the following cmdlets to assign the role to the domain service account on the vCenter object (topmost level):
$rootFolder = Get-Folder -NoRecursion
$myPermission = New-VIPermission -Entity $rootFolder -Principal "NetBIOSdomainName\svc_XenDesktop" -Role "XenApp Service" -Propagate:$true
Note that the cmdlets above were tested with Citrix XenDesktop 7.6 and vCenter 5.1.0 Build 1364037.
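Because the role is granted at the topmost level with propagation, it is worth checking periodically that it still holds exactly the privileges listed above. The following is an added example, not part of the original post: `Compare-RolePrivilege` is a hypothetical helper name, and the `$actual` list is a constructed sample so the comparison runs without a vCenter connection.

```powershell
# Privilege IDs taken from the Get-VIPrivilege call in the post.
$expected = @(
    'Datastore.AllocateSpace','Datastore.Browse','Datastore.FileManagement',
    'Network.Assign','Resource.AssignVMToPool','Task.Create',
    'VirtualMachine.Config.AddRemoveDevice','VirtualMachine.Config.AddExistingDisk',
    'VirtualMachine.Config.AddNewDisk','VirtualMachine.Config.AdvancedConfig',
    'VirtualMachine.Config.CPUCount','VirtualMachine.Config.Memory',
    'VirtualMachine.Config.RemoveDisk','VirtualMachine.Config.Resource',
    'VirtualMachine.Config.Settings','VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.PowerOn','VirtualMachine.Interact.Reset',
    'VirtualMachine.Interact.Suspend','VirtualMachine.Inventory.Create',
    'VirtualMachine.Inventory.CreateFromExisting','VirtualMachine.Inventory.Delete',
    'VirtualMachine.Inventory.Register','VirtualMachine.Provisioning.Clone',
    'VirtualMachine.Provisioning.DiskRandomAccess','VirtualMachine.Provisioning.GetVmFiles',
    'VirtualMachine.Provisioning.PutVmFiles','VirtualMachine.Provisioning.DeployTemplate',
    'VirtualMachine.Provisioning.MarkAsVM','VirtualMachine.State.CreateSnapshot',
    'VirtualMachine.State.RemoveSnapshot','VirtualMachine.State.RevertToSnapshot',
    'Global.ManageCustomFields','Global.SetCustomField'
)

function Compare-RolePrivilege {   # hypothetical helper, not a PowerCLI cmdlet
    param([string[]]$Expected, [string[]]$Actual)
    # vCenter includes these three system privileges in every role; they are not drift.
    $implicit = 'System.Anonymous','System.Read','System.View'
    $missing = @($Expected | Where-Object { $_ -and $_ -notin $Actual })
    $extra   = @($Actual   | Where-Object { $_ -and $_ -notin $Expected -and $_ -notin $implicit })
    [pscustomobject]@{
        Missing   = $missing      # expected by the post, absent from the role
        Extra     = $extra        # present on the role, not in the post's list
        Compliant = ($missing.Count -eq 0 -and $extra.Count -eq 0)
    }
}

# Constructed sample of a drifted role: one privilege dropped, one added by hand.
$actual = @($expected | Where-Object { $_ -ne 'Task.Create' }) +
          @('VirtualMachine.Interact.ConsoleInteract','System.Anonymous','System.Read','System.View')
Compare-RolePrivilege -Expected $expected -Actual $actual

# Against a live vCenter (after Connect-VIServer), feed in the real role instead:
#   Compare-RolePrivilege -Expected $expected -Actual (Get-VIRole -Name 'XenApp Service').PrivilegeList
# and list every place the role is granted, with its propagation flag:
#   Get-VIPermission | Where-Object { $_.Role -eq 'XenApp Service' } | Select-Object Entity, Principal, Propagate
```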