Citrix Provisioning Services Health Check Script Update Version 1.23
Version 1.23 8-Jan-2021
First off, I want to thank all the testers and fellow CTP Guy Leech for their help in finding issues, suggesting enhancements and feature requests, and testing this update.
This started out as a simple update to address a security issue, but…this turned out harder than it looked.
The Citrix Provisioning Services (PVS) PowerShell cmdlets work from a non-domain-joined computer against multiple Active Directory domains. BUT, there is a glaring security hole. The old string-based MCL cmdlet and the new object-oriented cmdlet ONLY work with a PLAINTEXT password!!! That means, if you want to run the PVS Health Check script from a batch/cmd file or as a scheduled task, you are required to save the password in plaintext. If you run the script from the CLI, you are required to enter the password in plaintext. Neither cmdlet works with a PSCredential object. This is very strange behavior from a “security” company.
My first thought was I would use the mcli-run SetupConnection command and check/trap for errors related to bad credentials or a bad connection to the PVS server. Nope. Nada. Zilch. Not gonna happen. The string-based SetupConnection and the object-oriented Set-PvsConnection cmdlets are poorly written, poorly implemented, poorly documented (the help text is blatantly incorrect), and very dumb. Neither cmdlet returns any useful information, neither returns a status, and neither tells you what happened if something went wrong. You can’t use any ErrorAction. You can’t redirect any of either cmdlet’s vomit to the console if something bad happens. If you want a very long delay and remove all the console vomit, you can use Start-Job and a ScriptBlock. I decided I didn’t like the 30- to 90-second delay with no way to show what is happening or what happened.
What all that means is you are now forced to enter credentials IF you use the -AdminAddress parameter to connect to a REMOTE PVS server. If you run the script on a PVS server, which is my personal preference, you are never prompted for credentials as the current Windows credentials are used for the connection to LocalHost.
Yes, I have reported all these issues to Citrix, but since Citrix is consumed by forcing everyone and every product to the Cloud, I will be long retired by the time Citrix fixes any of these issues or the gaping security hole of requiring a plaintext password.
- Added Appendix P – Items to Review
  - Auditing is not enabled
  - Offline database support is not enabled
  - Problem report Citrix Username is <Name/ID>
  - <ServerName> event logging is not enabled
- Added Appendix Q – Server Items to Review
  - Computer Items to Review
  - Drive Items to Review
  - Processor Items to Review
  - NIC Items to Review
- Added the following CSV files:
- Added testing for standard Windows folders to keep people from running the script in folders like c:\windows\system32
- Added to the Farm info, the Security and Groups tabs (requested by JLuhring)
- Added to the Farm info if the PVS version is >= 7.11, the Problem Report Citrix Username (requested by JLuhring)
- Added to the vDisks in Farm section:
  - Recommended RAM for each PVS Server using XA & XD vDisks
- Added to the Computer Hardware section, the server’s Power Plan (requested by JLuhring)
- Changed all Verbose statements from Get-Date to Get-Date -Format G as requested by Guy Leech
- Changed getting the path for the PVS snapin from the environment variable for “ProgramFiles” to the console installation path (Thanks to Guy Leech)
- Changed the default Domain value to $env:UserDomain
- Changed the default User value to $env:username
  - Combine the two values for the call to Get-Credential
- Changed the variable PVSFullVersion to type [version] for better comparisons
- Check for the McliPSSnapIn snapin before installing the .Net snapins
  - If the snapin already exists, there was no need to install and register the .Net V2 and V4 snapins for every script run
- Cleaned up alignment for most of the output
- Fixed the missing $DatacenterLicense variable (found by @salimhurjuk)
- Removed the Password parameter to keep from having the password entered as plaintext
  - Use Get-Credential and code from Frank Lindenblatt to get the password from the $credential object
  - The mcli-run SetupConnection uses only a plaintext password
- Reordered parameters in an order recommended by Guy Leech
- Updated the help text
- Updated the ReadMe file
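To show how the credential handling in this update fits together (Domain and User defaults combined for Get-Credential, the snapin check, and the PSCredential unwrapped only for the plaintext-only MCLI call), here is an added example; it is my own illustration, not code from the PVS Health Check script. The McliPSSnapIn name and the `server=,domain=,user=,password=` form of the `-p` argument are my reading of the MCLI syntax and should be checked against your PVS release; the optional DPAPI-protected credential file for scheduled tasks goes beyond what the post describes.

```powershell
# Added example, not code from the PVS Health Check script: take a PSCredential
# and unwrap it only at the moment the plaintext-only Mcli-Run SetupConnection
# call needs it, instead of accepting a -Password string parameter. Assumed: the
# McliPSSnapIn name and the "server=,domain=,user=,password=" -p syntax as I
# understand MCLI; check both against your PVS release.
[CmdletBinding()]
param(
    [string]$AdminAddress = 'LocalHost',
    [string]$Domain = $env:UserDomain,
    [string]$User   = $env:USERNAME,
    # Optional DPAPI-protected file for scheduled tasks; only the same user on
    # the same machine that created it can decrypt it
    [string]$CredentialFile
)
function Get-PvsCredential {
    param([string]$Domain, [string]$User, [string]$CredentialFile)
    if ($CredentialFile -and (Test-Path -LiteralPath $CredentialFile)) {
        # Created once, interactively:  Get-Credential | Export-Clixml $CredentialFile
        return Import-Clixml -LiteralPath $CredentialFile
    }
    # Combine Domain and User into one username for the prompt
    return Get-Credential -UserName "$Domain\$User" -Message 'PVS farm credentials'
}
function Connect-PvsFarm {
    param([string]$Server, [string]$DefaultDomain, [pscredential]$Credential)
    # Load the snapin only when it is not already present, so the .Net
    # registration step does not repeat on every run
    if (-not (Get-PSSnapin -Name McliPSSnapIn -ErrorAction SilentlyContinue)) {
        Add-PSSnapin -Name McliPSSnapIn -ErrorAction Stop
    }
    $parts = $Credential.UserName -split '\\', 2
    if ($parts.Count -eq 2) { $domain, $user = $parts }
    else { $domain = $DefaultDomain; $user = $parts[0] }
    # MCLI accepts only a plaintext string: unwrap the SecureString here and drop
    # the reference as soon as the call returns (.NET strings are immutable, so
    # this limits exposure rather than zeroing memory)
    $plain = $Credential.GetNetworkCredential().Password
    try {
        Mcli-Run SetupConnection -p "server=$Server,domain=$domain,user=$user,password=$plain"
    } finally {
        $plain = $null
    }
}
# On the PVS server itself the current Windows logon is used, with no prompt
if ($AdminAddress -ne 'LocalHost') {
    $cred = Get-PvsCredential -Domain $Domain -User $User -CredentialFile $CredentialFile
    Connect-PvsFarm -Server $AdminAddress -DefaultDomain $Domain -Credential $cred
}
```

As the post notes, SetupConnection reports nothing back, so a bad password surfaces only in the later cmdlet calls; the point of the pattern is that no plaintext ever sits in a batch file or on the command line.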
You can always find the most current script by going to https://carlwebster.com/where-to-get-copies-of-the-documentation-scripts/