AWS Public Sector Blog

Automating deployment of Amazon WorkSpaces from an Active Directory group

With the increase in remote work and education, government, education, and nonprofit organizations are adopting virtual desktop solutions like Amazon WorkSpaces. Large-scale deployments of virtual desktop solutions can decrease administrative burden and save time. In this post, you can learn how to deploy Amazon WorkSpaces with less engineering effort by using a PowerShell script.

Amazon WorkSpaces automation simplifies the administrative effort of deploying new Amazon WorkSpaces to your Active Directory users. By executing this script, you can deploy dozens or thousands of WorkSpaces in a simple and guided manner. You can do this with either AWS-provided bundles or custom bundles, which are template operating systems to deploy WorkSpaces to your users.

This post shows you how to:

  • Understand and validate the prerequisites necessary to run the PowerShell script
  • Execute the script and follow the guided prompts
  • Deploy Amazon WorkSpaces at scale
  • Review a log of deployments to confirm the deployment succeeded

Prerequisites

Make sure you meet the following requirements before getting started:

  • An Active Directory deployment containing a group to deploy Amazon WorkSpaces to
  • A Directory or AD Connector registered in WorkSpaces
    • Make sure the subnets containing the directory or AD connector have enough free IP addresses for your WorkSpaces deployment
  • Run the script on a system joined to the Active Directory Domain that is being queried for user and group information
    • This can be on an Amazon EC2 instance, a WorkSpaces instance, or a domain-joined local computer
  • An AWS Identity and Access Management (IAM) user or role with permissions to query the Directory Services and WorkSpaces Bundles, and rights to create WorkSpaces
    • If using an IAM user, configure the PowerShell session to use your IAM credentials
  • The Active Directory module for Windows PowerShell installed on the system executing the script
  • The AWS Tools for PowerShell installed on the system executing the script

Walk-through

Download and save the script to a location on the system configured to meet the prerequisites. To begin the guided process, execute the script by typing “.\FILENAME.PS1”, where FILENAME is the name you gave the downloaded file (see Figure 1).

Figure 1

The script prompts for the path where the log file output is saved during WorkSpaces creation. Type a path or accept the default and press the Enter key. If the path doesn’t exist, the script creates the folder for you.

Figure 2

This script takes an Active Directory group name as input. The dialog in Figure 3 shows the properties of an example group named “VDI,” which contains four users. The script prompts for a group name, and all enabled users in that group have a WorkSpace provisioned for them.

Figure 3

The script asks you to enter a group name (spaces are acceptable); here, the example group named “VDI” is chosen for deployment. The script queries the group to determine how many users it contains. This is an opportunity to confirm the quantity of WorkSpaces that are being created.

Figure 4

Next, the script prompts for what region the WorkSpaces are to be deployed in. The list in Figure 5 contains the regions where WorkSpaces are currently supported as of April 2020.

Figure 5

After selecting a region, the script queries the AWS account for Directories to which users could be deployed. Type the DirectoryId for the desired directory that the WorkSpaces will join.

Figure 6

The list of available bundles is queried and displayed with the custom bundles owned by the customer AWS account at the end of the list.

Figure 7

In this example, the custom bundle at the end of the list is selected for deployment by entering its WorkSpaces BundleId.

The script then creates a WorkSpace for each of the users in the Active Directory group. If any WorkSpaces already exist or any error occurs, the output is recorded on the screen and in a log file in the location specified during script execution.

Figure 8

Figure 9 shows that three WorkSpaces are currently pending and one is already available as it was provisioned in a prior execution of the script. No modifications are made to previously existing WorkSpaces so you can run the script multiple times without impacting existing operations.

Figure 9

Finally, let’s review the log file, which was directed to the C:\temp path (Figure 10). This file is in comma-separated value (CSV) format so it can be imported into outside tools for easy filtering. Note that the log shows that “scripteduser1” already had an existing WorkSpace, so it was skipped, and that three other WorkSpaces were created, which matches the above console status. Any other errors are also recorded in this log, so briefly reviewing the log for errors is a recommended final step after executing the script.

Figure 10
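
The core of the flow walked through above, as an added PowerShell sketch that is not the downloadable script from this post: it provisions only enabled group members, skips users who already have a WorkSpace so reruns are safe, and writes every outcome to a CSV log. The Region, DirectoryId and BundleId values, the log file name, the CSV columns, and the use of sAMAccountName as the WorkSpaces user name are placeholders or assumptions.

```powershell
# Added sketch, not the script from this post. All input values are placeholders.
Import-Module ActiveDirectory
Import-Module AWS.Tools.WorkSpaces   # or AWSPowerShell, depending on the installed package

$GroupName   = 'VDI'
$Region      = 'us-east-1'                        # placeholder Region
$DirectoryId = 'd-xxxxxxxxxx'                     # placeholder DirectoryId
$BundleId    = 'wsb-xxxxxxxxx'                    # placeholder BundleId
$LogFile     = 'C:\temp\WorkSpacesDeploy.csv'     # hypothetical log file name

# Create the log folder if it does not exist yet
$logDir = Split-Path -Path $LogFile -Parent
if (-not (Test-Path -Path $logDir)) { New-Item -ItemType Directory -Path $logDir | Out-Null }

# Only enabled user accounts in the group are provisioned
$users = Get-ADGroupMember -Identity $GroupName |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser |
    Where-Object { $_.Enabled }

$results = foreach ($user in $users) {
    $name = $user.SamAccountName   # assumption: WorkSpaces user name is the sAMAccountName
    $row  = [ordered]@{ Time = (Get-Date -Format s); UserName = $name; Status = ''; Detail = '' }
    try {
        # Existing WorkSpaces are left untouched, which keeps repeated runs safe
        $existing = Get-WKSWorkspace -DirectoryId $DirectoryId -UserName $name -Region $Region
        if ($existing) {
            $row.Status = 'Skipped'
            $row.Detail = "Existing WorkSpace $($existing.WorkspaceId)"
        } else {
            $request  = New-Object Amazon.WorkSpaces.Model.WorkspaceRequest -Property @{
                DirectoryId = $DirectoryId; BundleId = $BundleId; UserName = $name }
            $response = New-WKSWorkspace -Workspace $request -Region $Region
            if ($response.FailedRequests) {
                # The API reports per-user failures in the response instead of throwing
                $row.Status = 'Failed'
                $row.Detail = $response.FailedRequests[0].ErrorMessage
            } else {
                $row.Status = 'Created'
                $row.Detail = $response.PendingRequests[0].WorkspaceId
            }
        }
    } catch {
        $row.Status = 'Error'; $row.Detail = $_.Exception.Message
    }
    [pscustomobject]$row
}
$results | Export-Csv -Path $LogFile -NoTypeInformation -Append
$results | Group-Object Status | Select-Object Name, Count   # quick post-run summary
```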

Summary

In this post, you used PowerShell and a deployment script to deploy WorkSpaces for all members of an Active Directory group in a guided manner. You then reviewed the log file output to see useful information on the state of the automated WorkSpaces deployments.

Learn more about end user computing (EUC), Amazon WorkSpaces, and AWS in the public sector. Read other stories about end user computing on the AWS Public Sector Blog or the AWS Desktop and Application Streaming Blog.

Grant Joslyn

Grant Joslyn is a solutions architect for the US state and local government public sector team at Amazon Web Services (AWS). He specializes in end user compute and cloud automation. He provides technical and architectural guidance to customers building secure solutions on AWS. He is a subject matter expert and thought leader for strategic initiatives that help customers embrace DevOps practices.