When working with broken catalogs, you might come across an issue where you are unable to remove/manage machine accounts even though you are a Domain Admin. I first encountered the issue when i tried adding a new VM to an existing catalog which eventually failed. However, the machine account were created in Active Directory. When you use Citrix Studio to remove the Machine Accounts from the failed catalog, it errors saying the below
1 of 1 accounts could not be deleted from the identity Pool. Note that this result can occur if you do not have the required Active Directory permissions
I thought someone has altered the permissions of the Citrix service account that is used for MCS configuration under Hosting node in Studio. Checked the permissions and all looked good.
PowerShell to the rescue. I decided to check if the machine account ( the new machines that you are trying to create using the MCS/PVS catalog) is in Locked State in Active Directory. Please do NOT confuse this with the account lockouts as that is totally different thing. XenDesktop puts a lock for all the site objects when it senses something isn’t right and it need to be unlocked to manage that object further.
Type the below to load all the XenDesktop Cmdlets
asnp Citrix*
Unlock the account first by
Unlock-AcctADAccount -ADAccountSid S-1-5-21-1833432947-1194699598-2219139318-38424
You should now be able to remove the account using the Studio. Also remember to unlock all the machine accounts in the catalog before retrying the machine catalog deletion. In my case , I had only one machine account as the error message says.
I also have seen some admins reporting errors when failing to remove the Catalog with the below message and this happens when the Catalog reference to the machine account are broken or the administrator removed the accounts themselves from AD.
Remove the AD Machine accounts if you haven’t done so and then follow this link to remove the Catalog https://lalmohan.co.nz/2014/04/07/deleting-a-desktop-catalog-in-xendesktop-7-gives-the-error-the-machine-catalog-could-not-be-loaded-unable-to-find-machine-creation-data-for-id/
If the above doesn’t work for you, try removing the AD machine accounts and Machine Catalog via PowerShell by following the commands below
Removing the AD Machine Accounts
Remove-AcctADAccount -IdentityPoolName "Windows Server 2012 - HSD - MCS" -ADAccountSid S-1-5-21-1833432947-1194699598-2219139318-38424 -Force
Removing the Machine Catalog
Remove-AcctIdentityPool "Windows Server 2012 - HSD - MCS"
Thank you for the article.. and in a way helping me 🙂
glad that it helped, Swati..