Change root password on all (or some) vSphere hosts

Version 4

    I created this script because I was surprised I couldn't find any similar solution online, and our current password management solution (Cyber-Ark Password Vault) can't manage ESXi root passwords without a bunch of hacking. This is meant to be an interactive script that I personally will be running every quarter. This script:

    • prompts you for the old password

    • prompts you for the new password

    • prompts you for the vCenter server name

    • prompts you for vCenter credentials

    • Queries vCenter for the hosts you want to target. See the "Host selection section" in the middle of the script to adjust which hosts it finds

    • Disconnects from vCenter

    • Connects to each host individually and changes the root password


    (Update: Apparently I wasn't searching well before.  I found a couple other similar scripts.  I'll leave this here just because!)


    (Update 2: Attaching script file as well)


    #Read in old and new passwords, masked
    $oldpw = read-host -prompt "Enter the current root password" -AsSecureString
    $newpw = read-host -prompt "Enter the desired new root password" -AsSecureString
    #Decrypting for actual use (from here on both passwords are plain strings in memory)
    $oldpw = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($oldpw))
    $newpw = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($newpw))
    #Get list of ESXi hosts
    $vCenter = Read-host -prompt "Enter the vCenter hostname"
    write-host "Prompting for credentials and connecting to vCenter..."
    connect-viserver -server $vCenter -Credential (Get-Credential)
    $hosts = @()
    write-host "Querying for ESXi hosts..."
    # Host selection section
    # Uncomment only one Get-VMHost line
    #Only ESXi hosts (the product name filter keeps names containing "i", which "VMware ESX" does not)
    Get-VMHost | sort | Where {$_.State -eq "Connected" -or $_.State -eq "Maintenance"} | Get-View | Where {$_.Summary.Config.Product.Name -match "i"} | % { $hosts+= $_.Name }
    #All hosts
    #Get-VMHost | sort | Where {$_.State -eq "Connected" -or $_.State -eq "Maintenance"} | % { $hosts+= $_.Name }
    #All vSphere hosts (>= version 4.0.0)
    #Get-VMHost | sort | Where {($_.State -eq "Connected" -or $_.State -eq "Maintenance") -and $_.version -ge '4.0.0'} | % { $hosts+= $_.Name }
    Disconnect-VIServer -confirm:$false
    #Connect to each ESXi host and change pw
    foreach ($vmhost in $hosts) {
        write-host "Connecting to $vmhost..."
        connect-viserver -server $vmhost -user root -password "$oldpw"
        write-host "Changing root password on $vmhost..."
        Set-VMHostAccount -UserAccount root -password "$newpw"
        Disconnect-VIServer -confirm:$false
    }
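
A variant of the per-host loop above with error handling and verification, added here as an example and not part of the original author's script. The function name `Update-RootPassword` is hypothetical; it assumes the host list from the vCenter query and the two `SecureString` values from `Read-Host` before they are decrypted, and it uses the same `Set-VMHostAccount -UserAccount root` call as the script.

```powershell
# Added example, not the original author's script. Update-RootPassword is a hypothetical name.
function Update-RootPassword {
    param(
        [Parameter(Mandatory)] [string[]] $VMHostName,
        [Parameter(Mandatory)] [securestring] $OldPassword,
        [Parameter(Mandatory)] [securestring] $NewPassword
    )
    # Keep both passwords wrapped in PSCredential objects; only the new one is
    # unwrapped, at the single call that requires a plain string.
    $oldCred = New-Object System.Management.Automation.PSCredential('root', $OldPassword)
    $newCred = New-Object System.Management.Automation.PSCredential('root', $NewPassword)

    foreach ($name in $VMHostName) {
        $conn = $null
        $status = 'Changed'
        try {
            # -ErrorAction Stop turns a failed login into an exception, so the
            # password change is never attempted without a session to this host.
            $conn = Connect-VIServer -Server $name -Credential $oldCred -ErrorAction Stop
            Set-VMHostAccount -Server $conn -UserAccount root `
                -Password $newCred.GetNetworkCredential().Password -ErrorAction Stop | Out-Null
        } catch {
            $status = "Failed: $($_.Exception.Message)"
        } finally {
            if ($conn) { Disconnect-VIServer -Server $conn -Confirm:$false }
        }
        if ($status -eq 'Changed') {
            # Verify the change by logging in again with the new password.
            try {
                $check = Connect-VIServer -Server $name -Credential $newCred -ErrorAction Stop
                Disconnect-VIServer -Server $check -Confirm:$false
                $status = 'Verified'
            } catch {
                $status = "Changed but not verified: $($_.Exception.Message)"
            }
        }
        # One result object per host, so hosts left on the old password are visible.
        [pscustomobject]@{ VMHost = $name; Status = $status }
    }
}

# Usage with the script's variables, skipping its decrypt step:
# $results = Update-RootPassword -VMHostName $hosts -OldPassword $oldpw -NewPassword $newpw
# $results | Where-Object Status -ne 'Verified'   # hosts that still need attention
```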