When working with broken Citrix catalogs, you might have come across an issue where you are unable to remove or manage machine accounts even though you are a Domain Admin. I first encountered the problem when I tried adding a new VM to an existing catalog, which eventually failed. However, the machine accounts had already been created in Active Directory. When you then use Citrix Studio to remove the machine accounts from the failed catalog, it fails with the error below:
1 of 1 accounts could not be deleted from the identity Pool. Note that this result can occur if you do not have the required Active Directory permissions
I thought someone had altered the permissions of the Citrix service account that is used for MCS configuration under the Hosting node in Studio. I checked the permissions and all looked good.
PowerShell to the rescue. I decided to check whether the machine account (of the new machines that you are trying to create using the MCS/PVS catalog) is in a locked state in Active Directory. Please do NOT confuse this with account lockouts, as that is a totally different thing. XenDesktop puts a lock on all the site objects when it senses something isn’t right, and the object needs to be unlocked before you can manage it further.
Type the below to load all the XenDesktop Cmdlets
Unlock the account first by
Unlock-AcctADAccount -ADAccountSid S-1-5-21-2426453848-4273706875-3323952908-104702
In newer versions of XenApp/XenDesktop (Citrix Virtual Apps and Desktops, as they are now called), there is another property in the output that could confuse you, called “AccountLocked”. That is NOT the one we are after; we should be looking at “Lock” and its value. If the value is True, the machine account needs to be unlocked.
Once the account is unlocked, running Get-AcctADAccount will return a Lock value of False.
You should now be able to remove the account using Studio. Also remember to unlock all the machine accounts in the catalog before retrying the machine catalog deletion. In my case, I had only one machine account, as the error message says.
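If the catalog has more than one locked account, the check, unlock and re-check steps above can be run over the whole identity pool in one go. The following is an added example, not part of the original post: the helper name Unlock-IdentityPoolAccount is made up for illustration, the pool name is the one used later in this post, and it assumes the Citrix snap-ins are installed on the machine you run it from.

```powershell
# Added example (not from the original post).
# Assumption: run on a Delivery Controller or a machine with Studio installed,
# so the Citrix snap-ins are available.
Add-PSSnapin Citrix* -ErrorAction Stop

function Unlock-IdentityPoolAccount {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$IdentityPoolName
    )

    # "Lock" is the Citrix-side lock on the account object. It is unrelated to
    # an Active Directory account lockout and to the "AccountLocked" value.
    $locked = @(Get-AcctADAccount -IdentityPoolName $IdentityPoolName -MaxRecordCount 10000 |
        Where-Object { $_.Lock })

    Write-Verbose ("{0} locked account(s) in pool {1}" -f $locked.Count, $IdentityPoolName)

    foreach ($account in $locked) {
        # -WhatIf / -Confirm are honoured here, so a dry run changes nothing.
        if ($PSCmdlet.ShouldProcess($account.ADAccountName, 'Unlock-AcctADAccount')) {
            $null = Unlock-AcctADAccount -ADAccountSid $account.ADAccountSid
        }
    }

    # Re-read the pool so the caller can confirm that Lock is now False.
    Get-AcctADAccount -IdentityPoolName $IdentityPoolName -MaxRecordCount 10000 |
        Select-Object ADAccountName, ADAccountSid, State, Lock
}

# Dry run first: lists what would be unlocked without touching anything.
Unlock-IdentityPoolAccount -IdentityPoolName 'CG-XA-W2K16-CAT-CORE' -WhatIf -Verbose
```

Drop -WhatIf once the list looks right; the table it returns should then show Lock as False for every account before you go back to Studio.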
I have also seen some admins reporting errors when failing to remove the catalog with the below message. This happens when the catalog's reference to the machine account is broken or the administrator removed the accounts from AD themselves.
Remove the AD machine accounts if you haven’t done so, and then follow this link to remove the catalog: https://lalmohan.co.nz/2014/04/07/deleting-a-desktop-catalog-in-xendesktop-7-gives-the-error-the-machine-catalog-could-not-be-loaded-unable-to-find-machine-creation-data-for-id/
If the above doesn’t work for you, try removing the AD machine accounts and the machine catalog via PowerShell by following the commands below.
Removing the AD Machine Accounts
Remove-AcctADAccount -IdentityPoolName "CG-XA-W2K16-CAT-CORE" -ADAccountSid S-1-5-21-2426453848-4273706875-3323952908-104702 -Force
Removing the Machine Catalog
There you have it. Please comment below, if you find the post useful.