Get Broker Invalid Accounts V2.00
Version 2.00 18-June-2019
- Add support for -WhatIf and -Confirm
- Add switch -RemoveInvalidAccounts
- Add switch -UpdateNameCache with a 30-second wait
- At the end of the script, show:
  - Count of the unique number of SIDs and account names
  - Count of accounts removed
  - Count of accounts not removed
V1 of this script was written because of the issues I had at a customer site with the Event ID Error 505 from the Citrix ConfigSyncService. If there was even one orphaned SID or invalid account in the Site, the Local Host Cache would neither create nor update. A friend at Citrix said they believed they had fixed that problem in 7.14 LTSR CU4 and in 1906. I did extensive testing with those two versions and could never get the 505 error. That doesn’t mean this script isn’t needed. Far from it. If you have orphaned SIDs or invalid accounts (computer or user accounts deleted from AD but not yet turned into an orphaned SID), you still have issues. V2 now gives you a way to remove those orphaned SIDs and invalid accounts.
This has been a very challenging script update. I can run the same Get-Broker* cmdlets and get different results about a third of the time. You will see that in some of the screenshots to follow.
As soon as I completed V1 of this script, I started getting requests for an update to remove the orphaned SIDs and invalid accounts that were found. It took a month to get all the kinks worked out. There are so many places in the Get-Broker* cmdlets to put computer and user accounts, and also some cmdlets to add Inclusions and Exclusions that cannot be seen in Studio. Creating all the necessary Machine Catalogs, Delivery Groups, Applications, Application Groups, user accounts, exclusions, and inclusions was time-consuming. Then I screwed it all up by intentionally deleting AD accounts to get orphaned SIDs and invalid accounts.
Then what was most confusing was running the script multiple times and getting different results each time!!! I am assuming it all comes down to the name cache that is maintained somewhere and updated on an unknown and undetermined schedule. I also discovered that you can have orphaned SIDs and invalid accounts for computers that appear to be updated on a different basis than the user accounts.
I could run the script with no parameters and get a count of orphaned SIDs and invalid accounts. Then run the script again for a screenshot and get a different count. Later, I would run the script to remove the invalid accounts, only to see that none of the deleted AD computer accounts were found. Immediately re-run the script and there were the missing AD computer accounts. I think Netflix has a TV show about the Citrix Name Cache called Stranger Things.
The script does work, and I appreciate those that helped test the script to uncover bugs and make the script better.
Here is the script in action.
Did you notice that the numbers are different on the last run? I had to run the script a second time. If you go back and look at the first few screenshots, they show 19 invalid accounts found. The last screenshot shows 17 invalid accounts found???
Here I re-run the script immediately.
The last two times, the script found an additional 3 invalid accounts. 17 + 3 = 20.
Deleting invalid computer accounts can be a two-step process. If a computer belongs to a delivery group and a machine catalog, you have to remove it from the delivery group first and then re-run the removal cmdlet to remove the computer from the machine catalog.
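To make that two-step order explicit, here is an added example (my own illustration, not the code from the script above) of a function that removes a stale broker machine with -WhatIf and -Confirm support. It assumes the Citrix.Broker.Admin.V2 snap-in is available, that the caller supplies the broker MachineName values (DOMAIN\NAME$) already identified as invalid, and that Remove-BrokerMachine with -DesktopGroup takes a machine out of its delivery group while the same cmdlet without -DesktopGroup takes it out of its catalog.

```powershell
# Added example: two-step removal of broker machines whose AD computer account is gone.
# Assumes the Citrix Broker snap-in and that $MachineName holds already-validated stale names.
function Remove-StaleBrokerMachine {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]] $MachineName,
        [string] $AdminAddress   # optional Delivery Controller FQDN
    )
    begin {
        Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop
        $common = @{}
        if ($AdminAddress) { $common.AdminAddress = $AdminAddress }
        $removed = 0; $notRemoved = 0
    }
    process {
        foreach ($name in $MachineName) {
            $m = Get-BrokerMachine -MachineName $name @common -ErrorAction SilentlyContinue
            if (-not $m) {
                # The name cache may not show the machine yet; re-run later rather than guess.
                Write-Warning "$name not currently returned by Get-BrokerMachine"
                $notRemoved++; continue
            }
            try {
                # Step 1: a machine that still belongs to a delivery group must leave it first.
                if ($m.DesktopGroupName -and
                    $PSCmdlet.ShouldProcess($name, "Remove from delivery group $($m.DesktopGroupName)")) {
                    Remove-BrokerMachine -MachineName $name -DesktopGroup $m.DesktopGroupName -Force @common
                }
                # Step 2: with no delivery group membership left, remove it from the machine catalog.
                if ($PSCmdlet.ShouldProcess($name, "Remove from machine catalog $($m.CatalogName)")) {
                    Remove-BrokerMachine -MachineName $name -Force @common
                    $removed++
                } else { $notRemoved++ }
            } catch {
                Write-Warning "Failed on ${name}: $($_.Exception.Message)"
                $notRemoved++
            }
        }
    }
    end {
        # Mirrors the end-of-run counts the script prints.
        [pscustomobject]@{ Removed = $removed; NotRemoved = $notRemoved }
    }
}
```

Run it first with -WhatIf to see both steps listed per machine without changing the Site; a machine declined at step 1 under -Confirm is reported as not removed because step 2 cannot succeed while it is still in a delivery group.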
I have tested every scenario I can think of, including finding that if you delete AD computer accounts before the VDA registers with the delivery group, or delete AD user accounts before the delivery group is fully created, well, Stranger Things happen.
Please let me know if there is anything else that should be included in this script.
You can always find the most current script by going to https://www.carlwebster.com/where-to-get-copies-of-the-documentation-scripts/