Carl Webster Accessibility Statement

Carl Webster is committed to facilitating the accessibility and usability of its website,, for everyone. Carl Webster aims to comply with all applicable standards, including the World Wide Web Consortium’s Web Content Accessibility Guidelines 2.0 up to Level AA (WCAG 2.0 AA). Carl Webster is proud of the efforts that we have completed and that are in-progress to ensure that our website is accessible to everyone.

If you experience any difficulty in accessing any part of this website, please feel free to email us at and we will work with you to provide the information or service you seek through an alternate communication method that is accessible for you consistent with applicable law (for example, through telephone support).

  • Get Broker Invalid Accounts V2.00

    Version 2.00 18-June-2019

    • Add support for -WhatIf and -Confirm
    • Add switch -RemoveInvalidAccounts
    • Add switch -UpdateNameCache with a 30-second wait
    • At the end of the script, show:
      • Count of the unique number of SIDs and account names
      • Count of accounts removed
      • Count of accounts not removed

    V1 of this script was written because of the issues I had at a customer site with the Event ID Error 505 from the Citrix ConfigSyncService. If there was even one orphaned SID or invalid account in the Site, the Local Host Cache would neither create nor update. A friend at Citrix said they believed they had fixed that problem in 7.14 LTSR CU4 and in 1906. I did extensive testing with those two versions and could never get the 505 error. That doesn’t mean this script isn’t needed. Far from it. If you have orphaned SIDs or invalid accounts (computer or user accounts deleted from AD but not yet turned into an orphaned SID), you still have issues. V2 now gives you a way to remove those orphaned SIDs and invalid accounts.

    This has been a very challenging script update. I can run the same Get-Broker* cmdlets and get different results about a third of the time. You will see that in some of the screenshots to follow.

    As soon as I completed V1 of this script, I started getting requests for an update to remove the orphaned SIDs and invalid accounts that were found. It took a month to get all the kinks worked out. There are so many places in the Get-Broker* cmdlets to put computer and user accounts and also some cmdlets to add Inclusions and Exclusions that cannot be seen in Studio. Creating all the necessary Machine Catalogs, Delivery Groups, Applications, Application Groups, user accounts, exclusions, and inclusions was time-consuming. Then I intentionally screwed it all up by intentionally deleting AD accounts to get orphaned SIDs and invalid accounts.

    Then what was most confusing was running the script multiple times and getting different results each time!!! I am assuming it all comes down to the name cache that is maintained somewhere and updated on an unknown and undetermined schedule. I also discovered that you can have orphaned SIDs and invalid accounts for computers that appear to be updated on a different basis than the user accounts.

    I could run the script with no parameters and get a count of orphaned SIDs and invalid accounts. Then run the script again for a screenshot and get a different count. Later, I would run the script to remove the invalid accounts, only to see that none of the deleted AD computer accounts were found. Immediately re-run the script and there were the missing AD computer accounts. I think Netflix has a TV show about the Citrix Name Cache called Stranger Things.

    The script does work, and I appreciate those that helped test the script to uncover bugs I and make the script better.

    Here is the script in action.

    Script WIth No Parameters
    Script WIth No Parameters
    Script With Update Name Cache
    Script With Update Name Cache
    Script With Remove Invalid Accounts And WhatIf
    Script With Remove Invalid Accounts And WhatIf
    Script With Remove Invalid Accounts And Confirm
    Script With Remove Invalid Accounts And Confirm
    Script With Remove Invalid Accounts
    Script With Remove Invalid Accounts

    Did you notice that the numbers are different on the last run? I had to run the script a second time. If you go back and look at the first few screenshots, they show 19 invalid accounts found. The last screenshot shows 17 invalid accounts found???

    Here I re-run the script immediately.

    Script Run Number 2
    Script Run Number 2

    The last two times, the script found an additional 3 invalid accounts. 17 + 3 = 20.

    Deleting invalid computer accounts can be a two-step process. If a computer belongs to a delivery group and a machine catalog, you have to remove it from the delivery group first and then re-run the removal cmdlet to remove the computer from the machine catalog.

    I have tested every scenario I can think of, including finding that if you delete AD computer accounts before the VDA registers with the delivery group or delete AD user accounts before the delivery group is fully created, well Stranger Things happen.


    Please let me know if there is anything else that should be included in this script.

    You can always find the most current script by going to



    About Carl Webster

    Carl Webster is an independent consultant specializing in Citrix, Active Directory, and technical documentation. Carl (aka “Webster”) serves the broader Citrix community by writing articles (see and by being the most active person in the Citrix Zone on Experts Exchange. Webster has a long history in the IT industry beginning with mainframes in 1977, PCs and application development in 1986, and network engineering in 2001. He has worked with Citrix products since 1990 with the premiere of their first product – the MULTIUSER OS/2.

    View all posts by Carl Webster

    One Response to “Get Broker Invalid Accounts V2.00”

    1. William Foster Says:

      Nice work Carl et al
      as always thank you for the excellent content.


    Leave a Reply