Using PowerCLI to create new role and assign service account used by Citrix XenDesktop & XenApp 7.x service account permissions for vCenter Server 5.1 and 5.5

As demonstrated in one of my previous posts for XenDesktop 5.6:

Using PowerCLI to create new role and assign service account used by Citrix XenDesktop 5.6 permissions for vCenter Server 5.1

https://blog.terenceluk.com/2013/04/using-powercli-to-create-new-role-and_9.html

… you can use PowerCLI to create, configure and assign the role required for the XenDesktop service account to access vCenter. This post serves as an update for Citrix XenDesktop and XenApp 7.x environments.

The permissions required for the service account that XenDesktop / XenApp uses to connect to vSphere vCenter can be found at the following URL:

http://support.citrix.com/proddocs/topic/xenapp-xendesktop-76/xad-install-prep-host-vmware.html

The following are the permissions to set for the role if this were done manually:

Datastore

  • Allocate Space
  • Browse Datastore
  • Low level file operations

Global

  • Manage custom attributes
  • Set custom attribute

Network

  • Assign Network

Resource

  • Assign virtual machine to resource pool

Tasks

  • Create task

Virtual Machine > Configuration

  • Add or remove device
  • Add existing disk
  • Add new disk
  • Advanced
  • Change CPU Count
  • Memory
  • Remove disk
  • Change resource
  • Settings

Virtual Machine > Interaction

  • Power Off
  • Power On
  • Reset
  • Suspend

Virtual Machine > Inventory

  • Create from existing
  • Create new
  • Register
  • Remove

Virtual Machine > Provisioning

  • Allow disk access
  • Allow virtual machine download
  • Allow virtual machine files upload
  • Clone virtual machine
  • Deploy template
  • Mark as virtual machine

Virtual Machine > Snapshot Management

  • Create snapshot
  • Remove Snapshot
  • Revert Snapshot

The cmdlets to execute to automatically create a role named XenApp Service and assign the permissions listed above are as follows:

$priv = Get-VIPrivilege -ID Datastore.AllocateSpace,Datastore.Browse,Datastore.FileManagement,Network.Assign,Resource.AssignVMToPool,Task.Create,VirtualMachine.Config.AddRemoveDevice,VirtualMachine.Config.AddExistingDisk,VirtualMachine.Config.AddNewDisk,VirtualMachine.Config.AdvancedConfig,VirtualMachine.Config.CPUCount,VirtualMachine.Config.Memory,VirtualMachine.Config.RemoveDisk,VirtualMachine.Config.Resource,VirtualMachine.Config.Settings,VirtualMachine.Interact.PowerOff,VirtualMachine.Interact.PowerOn,VirtualMachine.Interact.Reset,VirtualMachine.Interact.Suspend,VirtualMachine.Inventory.Create,VirtualMachine.Inventory.CreateFromExisting,VirtualMachine.Inventory.Delete,VirtualMachine.Inventory.Register,VirtualMachine.Provisioning.Clone,VirtualMachine.Provisioning.DiskRandomAccess,VirtualMachine.Provisioning.GetVmFiles,VirtualMachine.Provisioning.PutVmFiles,VirtualMachine.Provisioning.DeployTemplate,VirtualMachine.Provisioning.MarkAsVM,VirtualMachine.State.CreateSnapshot,VirtualMachine.State.RemoveSnapshot,VirtualMachine.State.RevertToSnapshot,Global.ManageCustomFields,Global.SetCustomField

New-VIRole -Name "XenApp Service" -Privilege $priv

With the role created, you can execute the following cmdlets to assign the domain service account to the vCenter object (topmost level) with the role created above:

$rootFolder = Get-Folder -NoRecursion

$myPermission = New-VIPermission -Entity $rootFolder -Principal "NetBIOSdomainName\svc_XenDesktop" -Role "XenApp Service" -Propagate:$true

Note that the cmdlets above were tested with Citrix XenDesktop 7.6 and vCenter 5.1.0 Build 1364037.
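
To confirm the role still matches the privilege list in this post and to see where it is granted, the following check can be run afterwards. It is an added example and not part of the original post; it assumes an existing Connect-VIServer session and the role name XenApp Service, and the function name Compare-RolePrivilege is hypothetical.

```powershell
# Added example: audit the role against the privilege IDs listed in this post.
# Assumes a connected session (Connect-VIServer) and the role name used above.
$roleName = 'XenApp Service'
$expected = @(
    'Datastore.AllocateSpace', 'Datastore.Browse', 'Datastore.FileManagement',
    'Network.Assign', 'Resource.AssignVMToPool', 'Task.Create',
    'VirtualMachine.Config.AddRemoveDevice', 'VirtualMachine.Config.AddExistingDisk',
    'VirtualMachine.Config.AddNewDisk', 'VirtualMachine.Config.AdvancedConfig',
    'VirtualMachine.Config.CPUCount', 'VirtualMachine.Config.Memory',
    'VirtualMachine.Config.RemoveDisk', 'VirtualMachine.Config.Resource',
    'VirtualMachine.Config.Settings', 'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.PowerOn', 'VirtualMachine.Interact.Reset',
    'VirtualMachine.Interact.Suspend', 'VirtualMachine.Inventory.Create',
    'VirtualMachine.Inventory.CreateFromExisting', 'VirtualMachine.Inventory.Delete',
    'VirtualMachine.Inventory.Register', 'VirtualMachine.Provisioning.Clone',
    'VirtualMachine.Provisioning.DiskRandomAccess', 'VirtualMachine.Provisioning.GetVmFiles',
    'VirtualMachine.Provisioning.PutVmFiles', 'VirtualMachine.Provisioning.DeployTemplate',
    'VirtualMachine.Provisioning.MarkAsVM', 'VirtualMachine.State.CreateSnapshot',
    'VirtualMachine.State.RemoveSnapshot', 'VirtualMachine.State.RevertToSnapshot',
    'Global.ManageCustomFields', 'Global.SetCustomField'
)
# vCenter includes these system privileges in every role, so they are not drift.
$implicit = 'System.Anonymous', 'System.Read', 'System.View'

# Hypothetical helper: returns privileges missing from, or extra to, the expected set.
function Compare-RolePrivilege {
    param([string[]]$Expected, [string[]]$Actual, [string[]]$Ignore = @())
    $filtered = @($Actual | Where-Object { $Ignore -notcontains $_ })
    New-Object psobject -Property @{
        Missing = @($Expected | Where-Object { $filtered -notcontains $_ })
        Extra   = @($filtered | Where-Object { $Expected -notcontains $_ })
    }
}

$role   = Get-VIRole -Name $roleName -ErrorAction Stop
$result = Compare-RolePrivilege -Expected $expected -Actual $role.PrivilegeList -Ignore $implicit

if ($result.Missing) { Write-Warning "Missing from role: $($result.Missing -join ', ')" }
if ($result.Extra)   { Write-Warning "Extra privileges on role: $($result.Extra -join ', ')" }
if (-not $result.Missing -and -not $result.Extra) {
    "Role '$roleName' matches the privilege list in this post."
}

# Show every object the role is granted on, to whom, and whether it propagates.
Get-VIPermission | Where-Object { $_.Role -eq $roleName } |
    Select-Object Entity, Principal, Propagate, IsGroup
```

Any entry reported as extra is a privilege the service account holds beyond the set listed above and is worth reviewing before the role is reused for other accounts.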