Product Documentation


Oct 12, 2015




The Delegated Administration Service PowerShell snap-in provides administrative functions for the Delegated Administration Service.


All commands in this snap-in are prefixed with 'Admin'.


The Delegated Administration Service PowerShell snap-in enables both local and remote administration of the Delegated Administration Service.

The Delegated Administration Service (or DAS for short) stores information about Citrix administrators and the rights they have. Services in the XenDesktop deployment use the DAS to determine whether a particular user has the privilege to perform an operation or not.

The snap-in provides storage and configuration of these entities:


        Each administrator object represents an individual person or a group 
        of people identified by their Active Directory account. 
        Administrators can be enabled and disabled. 
        The effective rights that a user has is the superset of any rights 
        that they have by looking at their Active Directory group membership. 
        Disabled administrator entries are ignored for this calculation. 
        Once a site is setup, there must always be a full administrator and 
        the Delegated Administration snap-in rejects requests to remove or 
        disable the last full administrator. 


        A role represents a job function. That is, anyone with a given role 
        is expected to be able to use or perform the tasks, wizards, and 
        actions associated with that role. Administrators may have multiple 
        roles for a particular site. 
        Some roles are built-in, and some editions of the product allow custom 
        roles to be created with different combinations of permissions. 


        Scopes represent a collection of objects, and are used to group 
        objects for administrative purposes in a way that is relevant to the 
        organisation. They can be used to represent both hierarchical and 
        non-hierarchical relationships. 
        Objects can exist in multiple scopes at once. You may find it 
        easier to think of scopes as labels, or a non-exclusive grouping such as 
        a play-list. 
        All objects are implicitly in the built-in 'All' scope. 
        Some objects are not scoped, and access to them is through either the 
        'All' scope or indirectly through a scoped object. For example 
        sessions are not directly scoped but can be accessed using the 
        scope of the desktop group. 
        The DAS stores information about scopes, but the mapping between 
        scopes and objects is stored and updated using the PowerShell 
        snap-ins of each corresponding service. For example, Delivery Group 
        scopes are managed using the Broker PowerShell snap-in. 


        Rights determine what an administrator can do and where they can do 
        it. They are expressed as a number of <role, scope> pairs associated 
        with each administrator. 
        To gain access to any particular object, a person must match an 
        administrator object that has an appropriate right that allows the 
        required operation in a scope that the object is a member of. 


        Each task, wizard or action in the Citrix Studio or Director consoles 
        represents a unit of functionality that an administrator can perform. 
        Permissions are expressed at a high level and generally correspond 
        directly to the labels in the consoles. For example: "Edit catalog", 
        or "Create delivery group". 

Permission groups:

        Permissions are grouped into related functionality when displayed 
        by the console. 


        Operations are the indivisible unit of functionality that each 
        XenDesktop service can perform, and usually correspond to 
        individual cmdlets. Internally, each permission requires a number 
        of operations to be performed, possibly by different services.