
Importing Users to Citrix Edgesight User Groups from Active Directory.

I’ve blogged about Edgesight reporting previously, but in this case I needed to populate Edgesight groups from Active Directory and keep them up to date. This functionality is (rather strangely) not available in Edgesight, and for this reason I decided to create a PowerShell module to allow for automation of user group population from Active Directory.

Edgesight doesn’t seem to have any APIs or command line interfaces to hook into. For this reason my scripts are based on connecting to the Edgesight database and retrieving the information with SQL statements. This presented a really fun challenge for me as I’m an SQL novice. I learned quite a bit in a short period of time by writing this PowerShell module.

With the following module you can run scheduled tasks to connect to your Edgesight database and add / amend your user groups with ease.

First, some caveats, warnings and limitations of Edgesight you should be aware of:

  • My SQL statements have been tested fully internally and work flawlessly. That being said, always back up your database before you attempt to use these modules.
  • Each Edgesight group has a unique GUID assigned when it is created, for this reason you must manually create the Edgesight groups before attempting to import users.
  • Each user has a unique identifier in Edgesight called a PRID, if Edgesight has not seen a user before, the PRID will not exist. As such, you cannot import a user who has not logged into the environment before.


The Module:



I have packaged the necessary commands for this job into a self-contained module you can import at runtime.

The module needs to be edited by hand before you first use it. This is to specify the credentials you wish to use to connect to the Edgesight database. I have included options for trusted connections and SQL account logins. For more information on this, read the Configuring the module section below.

Module Components:


This module has the following commands embedded to be used as part of your maintenance scripts:

Get-ESGroups

  • Retrieves the name and ID of each Edgesight user group

Get-ESGroupMembers

  • Retrieves the PRIDs of all members of a specified user group.

Add-ESGroupMember

  • Ensures the user isn’t already in the group.
  • Adds a specified user to a specified group.

Remove-ESGroupMember

  • Removes a user, via their PRID, from a specified user group.

Clear-ESGroupMembers

  • Removes all members from the specified group.
  • Reports the number of users removed.

Get-ESUserPrid

  • Looks up a user by name (samaccount name / login name) and returns their Prid.
  • Warns if the user doesn’t exist.

Get-ESUserName

  • Looks up a user by Prid and returns their login name.
  • Warns if the user doesn’t exist.


Downloading the module:



You can download the Edgesight Module from my box.net account here. Remember to continue down this blog post to see how to use the modules for your best chance of success.

Configuring the module:



Once you have downloaded the module, you need to edit it by hand before you first use it. This is to specify the credentials you wish to use to connect to the Edgesight database.

Configuring the SQL Server and database name:

  • Change the $SQLServer variable (labeled 1: below) to the SQL database server or instance name you wish to connect to.
  • Change the $SQLDatabase variable (labeled 2: below) to the SQL database name you wish to connect to.



Below is an example of how this should look:



Configuring the SQL login details:



I have included options for trusted connections and SQL account logins. Here’s a brief description of the two options available to you when configuring your authentication for this module:

  • A trusted connection is a connection using your logged in details.
  • A non-trusted connection requires a SQL user account and password with modify rights to the Edgesight database.

Using a Trusted connection:

  • Configure the $SQLTrustedConnection variable as $true
  • You can then ignore or remove the $SQLUsername and $SQLpassword variables.

An example of how this should appear is below:

Using an untrusted connection:

  • Configure the $SqlTrustedConnection variable (labelled below as 1:) as $false
  • Configure the $SqlUserName variable (labelled below as 2:) as the SQL username with the aforementioned access rights.
  • Configure the $SQLPassword variable (labelled below as 3:) as the SQL user’s password.

Note: remember to wrap the username and password in quotes.

An example of how this should appear is below:

Once you’ve configured the Module to suit your environment, simply save it.
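
An added example, not code from the module: one way to keep the SQL password out of the .psm1 when a SQL login is needed, using the same settings described above. The function name New-ESSqlConnection, the credential file path and the server and database names are hypothetical, and it assumes Windows PowerShell 3.0 or later with .NET 4.5; how the module itself opens its connection is not shown on this page.

```powershell
# Added example; not part of Citrix.Edgesight.Cmdlets.psm1.
# One-time setup, run interactively as the account that will run the scheduled task:
#   Get-Credential | Export-Clixml -Path 'C:\Scripts\es-sql.cred.xml'
# Export-Clixml protects the password with Windows DPAPI, so only that
# account on that machine can decrypt it again.

function New-ESSqlConnection {                 # hypothetical helper name
    param(
        [Parameter(Mandatory=$true)][string]$SQLServer,
        [Parameter(Mandatory=$true)][string]$SQLDatabase,
        [bool]$SQLTrustedConnection = $true,
        [string]$CredentialPath                # only read when $SQLTrustedConnection is $false
    )
    # Use the indexer: the builder is a dictionary, so PowerShell property
    # assignment would be treated as an (unsupported) connection-string keyword.
    $csb = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $csb['Data Source']     = $SQLServer
    $csb['Initial Catalog'] = $SQLDatabase

    if ($SQLTrustedConnection) {
        # Trusted connection: the logged-in (or scheduled task) account is used.
        $csb['Integrated Security'] = $true
        return New-Object System.Data.SqlClient.SqlConnection($csb.ToString())
    }

    # SQL login: the password stays a SecureString and never enters the
    # connection string or the script file.
    $cred = Import-Clixml -Path $CredentialPath
    $pw   = $cred.Password.Copy()
    $pw.MakeReadOnly()                         # SqlCredential requires a read-only SecureString
    $sqlCred = New-Object System.Data.SqlClient.SqlCredential($cred.UserName, $pw)
    return New-Object System.Data.SqlClient.SqlConnection($csb.ToString(), $sqlCred)
}

# Usage with placeholder names (constructed for this example):
#   $conn = New-ESSqlConnection -SQLServer 'SQLSERVER01' -SQLDatabase 'EdgeSight' `
#               -SQLTrustedConnection $false -CredentialPath 'C:\Scripts\es-sql.cred.xml'
#   $conn.Open(); $conn.State; $conn.Close()
```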

Importing the Module:



Once you’ve modified the module to suit yourselves, it’s time to import the module and see if you’ve configured it correctly.

I suggest you change your executionpolicy to unrestricted with the following command first to remove any overzealous security warnings:

set-executionpolicy unrestricted

Now, open a PowerShell window and run the following command (where c:\ is the location of the module):

import-module C:\Citrix.Edgesight.Cmdlets.psm1



The module will either error out telling you that the details are incorrect as below:

Or confirm a database connection has been established:

If the module imported correctly, try one of my powershell functions to see if you can retrieve information.

For example, try:

get-esgroups
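
A narrower way to load the module, as an added example that is not from the original post: it relaxes the execution policy for the current process only and refuses to import the hand-edited file unless it still matches a hash recorded after review. Import-ReviewedModule is a hypothetical name, the hash value is a placeholder, and Get-FileHash needs PowerShell 4.0 or later.

```powershell
# Added example; not part of Citrix.Edgesight.Cmdlets.psm1.
function Import-ReviewedModule {               # hypothetical helper name
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$ExpectedSha256
    )
    # The module is edited by hand and later run unattended with modify rights
    # on the database, so check it is still the file that was reviewed.
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {         # -ne is case-insensitive for strings
        throw "Hash mismatch for $Path (got $actual); not importing."
    }

    # Clear the downloaded-from-the-internet mark on this one file only.
    Unblock-File -Path $Path

    # Applies to this PowerShell process only; the machine-wide policy is untouched.
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force

    Import-Module $Path -Global
}

# Record the hash once, after editing and reviewing the module:
#   (Get-FileHash 'C:\Citrix.Edgesight.Cmdlets.psm1' -Algorithm SHA256).Hash
# Then, in the interactive session or scheduled script (placeholder hash):
#   Import-ReviewedModule -Path 'C:\Citrix.Edgesight.Cmdlets.psm1' `
#       -ExpectedSha256 '<SHA256-OF-YOUR-REVIEWED-MODULE>'
```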





Adding and removing users from groups:



Once we have the module imported, we can get to the important task of modifying the memberships of Edgesight groups. Let’s do this manually once so we understand the process for Active Directory imports later.

1: To retrieve an Edgesight user Group’s group ID, run the following command:

get-esgroups


For this article, we’ll assume we want to add users to “All Access Gateway Users”, so the groupid is 11.

2: To clear the group, we can use the following command:

Clear-ESgroupmembers -GroupID 11


The command should return the number of deleted users.



3: Because we need the Edgesight user’s PRID to add the member to the group, we can retrieve it by running the following command (where “username” is the user’s login name):

Get-ESUserPrid username


I’ve omitted the username for privacy reasons.



4: Once we have the PRID we can now add the user to the group:

add-esgroupmember -GroupID 11 -Prid 26


If this returns no error, this has completed successfully.



5: To confirm this user is now in the correct group, try:

get-esgroupmembers -GroupID 11


You should see your user added as above.



You can also check this in Edgesight by reviewing the group details:

I’ve omitted the username for privacy reasons.



So now that we know a single user import works, let’s try an Active Directory import.

Importing from Active Directory:

You will need the following items for this task:

  • A PowerShell module or snapin for listing members of groups. *
  • The Active Directory group name.
  • The GroupID you wish to add the users to.

The basic concept behind this task is to clear the current group, then repopulate it with users from AD. Above I’ve walked you through one user, so now you understand the concept and can modify the script to import in bulk, safe in the knowledge that you know what is happening.

Now that you understand the process, it’s just a matter of using a PowerShell snapin or module to list Active Directory users and import them one by one.

Below you will find two examples using the Quest and Microsoft tools. These are fairly basic examples, as each person’s needs are different. The module is robust and flexible enough for you to script your own solution using these modules, and I’ll happily help if you have a specific requirement not covered by these basic examples.

*In reference to the PowerShell module: they are numerous and available online. For the sake of completeness I’ve included the Quest tools and the Microsoft ActiveDirectory module below for reference.

Quest Active Directory Snapin:

Below you will find an example of how to use the Quest Active Directory snapin for PowerShell to retrieve users from the group “Active Directory User Group” and populate the Edgesight user group 20 with these members.

For convenience, you can download this here:

import-module "C:\citrix.edgesight.cmdlets.psm1"
add-pssnapin Quest.ActiveRoles.ADManagement
$group="Active Directory User Group"
$esgroupid=20

#clear the group before import
clear-esgroupmembers -groupid $esgroupid

#get users from group, then import them into edgesight
foreach ($user in Get-QADGroupMember $group -type user -indirect -sizelimit 0){
    #look up the PRID; $null means Edgesight has not seen this user yet
    $prid = get-ESUserPrid $user.logonname
    if ($null -ne $prid){
        Add-ESGroupMember -groupid $esgroupid -prid $prid
    }
}#end foreach


Microsoft ActiveDirectory Powershell module:

Below you will find an example of how to use the Microsoft ActiveDirectory module for PowerShell to retrieve users from the group “Active Directory User Group” and populate the Edgesight user group 20 with these members.

For convenience, you can download this here:

import-module "C:\citrix.edgesight.cmdlets.psm1"
import-module activedirectory
$group="Active Directory User Group"
$esgroupid=20

#clear the group before import
clear-esgroupmembers -groupid $esgroupid

#get users from group, then import them into edgesight
foreach ($user in Get-ADGroupMember $group -recursive){
    #look up the PRID; $null means Edgesight has not seen this user yet
    $prid = get-ESUserPrid $user.samaccountname
    if ($null -ne $prid){
        Add-ESGroupMember -groupid $esgroupid -prid $prid
    }
}#end foreach

Keeping your groups up to date:

Once you are happy that you have gotten the code to work for your environment, you can simply run these scripts as scheduled tasks and the groups will be cleared and repopulated when the scheduled task runs.

It’s that simple.
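
A variation on the scripts above, as an added example that is not part of the original post or module: instead of clearing the group first, it resolves the AD membership and then adds and removes only the differences, so a failed AD lookup during a scheduled run does not leave the Edgesight group empty. Assumptions: Sync-ESGroupFromAD is a hypothetical name, Remove-ESGroupMember is assumed to take -GroupID and -Prid like Add-ESGroupMember, and Get-ESGroupMembers is assumed to return either bare PRIDs or objects with a Prid property.

```powershell
# Added example; not part of Citrix.Edgesight.Cmdlets.psm1.
Import-Module "C:\citrix.edgesight.cmdlets.psm1"
Import-Module ActiveDirectory

function Sync-ESGroupFromAD {                       # hypothetical helper name
    param(
        [Parameter(Mandatory=$true)][string]$ADGroup,
        [Parameter(Mandatory=$true)][int]$ESGroupId
    )
    # Resolve the desired membership before touching Edgesight. -ErrorAction Stop
    # turns an AD failure into a terminating error, so nothing gets removed.
    $adUsers = @(Get-ADGroupMember -Identity $ADGroup -Recursive -ErrorAction Stop |
                 Where-Object { $_.objectClass -eq 'user' })
    if ($adUsers.Count -eq 0) {
        throw "AD group '$ADGroup' returned no users; leaving Edgesight group $ESGroupId unchanged."
    }

    $wanted = @{}; $skipped = @()
    foreach ($u in $adUsers) {
        $prid = Get-ESUserPrid $u.SamAccountName    # warns if Edgesight has never seen the user
        if ($null -ne $prid) { $wanted[[int]$prid] = $u.SamAccountName }
        else                 { $skipped += $u.SamAccountName }
    }

    # Assumption: Get-ESGroupMembers emits bare PRIDs or objects with a Prid property.
    $current = @{}
    foreach ($m in @(Get-ESGroupMembers -GroupID $ESGroupId)) {
        if ($null -eq $m) { continue }
        $p = if ($m.PSObject.Properties['Prid']) { $m.Prid } else { $m }
        $current[[int]$p] = $true
    }

    $toAdd    = @($wanted.Keys  | Where-Object { -not $current.ContainsKey($_) })
    $toRemove = @($current.Keys | Where-Object { -not $wanted.ContainsKey($_) })

    foreach ($p in $toAdd)    { Add-ESGroupMember -GroupID $ESGroupId -Prid $p }
    # Assumption: Remove-ESGroupMember takes the same -GroupID/-Prid parameters.
    foreach ($p in $toRemove) { Remove-ESGroupMember -GroupID $ESGroupId -Prid $p }

    # Summary for the scheduled task log.
    New-Object PSObject -Property @{
        Added = $toAdd.Count; Removed = $toRemove.Count; SkippedNoPrid = $skipped
    }
}

Sync-ESGroupFromAD -ADGroup "Active Directory User Group" -ESGroupId 20
```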


Getting further help with these modules:



Once the module is imported, you can retrieve help on any of these commands by running “get-help (command)”, where command is the command you wish to retrieve help from.

I’m also quite happy to support and expand this module if necessary as I really enjoyed this project. Drop me a comment or email: andrew (at) andrewmorgan (dot) ie and I’ll see if I can help you with this.

  1. July 6, 2012 at 4:42 pm

    Andrew, Thank you very much for the script.
    I was having trouble generating reports for specific AD groups.

    I really like your script. I have implemented this in my environment.

    Thank you

  2. June 26, 2013 at 4:13 pm

    awesome script,

    Each Edgesight group has a unique GUID assigned when it is created, for this reason you must manually create the Edgesight groups before attempting to import users.

    you haven’t thought of adding a cmdlet to create a group and set an id to it?

    • June 27, 2013 at 11:47 pm

      I don’t have an edge sight instance anymore, from what I remember the prid needs to be sequential.
