Finding Horizon View local entitlements using PowerCLI

Intro

In a previous post i mentioned that finding the entitlements for a user from the Horizon side of things can be a bit of a hassle. If only active directory groups are used its dead easy: just use the Active directory commands for those groups. If the groups are used for multiple pools and if you have assigned desktops things get a bit more complicated. For now I will only concentrate on the local pod without global entitlements.

getting that info

To get started the vmware.hv.helper module has the get-hventitlement command. As almost always a very useful one but it has some flaws. First it requires full domainname\username or username@fulldomainname.

For example

get-hventitlement -user magneet.lab\user1

or

get-hventitlement -user user1@magneet.lab

Both work but

get-hventitlement -user magneet\user1

gives this message: Get-HVEntitlement: No entitlements found with given search parameters.

At least

get-hventitlement -user user1

If you add the -type group to this command you get all group entitlements

gives an error message that the -user argument does not match the “^.+?[@\\].+?$” pattern. With this last one you at least get an error so you know where to look but not displaying any entitlements is an issue for me.

So, back to the results of these commands, I have assigned the user user1 the following rights

  • Pool04 directly and by using a group
  • directly on a single desktop in pool04.
  • Pool01 only by group.
  • Paint rds app by group
  • Calculator rds app direct
  • Wordpad rds app by both group & directly

When using the get-hventitlement without anything else it doesn’t seem to show a lot of usable things

get-hventitlement -user user1@magneet.lab

If you put this between brackets followed by a period and one of the properties a bit more info is shown.

(get-hventitlement -user user1@magneet.lab).base

Some information about the user, not very usable the session data property gives some information about current sessions (none at the moment)

With the localdata property it looks like we hit the motherload jackpot thingy

(get-hventitlement -user user1@magneet.lab).localdata

Very good, a lot of id’s so what can we do with those? For now I will put this into $entitledids.

$entitledids=(get-hventitlement -user user1@magneet.lab).localdata

I read something about get-hvinternalname when checking out the module, sounds usable.

get-help get-hvinternalname -examples

Ah, so this needs an entityid as input, a machine is an entity so let’s try it. This might need a foreach though because the output gave machines and not machine.

foreach ($Entityid in ($entitledids.machines)){get-hvinternalname $Entityid}

Damn, that’s not usable, let’s double-check with the other id types

foreach ($Entityid in ($entitledids.desktops)){get-hvinternalname $entityid}
foreach ($Entityid in ($entitledids.desktopuserentitlements)){get-hvinternalname $entityid}
foreach ($Entityid in ($entitledids.aplicationuserentitlements)){get-hvinternalname $entityid}
foreach ($Entityid in ($entitledids.applications)){get-hvinternalname $entityid}

The ones we need are readable, couple of them not but I don’t those will be missed.

The missing machine name is actually easy to solve by doing an api call:

foreach ($Entityid in ($entitledids.machines)){($services1.machine.machine_Get($Entityid)).base}

Conclusion

Because this is rather easy to use and since I didn’t have a direct use case for that I decided not to create a complete script. With get-hventitlement, get-hvinternalname and maybe an api call here or there it’s very easy to pull the information about which account or groups have what rights. To see if a user belongs to a group can easily be done with any of the multitude of scripts for that here’s a good example of those.

 

Adding manual desktops in Horizon View and assigning them using Powercli

A while ago I received a question from Geoffrey O’Brien if I knew how to add a desktop and assign it using PowerCLI. I started building this using the api’s and after a lot of hours, cussing, swearing running into weird problems I actually got it working. When I was busy writing that blog post and wanting to add this to the vmware.hv.helper module I found out that both functions had already been added back in July! I just ignored, or better, forgot about the module for a while because at first it lacked a lot of options.

Key ingredients to do this are add-hvdesktop and set-hvmachine commands. For this post I will assume that the user is already entitled to the pool. This is something that can be checked but because of some ‘things’ it will be a separate post. Please be aware that if you combine these commands in a single script that there needs to be some time for the connectionserver to actually add the desktop.

First check if the system isn’t already registered with this this pod:

get-hvmachine -machinename MACHINENAME

If the desktop is already added somewhere and you know the pool it can be removed with the api (issue logged to create remove-hvmachine here)

$services1.desktop.Desktop_RemoveMachineFromManualDesktop((get-hvpool -poolname POOLNAME).id, (get-hvmachine -machinename MACHINENAME).id)

Since the desktop can’t be found yet it can be added by:

add-hvdesktop -poolname POOLNAME -machines labw701

Did you notice the extra S in the -machines part in the command? Multiple machines can be added by separating them with a comma.

To assign the user to the machine things get a it more complicated. We need to set an advanced option for that with set-hvmachine. Why an advanced option? It seems like assigning a single machine isn’t considered an entitlement! The module has no option to grab the horizon userid for you so we need to use the api’s for that (request to add it has been made here)

$username="USERNAME"
$queryService = New-Object VMware.Hv.QueryServiceService
$defn = New-Object VMware.Hv.QueryDefinition
$defn.queryEntityType = 'ADUserOrGroupSummaryView'
$defn.filter = New-Object VMware.Hv.QueryFilterEquals -property @{'memberName'='base.name'; 'value' = $userName}
try     {
        $userid=($queryService.queryservice_create($Services1, $defn)).results[0].id
        }
catch   { 
        throw "Can't find $Username, exiting" 
        }

the username has to be exact samaccountname from your active directory otherwise it will not be able to find the user.

so now we do have the userid the base.user needs to be updated.

get-hvmachine -machinename MACHINENAME | set-hvmachine -key base.user -Value $userid

before:

the command:

After:

And since the user has been assigned something now it has it’s own userorgroupid as you can see and that can again be check with the api’s. First put the userorgroupid into a variable and then use that against the aduserorgroup service.

$resultuserid=(get-hvmachine -machinename MACHINENAME).base.user
($services1.AdUserOrGroup.AduserOrGroup_Get($resultuserid)).base

This is the script you can use as a base:

$username="username"
$poolname="Poolname"
$machinename="machinename"
$connectionserver="connectionservername"

$hvserver1=connect-hvserver $connectionserver
$Services1= $hvServer1.ExtensionData

$queryService = New-Object VMware.Hv.QueryServiceService
$defn = New-Object VMware.Hv.QueryDefinition
$defn.queryEntityType = 'ADUserOrGroupSummaryView'
$defn.filter = New-Object VMware.Hv.QueryFilterEquals -property @{'memberName'='base.name'; 'value' = $userName}
try     {
        $userid=($queryService.queryservice_create($Services1, $defn)).results[0].id
        }
catch   { 
        throw "Can't find $Username, exiting" 
        }

add-hvdesktop -poolname $poolname -machines $machinename

start-sleep -s 10

get-hvmachine -machinename $machinename | set-hvmachine -key base.user -Value $userid

As always the most up to date version of the script can be found on Github.