Update May 27th, 2021 – Interoperability with Windows 2019 / Group Policy and Horizon Service Account permissions
For VMware Cloud Providers that are using Horizon, monthly usage collection is not automated or collected by Usage Meter currently. This is a manual process that requires the Provider to retrieve the highwater mark concurrent usage on a monthly basis.
This post will document the automation of reporting of Horizon statistics in a Cloud Provider environment. I have tested this in my environment with vSphere 6.5 with Horizon 7.x.
First off, I did not do this by myself. Winston Blake and Carahsoft provided the initial script and I built off of it from there. Moreover, I received guidance from Luis Ayuso, Ray Heffer, and Wouter Kursten – this is the power of the #vCommunity! This is the first time I’ve created PowerShell code and published it to a git repo.
What does this PowerShell script provide?
- Creation of secure string for storing service account password
- Collection of Horizon Concurrent Usage data
- Outputs this to a file
- Emails this to a specified recipient(s)
What does it not provide?
- Setup of Windows Scheduled Task
Reset of Highest Count in Horizon – yes, this is a bummer but will explain further on why.It now resets the highest count, thanks to Sean Massey‘s addition.
- Create a service account for running the usage collection.
- Download scripts to a folder on your View Manager server.
- Modify scripts and input folder and SMTP parameters.
- Run Part 1 of 2 – the securestring/password PS script.
- Create a basic task in Task Scheduler
- Test Run
- Enjoy emailed reports on a monthly basis
and a quick link on resetting the highest count.
Create a service account
- In my lab environment, I created an account called “horizonsvc” in my domain. This is just a non-privileged account that I will utilize for read-only access to the Horizon environment. While the PowerShell script does convert the password to a securestring, this is just another best practice rather than running it as the default administrator account.
- In AD, we can see my Horizon Service Account –
- And we also see that I added this user that’s attached to the Administrators (Read Only) group that provides limited permissions (no modifications available). UPDATE: If you desire to reset the highest count using this script, your account WILL need a specific privilege – GLOBAL_CONFIG_MANAGEMENT. Please add this to your service account. Here is the table for the Horizon API call.
Download scripts to a folder on your View Manager server
My repo is located here – https://github.com/dpaluszek/horizon-vcpp
The first file is the password file that will store the service account password in a secure string.
Next, the second file does the work on collection while creating the file and emailing it out –
Update October 23rd, 2020 – we can now reset the highwater mark within the script. Thanks, Sean Massey!
While this does automate the collection of the highwater mark of concurrent users, it does NOT reset the usage after collection. This has to be manually done and there is a link inside of the received email to do this operation. Here’s why – There’s not a direct API/PowerShell command today that can reset this. However, one can see this field under the ADSI structure under “OU=Properties, OU=Global, CN=Counters” – we can see pae-NumCCUCountHigh which is the variable we need. After my testing of changing this variable (along with Wouter’s help), it seems to be delayed on propagation and I do not know the long term effects of this while View Manager is running. Last of all, I do not know if this would be a production-supported operation – but researching other options and what the BU can do in the future.
Modify scripts and input parameters
Let’s walk through each file and what needs to be modified before running this in your environment:
- On line 8, we need to change the location directory of where you are going to save this file. I suggest putting it in the same location as the two PS scripts along with the two files that will be created
#Replace "C:\directory\" with the target directory for your secure string text file. read-host -AsSecureString -prompt "Please enter the password" | ConvertFrom-SecureString | Out-File C:\horizon\$filename.txt
- Line 8/9 – we need to utilize the same directory location as in 1B –
##Replace "C:\DIRECTORY\file.txt" with the path to your encrypted service account password $password = get-content C:\horizon\file.txt | ConvertTo-SecureString
- Line 10/11 – change it to your service account. As an example, I am utilizing “CORP\horizonsvc” as my account.
##Replace "DOMAIN\username" with service account name previously used in Part 1 of 2 $credentials = new-object -TypeName System.Management.Automation.PSCredential -argumentlist "CORP\horizonsvc",$password
- Line 13/14 – Modify your FQDN of your View Instance. For example, I am using “view-01a.corp.local”
##Replace FQDN with hostname of your Horizon Manager server. $hznode ="view-01a.corp.local"
- Line 30 – Another directory change –
$file = "c:\horizon\horizon-usage-$timestamp.txt"
- Lines 40 to 43 – this is your SMTP/email information. Update with your SMTP server, recipient, and sender.
##Change the three variables below for your environment: smtpserver, recipient, and sender. $smtpserver = "mail.rainpole.com" $recipient = "firstname.lastname@example.org" $sender = "email@example.com"
- Line 8/9 – we need to utilize the same directory location as in 1B –
Run Part 1 of 2 – securestring/password PS script
- This is pretty straightforward – we open up PowerShell and .\ the first script and input your service account password –
- We can now see the service account password stored in the file.
Create a basic task in Task Scheduler
- This could be run locally on the View Manager server or some other Windows server that can traverse the network and hit the View instance.
- Right click -> Create a Basic Task, provide a name – I am using Horizon Usage Report
- Select Monthly as we will want to run this on the last day of the month before the next calendar month –
- We will have this start at the end of the month but selecting all calendar months and the last day of the month. I have 11:45 PM local time to give us a 15-minute buffer to run the operation (even though this takes a few seconds to run).
- We want to select Start a Program since we will call on PowerShell –
- I just typed in “powershell.exe” since it should be in your path already. Under Add Arguments, put the full path to your usage script. For example, I am using “C:\horizon\horizon-usage-script.ps1”
- Summary page, but make sure you check the box for Open the Properties dialog for this task as we want to make sure this task runs even if there’s not a logged in user –
- Change the radio button to “Run whether user is logged on or not” and press OK –
- UPDATE 2021May27 – if you are running Windows 2019 and have a tightly controlled Group Policy, you might need to run the task as the SYSTEM user
- It will then prompt your for credentials to save this task –
- Okay, now we are ready to run it!
Test Run and Expected Output
- Let’s try to test run our newly created task –
- We can see the task completes pretty quickly, about 2 seconds –
- Ah, we got the email! We can see the body with the URL to reset the highest count along with the attached usage.
- In the file, we can see in my lab environment I had a count of 2 for the NumConnectionsHigh. This is what I’d report under BizPortal/iAsset for my monthly usage.
- While the file was created in my directory –
As for the reset highest count, I am still evaluating all options and will be discussing this internally. I am hoping this is valuable for our VMware Cloud Providers and alleviating some of the operational reporting burden.
Again, big thanks to the vCommunity for the help. I had quite a bit of fun and continue to learn more from an automation/programming perspective.