Change root password on all (or some) vSphere hosts

Version 4

    I created this script because I was surprised I couldn't find any similar solution online, and our current password management solution (Cyber-Ark Password Vault) can't manage ESXi root passwords without a bunch of hacking. This is meant to be an interactive script that I personally will be running every quarter. This script:

    • prompts you for the old password

    • prompts you for the new password

    • prompts you for the vCenter server name

    • prompts you for vCenter credentials

    • Queries vCenter for the hosts you want to change. See the "Host selection section" in the middle of the script to adjust which hosts it finds

    • Disconnects from vCenter

    • Connects to each host individually and changes the root password

     

    (Update: Apparently I wasn't searching well before.  I found a couple other similar scripts.  I'll leave this here just because!)

    http://communities.vmware.com/thread/172220

    http://communities.vmware.com/thread/272863

     

    (Update 2: Attaching script file as well)

     

    #Read in old and new passwords, masked
    $oldpw = read-host -prompt "Enter the current root password" -AsSecureString
    $newpw = read-host -prompt "Enter the desired new root password" -AsSecureString
    #Decrypting for actual use (the -password parameters used below take plain strings)
    $oldpw = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($oldpw))
    $newpw = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($newpw))
    
    #Get list of ESXi hosts
    $vCenter = Read-host -prompt "Enter the vCenter hostname"
    write-host "Prompting for credentials and connecting to vCenter..."
    connect-viserver -server $vCenter -Credential (Get-Credential)
    $hosts = @()
    write-host "Querying for ESXi hosts..."
    
    
    #!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    # Host selection section
    # Uncomment only one Get-VMHost line
    #!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    
    #Only ESXi hosts
    Get-VMHost | sort | Where {$_.State -eq "Connected" -or $_.State -eq "Maintenance"} | Get-View | Where {$_.Summary.Config.Product.Name -match "i"} | % { $hosts+= $_.Name }
    #All hosts
    #Get-VMHost | sort | Where {$_.State -eq "Connected" -or $_.State -eq "Maintenance"} | % { $hosts+= $_.Name }
    #All vSphere hosts (>= version 4.0.0)
    #Get-VMHost | sort | Where {($_.State -eq "Connected" -or $_.State -eq "Maintenance") -and $_.version -ge '4.0.0'} | % { $hosts+= $_.Name }
    
    Disconnect-VIServer -confirm:$false
    
    #Connect to each ESXi host and change pw
    foreach ($vmhost in $hosts) {
        write-host "Connecting to $vmhost..."
        connect-viserver -server $vmhost -user root -password "$oldpw"
        write-host "Changing root password on $vmhost..."
        Set-VMHostAccount -UserAccount root -password "$newpw"
        Disconnect-VIServer -confirm:$false
    }
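
The loop above does not record which hosts failed, so a host that could not be reached silently keeps the old password. The following is an added example, not part of the original script: a variant of the per-host loop that scopes every call to one explicit connection, stops on the first error for that host, and confirms the new password by logging in with it. The function name `Set-EsxiRootPassword` and its parameters are hypothetical; it assumes PowerCLI is loaded, certificate handling is already configured, and the passwords are passed as the SecureString values returned by `Read-Host -AsSecureString` (before the decryption step).

```powershell
# Added example (not from the original script). Requires VMware PowerCLI.
# Set-EsxiRootPassword and its parameter names are hypothetical.
function Set-EsxiRootPassword {
    param(
        [string[]]$HostName,
        [securestring]$OldPassword,
        [securestring]$NewPassword
    )
    $oldCred = New-Object System.Management.Automation.PSCredential('root', $OldPassword)
    $newCred = New-Object System.Management.Automation.PSCredential('root', $NewPassword)
    foreach ($name in $HostName) {
        $result = [pscustomobject]@{ Host = $name; Changed = $false; Verified = $false; Error = $null }
        $conn = $null
        try {
            $conn = Connect-VIServer -Server $name -Credential $oldCred -ErrorAction Stop
            $account = Get-VMHostAccount -Server $conn -Id root -ErrorAction Stop
            # Set-VMHostAccount takes -Password as a string, so plain text exists only here
            $plain = $newCred.GetNetworkCredential().Password
            Set-VMHostAccount -Server $conn -UserAccount $account -Password $plain -Confirm:$false -ErrorAction Stop | Out-Null
            $result.Changed = $true
        } catch {
            $result.Error = $_.Exception.Message
        } finally {
            $plain = $null
            if ($conn) { Disconnect-VIServer -Server $conn -Confirm:$false -ErrorAction SilentlyContinue }
        }
        if ($result.Changed) {
            # Prove the rotation took effect by logging in with the new password
            try {
                $check = Connect-VIServer -Server $name -Credential $newCred -ErrorAction Stop
                $result.Verified = $true
                Disconnect-VIServer -Server $check -Confirm:$false
            } catch {
                $result.Error = "Verify failed: $($_.Exception.Message)"
            }
        }
        $result
    }
}

# Usage, with $hosts built by the host selection section and the two
# SecureString values still undecrypted (variable names here are assumptions):
#   $results = Set-EsxiRootPassword -HostName $hosts -OldPassword $oldSecure -NewPassword $newSecure
#   $results | Where-Object { -not $_.Verified } | Format-Table Host, Changed, Error
```

Hosts listed by the final filter still carry the old root password (or an unverified new one) and need a manual follow-up before the rotation is recorded as complete.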