Tuesday, January 31, 2017

PVS Info to Environment Variables / Event Log Refreshed

In my old post I presented a PowerShell startup script to grab some info from the PVS image and pump it into the event logs and environment variables for consumption. I refreshed this for the VHDX disks and "Cache in Ram with overflow" cache type.

Start by creating the event log from an elevated PowerShell session by issuing the command:
New-EventLog -LogName Application -Source "Xenapp_Custom"

I run the script below in the local startup scripts on the PVS images.

# Path to the PVS ini file holding the DiskName and WriteCacheType entries (placeholder; set it for your image)
$File="<PATH TO PVS INI FILE>"
$disk="ID not found"

IF(Test-Path $File){
  $data=get-content $file
  # Pull the vDisk name and the write cache type out of the file
  Foreach ($line in $data) {
    if ($line.Contains("DiskName")){$iname=$line.replace("$","").replace("DiskName=","").replace(".vhdx","").replace(".vhd","")}
    if ($line.Contains("WriteCacheType")){$wc=$line.replace("$","").replace("WriteCacheType=","")}
  }

  # Map the numeric cache type to a short code; log an alert for cache on server or an unknown type
  switch ($wc) {
    "0" {$wc1="PV"}
    "4" {$wc1="CD"}
    "6" {$wc1="CR"}
    "9" {$wc1="CRO"}
    "1" {$wc1="Server";Write-EventLog -LogName Application -Source "XenApp_Custom" -EntryType Error -EventID 911 -Message "PVS ALERT. VDisk is set to Cache on server.  Immediate action is required to prevent an outage if this is a PROD image. Image: $iname"}
    default {$wc1="OTHER";Write-EventLog -LogName Application -Source "XenApp_Custom" -EntryType Warning -EventID 911 -Message "PVS ALERT. Nonstandard VDisk configuration has been detected. Image: $iname"}
  }
}

  {$disk=$env:computername + "_Local"}

---------------END OF LINE------------

Thursday, January 26, 2017

Installing Adobe Acrobat Professional in a Shared/Non Persistent Desktop Image Vmware / Citrix


Four things are required to successfully install and license Acrobat Professional for a shared desktop.

  1. The Adobe Acrobat Software
  2. The Adobe Provisioning Toolkit, Enterprise Edition (APTEE)
  3. The serial number for your product
  4. The Adobe Customization Wizard that matches your product version

Acquiring the pieces: 

Items 1-3 are obtained from the Adobe Licensing Website.
Log on. Downloads has the software and the APTEE. The serial number is located in "Retrieve Serial Numbers".
Item 4 can be located on the Adobe FTP site:

Creating the PROV.XML file.

The prov.xml contains the serial number and an encrypted license key. It is generated by the APTEE executable adobe_prtk.exe. An Internet-connected machine is required at this step. No Adobe products are needed other than the executable.
Open a command prompt and enter the following:
adobe_prtk.exe --tool=VolumeSerialize --generate --serial=<SERIAL NUMBER FROM ADOBE LWS> --regsuppress=ss --eulasuppress
Return code 0 indicates success.

Customize the Adobe Package

Install the Adobe Customization Wizard
Navigate to the MSI in the directory where you unzipped the Adobe Acrobat Download
Customize as required.  Save and exit.

Install in the gold image

Open a command prompt and navigate to the directory where you unzipped the Adobe Acrobat download. Issue the command:
Msiexec /i acropro.msi /t acropro.mst
This will run through the standard Adobe install. Hopefully the customizations will run and minimal input is required. Do not do a first run at this point.
Copy the adobe_prtk.exe file and the prov.xml to the image.  I choose C:\programdata\adobe to store those files.
Issue the command:
c:\programdata\adobe\adobe_prtk.exe --tool=VolumeSerialize --provfile=c:\programdata\adobe\prov.xml --stream
Open Adobe and click through any first run prompts and allow the app to remain open for a minute or two.
Seal and publish the image.


Tuesday, February 23, 2016

Foreign Security Principals in a Group

I needed a list of users in a group and GET-ADGROUPMEMBER was failing hard due to some foreign security principals.  This is what I came up with:

Import-Module ActiveDirectory
$group="<GROUP NAME>"   # placeholder: the group to enumerate
$LOCAL=@()
$FOREIGN=@()
$alluser=(Get-ADGroup $group -properties member).member
foreach ($user in $alluser){
  if ($user -like "*ForeignSecurityPrincipals*"){
    # The CN of a foreign security principal is its SID; pull it out of the DN and translate it to DOMAIN\name
    $object = New-Object System.Security.Principal.SecurityIdentifier ($user -replace '^CN=([^,]+),.*$','$1')
    $result = $object.Translate([System.Security.Principal.NTAccount])
    $FOREIGN+=$result.Value
  }
  else{$LOCAL+=(Get-ADUser -identity $user).name}
}
Write-Host "---------"
Write-Host "GROUP:$group"
Write-Host "---------"
Write-Host "LOCAL USERS"
Write-Host "---------"
$LOCAL
Write-Host "---------"
Write-Host "FOREIGN USERS"
Write-Host "---------"
$FOREIGN

It's not the prettiest script on the net, but it gets the job done.

Thursday, January 21, 2016

Old school installer architecture selection script.

Some days you need to write a script that takes action based on whether you are installing on a x32 or x64 box.  Here is a simple VBscript that just works...

Set WshShell = WScript.CreateObject("WScript.Shell")

OSbits = WshShell.RegRead("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\PROCESSOR_ARCHITECTURE")

' PROCESSOR_ARCHITECTURE is "x86" on 32-bit Windows; anything else is treated as 64-bit
If OSbits = "x86" Then
  WshShell.Run "msiexec.exe /qn /i install_x86.msi /norestart"
Else
  WshShell.Run "msiexec.exe /qn /i install_x64.msi /norestart"
End If

Wednesday, January 6, 2016

Adding space to a Citrix Provisioning Services Vdisk without reverse imaging.

In the course of patching and modification a Citrix Provisioning Services disk image can sometimes exceed its original storage capacity. Like a normal virtual machine, a PVS image can be extended to increase its useful life. As this is executed against an unmounted, unused PVS image the risk is minimal. Failback is to create a clean image from the current gold image.


Prior to attempting to extend a Vdisk ensure that it is not locked, in use or mounted in PVS (the lock icon indicates whether it is locked or not and if it is in use the Connections will be greater than 0).


Open a command prompt and issue the diskpart command (on some systems escalation is required):

Mount Vdisk

 Select the Vdisk to modify and attach it to Diskpart:

Increase Size

Increase the maximum size of the VDisk (Size is in Megabytes):

Attach to the Vdisk

Attach the vdisk and determine the correct volume to extend:

Select the volume

Select the volume to extend and execute the extend command:


Review your results:


Clean up and exit:


Command Cheat sheet

You must be an administrator to take these actions. Begin with a command prompt.

diskpart
select vdisk file="<PATH>\<VDISKFILE>.vhd"
list vdisk
expand vdisk maximum=62000
attach vdisk
list disk
list volume
select volume 7
extend
list volume
detach vdisk
exit

Tuesday, January 5, 2016

Powershell One Liners for Xenapp 6.5

I am preparing a report and I needed some stats about a large 6.5 XenApp environment.  Powershell and ASNP Citrix* to the rescue.

Count of Applications


Count of Disabled Applications

Get-XAApplication|where{$_.enabled -eq $false}|measure

Count of Apps granted to "domain users"

Get-XAApplication|Get-XAAccount|where{$_.accountname -contains "domain users"}|measure

Happy counting...

Wednesday, March 18, 2015

Citrix and SHA2

SHA2 and why do I care?

Time to update those statements of support for your users and customers.  With the move to the more secure certificate algorithm SHA2, things are breaking all over the place.  First off, Microsoft and the Cert powers that be have declared that Certs that expire on or after 1/1/17 must be SHA2.  So if you are picking up a new cert with a 2 year life it will be SHA2.  What does that mean to me, you ask?

Web Interface:

I know you've been putting off that Storefront migration, but it is time to get it on the books.  You can buy some time if you offload SSL (and your cert) to your Netscaler or other load balancer of choice.

Secure Gateway

It's time to put your SG out of its misery.  Netscaler VPX is your go-to replacement.

11.x and older Citrix Client

If it connects via SSL you need to upgrade.  If you are at Vista + for your OS, download and install the latest Citrix client.  If you have an older OS, first, shame on you.  Second, the last of the 12.x clients is what you want.  Modern clients are not tested on XP and can be rather inconsistent.

If you are a thin client shop and you protect your connections via SSL, it's time to update that firmware if you can.  I haven't found a lot of vendor "statement of support" type documents, but if your Linux or Windows TCs have a modern (Vista+) OS and a receiver in the 12.x land, you should be ok.  The various vendors with "ThinOS" products will need to either declare support or issue an updated firmware.

Other Gotchas

Citrix will tell you that you can get a cert today with the old SHA1 and run with your legacy stuff a while longer, which is true but with a massive caveat.  For the older clients to work your entire certificate chain must be SHA1.  If your cert and the root cert are SHA1 and an intermediate cert is SHA2, you are not going to work.  I have seen this and it is not pretty.  The name of the Cert listed in the error will be the first cert in your chain that is SHA2.

Error Text:
Unable to launch your application. Contact your help desk with the following information: Cannot connect to the Citrix Xenapp server. SSL Error 61: You have chosen not to trust "<CERTNAME>", the issue of this server's security certificate.
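
A way to check a chain for this mixed SHA1/SHA2 condition before older clients hit it, as an added example that is not from the original post: it builds a constructed in-memory chain (SHA1 root, SHA2 intermediate, SHA1 server cert) and flags the first certificate whose signature is not SHA1. The helper names, subject names and dates are made up for the demo, and walking from the server cert toward the root is an assumption about the order the client uses.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates
# Needs PowerShell 7, or Windows PowerShell 5.1 on .NET Framework 4.7.2+ (CertificateRequest).

# Signature algorithm OIDs that use SHA-1: sha1RSA and ecdsa-with-SHA1.
$Sha1Oids = '1.2.840.113549.1.1.5', '1.2.840.10045.4.1'
# Constructed validity window, in whole seconds so child dates nest inside the issuer's.
$From = [DateTimeOffset]::new(2016, 1, 1, 0, 0, 0, [TimeSpan]::Zero)
$To   = [DateTimeOffset]::new(2018, 1, 1, 0, 0, 0, [TimeSpan]::Zero)

# Hypothetical helper: creates an in-memory demo certificate signed with the given hash.
# With no issuer it is self-signed; otherwise it is signed by the issuer's key.
function New-DemoCert([string]$Subject, [string]$Hash, $Issuer, [bool]$IsCA) {
    $key = [RSA]::Create(2048)
    $req = [CertificateRequest]::new($Subject, $key, [HashAlgorithmName]::new($Hash), [RSASignaturePadding]::Pkcs1)
    $req.CertificateExtensions.Add([X509BasicConstraintsExtension]::new($IsCA, $false, 0, $true))
    if ($null -eq $Issuer) { return $req.CreateSelfSigned($From, $To) }
    $cert = $req.Create($Issuer, $From, $To, [byte[]](1..8))
    return [RSACertificateExtensions]::CopyWithPrivateKey($cert, $key)
}

# Returns one row per certificate in the order given and marks the first non-SHA1 signature.
function Get-ChainHashReport([X509Certificate2[]]$Chain) {
    $found = $false
    foreach ($c in $Chain) {
        $isSha1 = $Sha1Oids -contains $c.SignatureAlgorithm.Value
        [pscustomobject]@{
            Subject      = $c.Subject
            Algorithm    = $c.SignatureAlgorithm.FriendlyName
            IsSha1       = $isSha1
            FirstNonSha1 = (-not $isSha1 -and -not $found)
        }
        if (-not $isSha1) { $found = $true }
    }
}

# Constructed chain matching the failure case: cert and root are SHA1, intermediate is SHA2.
$root  = New-DemoCert -Subject 'CN=Constructed Root CA' -Hash SHA1 -Issuer $null -IsCA $true
$inter = New-DemoCert -Subject 'CN=Constructed Intermediate CA' -Hash SHA256 -Issuer $root -IsCA $true
$leaf  = New-DemoCert -Subject 'CN=xenapp.example.test' -Hash SHA1 -Issuer $inter -IsCA $false

Get-ChainHashReport -Chain $leaf, $inter, $root | Format-Table -AutoSize
```

For a real server, pass the certificates from an X509Chain's ChainElements (index 0 is the server cert) in place of the constructed ones.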

Happy Certing..