New Script: Get-BrokerInvalidAccounts for Event ID Error 505 Citrix ConfigSync Service
There you are minding your own business when you (for once) look at the event logs on your delivery controllers. Much to your dismay, what do you see? Hundreds if not thousands of errors in the Application event log coming from the Citrix ConfigSync Service. What’s up with that? What’s going on?
I want to thank all the members of the Citrix Community that helped test the script and provide feedback to improve it.
What this error is telling you is that some Active Directory (AD) account was removed from AD without first being removed from some resource or association in Citrix Virtual Apps and Desktops (CVAD).
<sarcasm> As you can see from the text in the error event, Citrix tells you exactly what account is causing the error and what resource or association the account was connected to. NOT!
You can enable verbose logging to receive more information by creating the following registry value.
New-ItemProperty -Path HKLM:\SOFTWARE\Citrix\DesktopServer\LHC -Name EnableCssTraceMode -PropertyType DWORD -Value 1
Once that is created, you can find a report located in C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\CitrixBrokerConfigSyncReport.html.
The report gives you a wealth of information. NOT!
At least it tells you the user account (before it resolves into an orphaned SID), in this case, LABADDOMAIN\TestUser1. But WHERE do I find this invalid account used? Is it assigned to a desktop, a delivery group, a published desktop, a published application, or an application group? Was it manually added (via PowerShell) as an included or excluded user to some assignment or entitlement policy?
Update 16-May-2019: From CTA Andy McCullough, if you want the name cache updated immediately, run the following two cmdlets:
Update-BrokerNameCache -Machines
Update-BrokerNameCache -Users
Those questions are what this script is designed to address.
I looked at all the Get-Broker* cmdlets to see which ones have a computer, security group, or user account associated in some way. I found the following list:
- Get-BrokerAccessPolicyRule: ExcludedUsers, IncludedUsers
- Get-BrokerAppAssignmentPolicyRule: ExcludedUsers, IncludedUsers
- Get-BrokerAppEntitlementPolicyRule: ExcludedUsers, IncludedUsers
- Get-BrokerApplication: AssociatedUserNames
- Get-BrokerApplicationGroup: AssociatedUserNames
- Get-BrokerAssignmentPolicyRule: ExcludedUsers, IncludedUsers
- Get-BrokerEntitlementPolicyRule: ExcludedUsers, IncludedUsers
- Get-BrokerMachine: AssociatedUserNames (and MachineName, to verify the computer account still exists in AD)
- Get-BrokerSessionLinger: AssociatedUserNames
- Get-BrokerSessionPreLaunch: AssociatedUserNames
- Get-BrokerUser: Name
I am sure I missed something somewhere. If you know of something that should be added to the list, please let me know.
I don’t think Get-BrokerUser should be in the list. Get-BrokerUser should be self-healing. As invalid accounts are removed from the various entities and associations, the invalid BrokerUser account should be automatically removed.
Here is the script in action.
Finding invalid accounts.
The CSV file with invalid accounts.
What the CSV tells you is:
- Which cmdlet showed the invalid account,
- The invalid account’s name or SID,
- The account type (UserOrGroup or Computer),
- The cmdlet’s property that contains the invalid account, and finally,
- The name of the entity where you can find the invalid account.
You can use that information to find the invalid account in the GUI and remove it. Others, such as excluded users, can be removed only with PowerShell.
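One way to run this kind of check against the cmdlets that expose AssociatedUserNames, producing rows with the five fields listed above. This is an added example, not code from the Get-BrokerInvalidAccounts script: the function names, the sample object and the output file name are assumptions, and it relies on Windows account translation rather than on any Citrix-specific lookup.

```powershell
# Added example; Test-AccountResolves and Find-InvalidAssociatedAccount are hypothetical names.
function Test-AccountResolves {
    param([Parameter(Mandatory)][string]$Account)
    try {
        if ($Account -match '^S-1-\d+(-\d+)+$') {
            # Value is already a SID string: ask Windows for the matching account name.
            $sid = [System.Security.Principal.SecurityIdentifier]::new($Account)
            $null = $sid.Translate([System.Security.Principal.NTAccount])
        } else {
            # Value is DOMAIN\name: ask Windows for the matching SID.
            $nt = [System.Security.Principal.NTAccount]::new($Account)
            $null = $nt.Translate([System.Security.Principal.SecurityIdentifier])
        }
        return $true
    } catch [System.Security.Principal.IdentityNotMappedException] {
        # Only "no such account" counts as invalid. Any other error (for example an
        # unreachable domain controller) propagates, so it is never reported as orphaned.
        return $false
    }
}

function Find-InvalidAssociatedAccount {
    param(
        [Parameter(Mandatory)][string]$Cmdlet,    # cmdlet the entities came from
        [Parameter(Mandatory)][object[]]$Entity   # objects with Name and AssociatedUserNames
    )
    foreach ($e in $Entity) {
        foreach ($acct in $e.AssociatedUserNames) {
            if (-not (Test-AccountResolves -Account $acct)) {
                [pscustomobject]@{
                    Cmdlet = $Cmdlet; Account = $acct; Type = 'UserOrGroup'
                    Property = 'AssociatedUserNames'; Entity = $e.Name
                }
            }
        }
    }
}

# Constructed sample standing in for Get-BrokerApplication output; the SID is made up.
$sample = [pscustomobject]@{
    Name                = 'Notepad'
    AssociatedUserNames = @('BUILTIN\Administrators',
                            'S-1-5-21-1111111111-2222222222-3333333333-1105')
}
Find-InvalidAssociatedAccount -Cmdlet 'Get-BrokerApplication' -Entity $sample |
    Export-Csv -Path .\InvalidAccounts.csv -NoTypeInformation

# On a delivery controller, pass real objects instead of the sample, for example:
# Find-InvalidAssociatedAccount -Cmdlet 'Get-BrokerApplication' `
#     -Entity (Get-BrokerApplication -MaxRecordCount 10000)
```

Get-Broker* cmdlets return 250 records by default, so raise -MaxRecordCount on larger Sites or some associations will never be checked.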
The script when it finds no invalid accounts.
The CSV file with no invalid accounts.
I am already working on V2 of this script that will add the option to remove the invalid accounts. V2 will also support -WhatIf and -Confirm and will also log all actions taken.
Once the invalid accounts are removed, you will see two events (503 and 504) in the application event log from the Citrix ConfigSync Service and all is well in your CVAD Site (as far as invalid accounts are concerned).
Please let me know if there is anything else that should be included in this script.
If you would like to test V2 of the script with the option to remove invalid accounts, send me an email. email@example.com
You can always find the most current script by going to https://carlwebster.com/where-to-get-copies-of-the-documentation-scripts/