Wednesday, January 15, 2014

Adventures in XenDesktop 7 Powershell/SDK : Getting a full list of users/machines from an access policy

The Command You're Looking For

Get-BrokerAccessPolicyRule -name "<groupname>" | % {$_.<property>}

Example: Get-BrokerAccessPolicyRule -name "mygroup_direct" | % {$_.includedusers}

This returns the full list of all included users/groups in the "mygroup_direct" rule.

Explanation

I've been working with Get-/Set-BrokerAccessPolicyRule a lot lately. It's super useful for managing which users have access to which desktops from which machines, in a much more exact way than is possible through the Studio application.

It's allowed me to do some really nice things from a user experience standpoint, which I may elaborate on a little later.

One big problem I've been running into was getting information back out of these. For instance, I've got some ACLs (APRs?) set based on user AD group membership. These work fine, but if I add a bunch, then want to double-check which groups I've added, it's not quite so straightforward.

Running a command like : Get-BrokerAccessPolicyRule -name "group_direct"

returns this:

ExtensionData                    : System.Runtime.Serialization.ExtensionDataObject
AllowRestart                     : True
AllowedConnections               : NotViaAG
AllowedProtocols                 : {HDX, RDP}
AllowedUsers                     : Filtered
Description                      :
DesktopGroupName                 : <redacted>
DesktopGroupUid                  : 2
Enabled                          : True
ExcludedClientIPFilterEnabled    : False
ExcludedClientIPs                : {}
ExcludedClientNameFilterEnabled  : True
ExcludedClientNames              : {<redacted>}
ExcludedSmartAccessFilterEnabled : False
ExcludedSmartAccessTags          : {}
ExcludedUserFilterEnabled        : False
ExcludedUsers                    : {}
IncludedClientIPFilterEnabled    : False
IncludedClientIPs                : {}
IncludedClientNameFilterEnabled  : True
IncludedClientNames              : {<redacted>client1,client2,client3,client4...}
IncludedSmartAccessFilterEnabled : True
IncludedSmartAccessTags          : {}
IncludedUserFilterEnabled        : True
IncludedUsers                    : {<redacted>group1,group2,group3,group4,...}
MetadataMap                      : {}
Name                             : <redacted>_Direct
Uid                              : 1002

As you can see, several of the sections get cut off with a "...". This is super annoying if you're trying to verify that all the groups you think you added are actually there. My typical approach here is to run a command that only displays the field I'm looking for so it doesn't get cut off, something like this: Get-BrokerAccessPolicyRule -name "group_direct" | select includedusers

This doesn't work here though; it returns the same cut-off list. After a lot of playing around I finally found what works (see The Command You're Looking For above). It's a simple command, but it's a strange way of having to get information out of the system. Using that command you get output like this:

ExtensionData : System.Runtime.Serialization.ExtensionDataObject
FullName      : <redacted>
Name          : domain\group1
SID           : S-1-1-11-11111111-111111111-111111111-11111***
UPN           :

ExtensionData : System.Runtime.Serialization.ExtensionDataObject
FullName      : <redacted>
Name          : domain\group2
SID           : S-1-1-11-11111111-111111111-111111111-11111***
UPN           :

ExtensionData : System.Runtime.Serialization.ExtensionDataObject
FullName      : <redacted>
Name          : domain\group3
SID           : S-1-1-11-11111111-111111111-111111111-11111***
UPN           :

This information is far more useful, and can be selected, filtered, and sorted from here.
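Building on the expansion trick above, here is an added example (my own code, not from the original post) that turns it into an audit check: it pulls the full, untruncated IncludedUsers list for a rule and compares it against the list of groups you intended to add, reporting anything missing or unexpected. It assumes the Citrix.Broker.Admin.V2 snap-in is installed where you run it, and the rule and group names in the usage line are placeholders.

```powershell
# Added example, not part of the original post.
# Assumes the XenDesktop 7 SDK snap-in Citrix.Broker.Admin.V2 is installed.
Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop

function Get-BrokerRuleIncludedUsers {
    param([Parameter(Mandatory)][string]$RuleName)
    $rule = Get-BrokerAccessPolicyRule -Name $RuleName -ErrorAction Stop
    if (-not $rule.IncludedUserFilterEnabled) {
        # The list is only applied when the user filter is switched on.
        Write-Warning "IncludedUserFilterEnabled is False on '$RuleName'; the IncludedUsers list is not being enforced."
    }
    # -ExpandProperty unrolls the collection, so nothing is truncated with "..."
    $rule | Select-Object -ExpandProperty IncludedUsers |
        Select-Object Name, SID | Sort-Object Name
}

function Compare-BrokerRuleIncludedUsers {
    param(
        [Parameter(Mandatory)][string]$RuleName,
        [Parameter(Mandatory)][string[]]$ExpectedNames   # e.g. 'domain\group1'
    )
    $actual = @((Get-BrokerRuleIncludedUsers -RuleName $RuleName).Name)
    if ($actual.Count -eq 0) {
        # Compare-Object rejects an empty array, so handle this case directly.
        foreach ($e in $ExpectedNames) { "MISSING   : $e" }
        return
    }
    # Name comparison is case-insensitive by default, which matches AD naming.
    $diff = Compare-Object -ReferenceObject $ExpectedNames -DifferenceObject $actual
    foreach ($d in $diff) {
        if ($d.SideIndicator -eq '<=') { "MISSING   : $($d.InputObject)" }
        else                           { "UNEXPECTED: $($d.InputObject)" }
    }
    if (-not $diff) {
        "OK: '$RuleName' includes exactly the expected $($ExpectedNames.Count) entries."
    }
}

# Usage (placeholder rule and group names):
# Compare-BrokerRuleIncludedUsers -RuleName 'mygroup_direct' -ExpectedNames 'domain\group1','domain\group2'
```

Select-Object -ExpandProperty does the same job as the ForEach-Object form in the post, and is the more common idiom when you want the collection's members rather than the parent object.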
