
locked down admin permissions preventing powershell commands


Question

Apologies up front if this has been covered - can't find anything that seems related with a search :(

 

Our 1st line Desktop support team use a PowerShell script to provision new statically assigned VDIs in XenDesktop 7.6.

I am now working on a transition to XenDesktop 7.15 LTSR for Windows 10 VDIs.

I have adapted the script to cater for the new environment and it works fine for me as a full admin.

However, we want to apply appropriate locked down permissions to the 1st line guys. I have got them to test adding a machine manually to the machine catalog and then into the delivery group. All works fine. But when they try to do the same using a PowerShell script it fails with the following error (this is the log output from the script):

 


Starting the process of importing the new machine to Citrix
         - Starting the import to Citrix for newmachinename
         - Adding newmachinename to the correct Machine catalog
New-BrokerMachine : Insufficient administrative privilege
At \\companyfilesharelocation\VDI-CreateVM-Win10.ps1:49 char:12
+                                             New-BrokerMachine -MachineName $FullADName -CatalogUid $CatalogUid -H ...
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (:) [New-BrokerMachine], SdkOperationException
    + FullyQualifiedErrorId : Citrix.XDPowerShell.Broker.AccessDenied,Citrix.Broker.Admin.SDK.NewBrokerMachineCommand
 
    

 

Any ideas?... I know this is bound to be something simple! :(

Thanks in advance :)

On 6/10/2019 at 6:08 AM, Ganesh Raju said:

Did you try solutions stated in this article - https://support.citrix.com/article/CTX218500?

Yes - not relevant to this particular issue...

I have worked out it is down to scopes, not the rights themselves. Although a locked down admin can manage MC and DG from the GUI, they cannot manage them from PowerShell unless the scope includes the DDCs! - weird!

Edit: I should add that I also found the scope had to include the DG where the script is provisioned as a published app! :(

On 6/11/2019 at 3:16 PM, David Flint-Johnson1709156560 said:

Yes - not relevant to this particular issue...

I have worked out it is down to scopes, not the rights themselves. Although a locked down admin can manage MC and DG from the GUI, they cannot manage them from PowerShell unless the scope includes the DDCs! - weird!

Edit: I should add that I also found the scope had to include the DG where the script is provisioned as a published app! :(

 

Running version 2106

How do you include the DDCs in a Scope? The only possible objects when creating a new scope are Delivery Groups and Machine Catalogs. Tried both when creating new scopes, but the locked admin is still there. Also tried a scope with All Objects and it doesn't work: some commands are locked with a "Feature not enabled" message.

 

 

 
