Many of you have seen the bug in New-VIPermission that makes it impossible to create permissions for Active Directory Principals. The bug looks something like this:
[vSphere PowerCLI] C:\> Get-Folder carter-2 | New-VIPermission -Role Admin -Principal "VMWORLD\cshanklin"
New-VIPermission : 12/7/2009 2:22:46 PM    New-VIPermission    Could not find VIAccount with name 'VMWORLD\cshanklin'.
... Remaining truncated for readability ...
The source of the bug is that PowerCLI cannot correctly convert this principal into the type of object it needs, which is a VIAccount object. The workaround is to create the VIAccount object yourself. On PoshCode I've uploaded a script that will do just that. Download it and import the function into your session.
You can use this code as follows:
[vSphere PowerCLI] C:\> $account = New-VIAccount "VMWORLD\cshanklin"
[vSphere PowerCLI] C:\> Get-Folder carter-2 | New-VIPermission -Role Admin -Principal $account

EntityId          Role   Principal        IsGroup  Propagate
--------          ----   ---------        -------  ---------
Folder-group-v58  Admin  VMWORLD\csha...  False    True
=====
Carter Shanklin
Read the PowerCLI Blog
[Follow me on Twitter|http://twitter.com/cshanklin]
Message was edited by: c_shanklin
Moved code to PoshCode to work around forum brokenness.
Thanks for the workaround - but I cannot get it to work
Unable to find type http://System.Reflection.BindingFlags: make sure
that the assembly containing this type is loaded.
At line:2 char:86
+ http://System.Reflection.BindingFlags <<<< ::NonPublic -
bor
+ CategoryInfo : InvalidOperation: (http://System.R...on.BindingFlags:String) [], RuntimeExcept
ion
+ FullyQualifiedErrorId : TypeNotFound
What am I missing?
Maish
Virtualization Architect & Systems Administrator
Never Mind - I figured it out - the code was garbled because of the forum software
The flags should all be
System.Reflection.BindingFlags
- without all the http://..
Maish
Virtualization Architect & Systems Administrator
I moved the code to PoshCode to avoid the forum markup problems.
=====
Carter Shanklin
Read the PowerCLI Blog
[Follow me on Twitter|http://twitter.com/cshanklin]
How can you get this to assign a permission to the root datacenters folder (folder-group-d1)? The folder returned with "Get-folder Datacenters".
I can get permissions to assign to datacenters and other folders, just not this one. This is the error..
New-VIPermission : 12/9/2009 9:34:17 AM New-VIPermission 5DED110D-C365-43BC-A781-9E425BC433F3 Object reference not set to an instance of an object.
Additionally, I can't get this to work with security groups, just users in the domain. The error is:
New-VIPermission : 12/9/2009 9:50:31 AM New-VIPermission 5DED110D-C365-43BC-A781-9E425BC433F3 The user or group named 'CONTOSO\VMware vCenter SG1' does not exist.
There seems to be another problem with this cmdlet and the Datacenters folder, see also .
When assigning a group, the bypass script from that post can be slightly adapted to allow groups:
# Replace the <...> placeholders with your own values
$domain = "<your-domainname>"
$groupname = "<your-groupname>"
$svcgroup = $domain + "\" + $groupname
$folder = Get-Folder -Name "<foldername>"
$authMgr = Get-View AuthorizationManager
# Build the permission object directly instead of going through New-VIPermission
$perm = New-Object VMware.Vim.Permission
$perm.principal = $svcgroup
$perm.group = $true        # the principal is a group, not a user
$perm.propagate = $true    # applies to all child objects as well
$perm.roleid = ($authMgr.RoleList | where{$_.Name -eq "Admin"}).RoleId
$authMgr.SetEntityPermissions(($folder | Get-View).MoRef, $perm)
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
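An added example, not part of the post above or of PowerCLI itself: the same AuthorizationManager approach wrapped so that it refuses ambiguous folder names, fails on an unknown role, and reads the permission back to confirm what was actually stored. The function name Set-FolderPermission and its parameters are hypothetical, and an existing Connect-VIServer session is assumed.

```powershell
# Added example; Set-FolderPermission is a hypothetical helper, not a PowerCLI cmdlet.
function Set-FolderPermission {
    param(
        [Parameter(Mandatory=$true)][string]$FolderName,
        [Parameter(Mandatory=$true)][string]$Principal,   # 'DOMAIN\name'
        [string]$RoleName = 'Admin',
        [switch]$IsGroup,
        [switch]$Propagate
    )
    $authMgr = Get-View AuthorizationManager

    # Folder names are not unique in an inventory, so do not guess the target.
    $folders = @(Get-Folder -Name $FolderName)
    if ($folders.Count -ne 1) {
        throw "Expected exactly one folder named '$FolderName', found $($folders.Count)."
    }
    $moRef = ($folders[0] | Get-View).MoRef

    # Resolve the role by name; a typo must not end in a null RoleId.
    $role = $authMgr.RoleList | Where-Object { $_.Name -eq $RoleName }
    if (-not $role) { throw "Role '$RoleName' not found on this server." }

    $perm = New-Object VMware.Vim.Permission
    $perm.Principal = $Principal
    $perm.Group     = [bool]$IsGroup
    $perm.Propagate = [bool]$Propagate
    $perm.RoleId    = $role.RoleId
    $authMgr.SetEntityPermissions($moRef, @($perm))

    # Read back only the permissions defined on this entity (inherited = $false)
    # and confirm that the stored entry matches the request.
    $applied = $authMgr.RetrieveEntityPermissions($moRef, $false) |
        Where-Object { $_.Principal -eq $Principal -and $_.Group -eq [bool]$IsGroup }
    if (-not $applied) {
        throw "No stored permission matches '$Principal'; check how the server recorded the principal."
    }
    if ($applied.RoleId -ne $role.RoleId -or $applied.Propagate -ne [bool]$Propagate) {
        throw "Stored permission for '$Principal' differs from the request."
    }
    $applied
}

# Usage with placeholder values; omit -Propagate to limit the grant to the folder itself:
# Set-FolderPermission -FolderName '<foldername>' -Principal '<domain>\<group>' -IsGroup
```

Admin on the root folder with propagation covers the entire inventory, so the read-back result is worth recording whenever this is run.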
In fact I got an error
The term 'New-VIAccount' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if
a path was included, verify that the path is correct and try again.
I am using 5.5 powercli
Please suggest
ok got the issue
function New-VIAccount($principal) {
$flags = `
[System.Reflection.BindingFlags]::NonPublic -bor
[System.Reflection.BindingFlags]::Public -bor
[System.Reflection.BindingFlags]::DeclaredOnly -bor
[System.Reflection.BindingFlags]::Instance
$method = $defaultviserver.GetType().GetMethods($flags) |
where { $_.Name -eq "VMware.VimAutomation.Types.VIObjectCore.get_Client" }
$client = $method.Invoke($global:DefaultVIServer, $null)
Write-Output (New-Object VMware.VimAutomation.Client20.PermissionManagement.VCUserAccountImpl -ArgumentList $principal, "", $client)
}
but still got an error
You cannot call a method on a null-valued expression.
At line:9 char:29
+ $client = $method.Invoke <<<< ($global:DefaultVIServer, $null)
+ CategoryInfo : InvalidOperation: (Invoke:String) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
New-Object : Constructor not found. Cannot find an appropriate constructor for type VMware.VimAutomation.Client20.PermissionManagement.VCUserAccountImpl.
At line:10 char:29
+ Write-Output (New-Object <<<< VMware.VimAutomation.Client20.PermissionManagement.VCUserAccountImpl -ArgumentList $principal, "", $client)
+ CategoryInfo : ObjectNotFound: (:) [New-Object], PSArgumentException
+ FullyQualifiedErrorId : CannotFindAppropriateCtor,Microsoft.PowerShell.Commands.NewObjectCommand
Are you sure there is an object in the $method variable ?
Shouldn't that be $global:defaultviserver.GetType().GetMethods($flags) ?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
LucD, I have no idea ... I just copied code some people discussed for this cmdlet for 4.1, but it looks like even now that bug exists ... all I am trying to do is add an AD account (single user account) from AD in vCenter as admin to the "root" folder
just like in the GUI, as given in Add users in VMware vCenter » Adrian Costea's blog
Sadly, the below does not work
New-VIPermission -Role Admin -Principal <domain\id>
BTW, I got the same error
PowerCLI C:\> function New-VIAccount($principal) {
>> $flags = `
>> [System.Reflection.BindingFlags]::NonPublic -bor
>> [System.Reflection.BindingFlags]::Public -bor
>> [System.Reflection.BindingFlags]::DeclaredOnly -bor
>> [System.Reflection.BindingFlags]::Instance
>>
>> $global:defaultviserver.GetType().GetMethods($flags) |
>> where { $_.Name -eq "VMware.VimAutomation.Types.VIObjectCore.get_Client" }
>>
>> $client = $method.Invoke($global:DefaultVIServer, $null)
>> Write-Output (New-Object VMware.VimAutomation.Client20.PermissionManagement.VCUserAccountImpl -ArgumentList $principal, "", $client)
>> }
>>
PowerCLI C:\> $account = New-VIAccount "xxx\xxx"
You cannot call a method on a null-valued expression.
At line:9 char:29
+ $client = $method.Invoke <<<< ($global:DefaultVIServer, $null)
+ CategoryInfo : InvalidOperation: (Invoke:String) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
New-Object : Constructor not found. Cannot find an appropriate constructor for type VMware.VimAutomation.Client20.PermissionManagement.VCUserAccountImpl.
At line:10 char:29
+ Write-Output (New-Object <<<< VMware.VimAutomation.Client20.PermissionManagement.VCUserAccountImpl -ArgumentList $principal, "", $client)
+ CategoryInfo : ObjectNotFound: (:) [New-Object], PSArgumentException
+ FullyQualifiedErrorId : CannotFindAppropriateCtor,Microsoft.PowerShell.Commands.NewObjectCommand
PowerCLI C:\>
It looks as if you forgot to assign the returned object to the $method variable
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Someone mentioned the below and it worked now, i.e. the bug is fixed at 4.1 build 264274 - the 4.1 release
==========================================================================
Hi Rob,
The problem is fixed in the VMware vSphere PowerCLI 4.1 build 264274 - the 4.1 release
All you need is: your VC to be member of the domain of the user you want to assign as principal. You can just execute the following line of code in order to create a permission for the root:
New-VIPermission -Role Admin -Principal 'domain\youruser' -Entity (Get-Folder -Name 'Datacenters')
Thanks,
Gospodin!
==========================================================================