I am looking to add some local users and I want to see if this can be done with powershell. I am completely new to powershell so I am looking for some direction. Any help will be appreciated.
Thanks
Where do you want to add these local users?
To the ESX servers or to servers running as guests?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Do you have a virtual center server or not? The answer affects how you work with multiple servers (but it can be done either way).
Author of the upcoming book: Managing VMware Infrastructure with PowerShell
Co-Host, PowerScripting Podcast (http://powerscripting.net)
If you are looking to add local users to ESX servers, there is a cmdlet called 'New-VMHostAccount' that can help you do that.
Unfortunately there is no cmdlet for VC.
You could probably use something like Quest's Active Directory cmdlets to, for lack of a better way of describing it, "add users to VirtualCenter", assuming that you use Active Directory with VC.
Hello,
Thanks for all the replies, yes we use virtual center, yes I use AD authentication to virtual center and yes we authenticate to the ESX servers using Kerberos. I need to add new admins to all of our ESX hosts when we hire on new people so I need a more efficient way to do this than logging in to each server and doing a user add. I also need to add them to the sudoers file.
I think your answers will help get me going but any more suggestions are most definitely welcome.
I need to add new admins to all of our ESX hosts when we hire on new people so I need a more efficient way to do this than logging in to each server and doing a user add.
Try something like this (not tested):
    param (
        $Server,
        $UserID,
        $Password = "t3mpP@ss",
        $Group = @("adm", "floppy", "gopher")
    )
    # Connect to the host(s) passed in -Server; you'll be prompted to login
    $conn = Connect-VIServer -Server $Server
    $desc = "ESX Server Administrator Account"
    # Create each requested account on every connected host
    $UserID | ForEach-Object {
        New-VMHostAccount -Server $conn -Id $_ -Description $desc -Password $Password `
            -AssignGroups $Group
    }
Save as a file (e.g. makeAcct.ps1) and use like so:
    PS > $esx = "server1", "server2", "server3"
    PS > $users = "jsmith", "bsmith", "ksmith"
    PS > .\makeAcct.ps1 -server $esx -userID $users
You may want to change those groups.
You'll need to use '-AssignGroups $Group' and choose a sensible default for that.
Note that you don't have to do it over...use Get-VMHostAccount to grab the user accounts you have created, then pipe to Set-VMHostAccount and use the AssignGroups parameter as you would with New-VMHostAccount.
    Get-VMHostAccount -Id jsmith | Set-VMHostAccount -AssignGroups @("gopher", "ftp") # don't use these groups 🙂
I don't quite understand.
When I create a new user with New-VMHostAccount it creates an account that doesn't have shell access.
No default shell as per line below from /etc/passwd.
newuser:x:502:501::/home/newuser:/bin/false
As I understand it needs to be
newuser:x:502:501::/home/newuser:/bin/bash
Thanks for your help
When I create a new user with New-VMHostAccount it creates an account that doesn't have shell access.
No default shell as per line below from /etc/passwd.
Oh! I get it now. Hmm...that's a good one...
I'm gonna make a snap judgement and say that this may not be doable
using polite conventional means. I mean, by design, you would not
normally give your ESX users shell access, no matter their level of
permission on the host server itself. That is sort of crossing the
application boundary over to the COS (console OS). It is entirely
possible that this is not doable from the VI SDK, and hence, not
/easy/ from PowerShell.
Didn't say not possible though. Let's hear a couple more opinions on
the VI SDK's abilities before I go down the no-vi-sdk route.
--
Author, Tech Prosaic blog (http://halr9000.com)
Webmaster, Psi (http://psi-im.org)
Community Director, PowerShellCommunity.org
Co-host, PowerScripting Podcast (http://powerscripting.net)
Follow me on Twitter: http://twitter.com/halr9000
I should have mentioned this is only for top level ESX admins.
There are still lots of things you can't do through the VC client.
We prefer our admins to log in with their own accounts and su to root if needed.
We have 44 ESX 3.5 hosts and it's a pain to have to log into each host via the VC client to create and delete accounts.
There are other ways I can do this but I thought I'd give powershell a go.
Thanks again
There are other ways I can do this but I thought I'd give powershell a go.
Well, that's certainly what this forum is for. It's just that if it
cannot be done via the VI SDK then it gets ugly.
I should have mentioned this is only for top level ESX admins.
Oh, I don't care what you do. I was just making sure that you did
recognize the distinction betwixt COS and ESX admins.
There are still lots of things you can't do through the VC client.
You mind starting a new thread with this list of things? It would be
a good seed for new scripts for others to write.
We prefer our admins to log in with their own accounts and su to root if needed.
We have 44 ESX 3.5 hosts and it's a pain to have to log into each host via the VC client to create and delete accounts.
Well, we can't have you doing it that way, that's just silly.
Step 1. Download plink from the putty project
(http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html) and
put it in your path.
Step 2. Make a mess...
This assumes that your ESX server names are resolvable via DNS.
    $user = "root"
    $pass = "pass"
    # example sed cmd only...it'll enable shell access for *all* users
    $cmd = "sed -i 's/\/bin\/false/\/bin\/bash/g' /etc/passwd"
    # Run the command over SSH (plink) on every host returned by Get-VMHost
    Get-VMHost | ForEach-Object {
        plink -batch -pw $pass "$user@$( $_.Name )" $cmd
    }
Now is the time where someone else writes your sed command--I'm not
that skilled at those. You may want to make a loop for each user,
or you might for example just search for all lines which contain a
certain group (e.g. wheel) and enable shell on those.
-hal
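A narrower alternative to the catch-all sed in the post above, as an added example that is not part of the original thread: it changes the shell field only for named accounts and lists which accounts end up with a login shell. The function names and sample accounts are made up for illustration, and the file argument lets it be tried on a copy before it is pointed at /etc/passwd on the service console.

```shell
#!/bin/sh
# Added example, not from the thread. FILE is a passwd-format file so the
# change can be rehearsed on a copy before it is run against /etc/passwd.

# set_shell_for_users FILE SHELL USER...
# Sets field 7 (login shell) to SHELL only for the named users, and only
# when their current shell is /bin/false. Every other line is left as is.
set_shell_for_users() {
    file=$1; new_shell=$2; shift 2
    case $new_shell in
        /*) ;;
        *) echo "shell must be an absolute path" >&2; return 2 ;;
    esac
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    awk -F: -v OFS=: -v users="$*" -v sh="$new_shell" '
        BEGIN { n = split(users, u, " "); for (i = 1; i <= n; i++) want[u[i]] = 1 }
        ($1 in want) && $7 == "/bin/false" { $7 = sh }
        { print }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Refuse to install a result whose line count differs from the input.
    if [ "$(wc -l < "$tmp")" -ne "$(wc -l < "$file")" ]; then
        rm -f "$tmp"; return 1
    fi
    # Keep a rollback copy, then overwrite in place so owner and mode survive.
    cp -p "$file" "${file}.bak" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# shell_users FILE
# Audit helper: prints every account whose shell is not a "no login" shell.
shell_users() {
    awk -F: 'NF == 7 && $7 != "/bin/false" && $7 != "/sbin/nologin" { print $1 }' "$1"
}

# Constructed sample data (not real accounts), modelled on the passwd line
# quoted earlier in the thread.
demo() {
    f=$(mktemp) || return 1
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'newuser:x:502:501::/home/newuser:/bin/false' \
        'svcacct:x:503:501::/home/svcacct:/bin/false' > "$f"
    set_shell_for_users "$f" /bin/bash newuser && shell_users "$f"
    rm -f "$f" "${f}.bak"
}
demo
```

Running shell_users on each host before and after the change gives a quick record of who can log in to the console.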
Looks like something we left out. Can you try this as a temporary measure:
    function Create-ShellUser {
        param($id, $password=$null, $description=$null, $posixId=$null)
        # Get the host's AccountManager through the service instance
        $si = Get-View ServiceInstance
        $accountManager = Get-View $si.Content.AccountManager
        # Describe the new POSIX account, with shell access enabled
        $as = New-Object VMware.Vim.HostPosixAccountSpec
        $as.id = $id
        $as.password = $password
        $as.description = $description
        $as.shellAccess = $true
        $as.posixId = $posixId
        $accountManager.CreateUser($as)
    }
Sample usage: create-shelluser -id rewt -password pass
Note that you need to connect directly to ESX to make this work, it seems to be a quirk of the underlying API.