13 Replies Latest reply on Apr 5, 2015 6:06 PM by esxi1979

    The bug in New-VIPermission and how to deal with it.

    Master

      Many of you have seen the bug in New-VIPermission that makes it impossible to create permissions for Active Directory Principals. The bug looks something like this:

      [vSphere PowerCLI] C:\> Get-Folder carter-2 | New-VIPermission -Role Admin -Principal "VMWORLD\cshanklin"
      New-VIPermission : 12/7/2009 2:22:46 PM    New-VIPermission        Could not find VIAccount with name 'VMWORLD\cshanklin'.
      ... Remaining truncated for readability ...
      

       

      The source of the bug is that PowerCLI cannot correctly convert this principal into the type of object it needs, which is a VIAccount object. The workaround is to create the VIAccount object yourself. On PoshCode I've uploaded a script that will do just that. Download it and import the function into your session.

       

      You can use this code as follows:

      [vSphere PowerCLI] C:\> $account = New-VIAccount "VMWORLD\cshanklin"
      [vSphere PowerCLI] C:\> Get-Folder carter-2 | New-VIPermission -Role Admin -Principal $account
      
      EntityId             Role                      Principal       IsGroup Prop
                                                                             agat
                                                                             e
      --------             ----                      ---------       ------- ----
      Folder-group-v58     Admin                     VMWORLD\csha... False   True
      

       

      =====

      Carter Shanklin

      Read the PowerCLI Blog
      Follow me on Twitter: http://twitter.com/cshanklin

       

      Message was edited by: c_shanklin

      Moved code to PoshCode to work around forum brokenness.

        • 1. Re: The bug in New-VIPermission and how to deal with it.
          maishsk Expert User Moderators vExpert

          Thanks for the work around -  but I cannot get it to work

           

          Unable to find type http://System.Reflection.BindingFlags: make sure

          that the assembly containing this type is loaded.

          At line:2 char:86

          +         http://System.Reflection.BindingFlags <<<< ::NonPublic -
          bor
          + CategoryInfo : InvalidOperation: (http://System.R...on.BindingFlags:String) [], RuntimeExcept
          ion
          + FullyQualifiedErrorId : TypeNotFound

          What am I missing?






          Maish

          Virtualization Architect & Systems Administrator

          http://technodrone.blogspot.com

          • 2. Re: The bug in New-VIPermission and how to deal with it.
            maishsk Expert User Moderators vExpert

            Never Mind - I figured it out - the code was garbled because of the forum software

             

            The flags should all be

            System.Reflection.BindingFlags

            - without all the http://......


            Maish

            Virtualization Architect & Systems Administrator

            http://technodrone.blogspot.com

            • 3. Re: The bug in New-VIPermission and how to deal with it.
              Master

              I moved the code to PoshCode to avoid the forum markup problems.

               

              =====

              Carter Shanklin

              Read the PowerCLI Blog
              Follow me on Twitter: http://twitter.com/cshanklin

              • 4. Re: The bug in New-VIPermission and how to deal with it.
                paetecsfb Novice

                How can you get this to assign a permission to the root datacenters folder (folder-group-d1)?  The folder returned with "Get-folder Datacenters".

                 

                I can get permissions to assign to datacenters and other folders, just not this one.  This is the error..

                 

                New-VIPermission : 12/9/2009 9:34:17 AM    New-VIPermission    5DED110D-C365-43BC-A781-9E425BC433F3    Object reference not set to an instance of an object.

                Additionally, I can't get this to work with security groups, just users in the domain.  The error is:

                New-VIPermission : 12/9/2009 9:50:31 AM    New-VIPermission    5DED110D-C365-43BC-A781-9E425BC433F3    The user or group named 'CONTOSO\VMware vCenter SG1' does not exist.

                • 5. Re: The bug in New-VIPermission and how to deal with it.
                  LucD Guru Community Warrior User Moderators vExpert

                  There seems to be another problem with this cmdlet and the Datacenters folder, see also Trying to assign user Admin permissions on Root Folder.

                   

                  When assigning a group the bypass script from that post can be slightly adapted to allow groups

                  # Replace the placeholders in angle brackets with your own values
                  $domain = "<your-domainname>"
                  $groupname = "<your-groupname>"
                  $svcgroup = $domain + "\" + $groupname
                  
                  $folder = Get-Folder -Name "<foldername>"
                  $authMgr = Get-View AuthorizationManager
                  $perm = New-Object VMware.Vim.Permission
                  $perm.principal = $svcgroup
                  $perm.group = $true        # the principal is a group, not a user
                  $perm.propagate = $true    # apply to child objects as well
                  $perm.roleid = ($authMgr.RoleList | where{$_.Name -eq "Admin"}).RoleId
                  $authMgr.SetEntityPermissions(($folder | Get-View).MoRef, $perm)
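
Added example, not part of LucD's post or of PowerCLI itself: the same AuthorizationManager calls wrapped with a role lookup check and a read-back through RetrieveEntityPermissions, so a grant that did not land as requested fails loudly. The function name Set-CheckedPermission and its parameters are assumptions; the sample folder and principal are the ones from the first post.

```powershell
# Added example; requires an existing Connect-VIServer session.
# Set-CheckedPermission is a hypothetical helper name, not a PowerCLI cmdlet.
function Set-CheckedPermission {
    param(
        [Parameter(Mandatory=$true)] [string] $FolderName,
        [Parameter(Mandatory=$true)] [string] $Principal,   # 'DOMAIN\name'
        [string] $RoleName = 'Admin',
        [switch] $IsGroup,
        [bool]   $Propagate = $true
    )

    $authMgr = Get-View AuthorizationManager

    # Resolve the role first; an unknown name would otherwise leave RoleId empty.
    $role = $authMgr.RoleList | Where-Object { $_.Name -eq $RoleName }
    if (-not $role) { throw "Role '$RoleName' not found in AuthorizationManager.RoleList" }

    # Insist on exactly one folder so the grant cannot land on several entities.
    $folder = @(Get-Folder -Name $FolderName)
    if ($folder.Count -ne 1) { throw "Expected one folder named '$FolderName', found $($folder.Count)" }
    $moRef = ($folder[0] | Get-View).MoRef

    $perm = New-Object VMware.Vim.Permission
    $perm.Principal = $Principal
    $perm.Group     = [bool]$IsGroup
    $perm.Propagate = $Propagate
    $perm.RoleId    = $role.RoleId
    $authMgr.SetEntityPermissions($moRef, @($perm))

    # Read back only the permissions defined on this entity (inherited = $false).
    $applied = $authMgr.RetrieveEntityPermissions($moRef, $false) |
        Where-Object { $_.Principal -eq $Principal -and $_.Group -eq [bool]$IsGroup }
    if (-not $applied -or $applied.RoleId -ne $role.RoleId -or $applied.Propagate -ne $Propagate) {
        throw "Permission for '$Principal' on '$FolderName' did not apply as requested"
    }
    $applied | Select-Object Principal, Group, Propagate, RoleId
}

# Sample call using the folder and user named in the first post.
Set-CheckedPermission -FolderName 'carter-2' -Principal 'VMWORLD\cshanklin'
```
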
                  

                   

                  • 6. Re: The bug in New-VIPermission and how to deal with it.
                    esxi1979 Hot Shot

                    In fact, I got an error

                     

                    The term 'New-VIAccount' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if

                    a path was included, verify that the path is correct and try again.

                     

                    I am using 5.5 powercli

                     

                    Please suggest

                    • 7. Re: The bug in New-VIPermission and how to deal with it.
                      esxi1979 Hot Shot

                      ok got the issue

                       

                       

                      function New-VIAccount($principal) {
                          $flags = `
                              [System.Reflection.BindingFlags]::NonPublic    -bor
                              [System.Reflection.BindingFlags]::Public       -bor
                              [System.Reflection.BindingFlags]::DeclaredOnly -bor
                              [System.Reflection.BindingFlags]::Instance

                          $method = $defaultviserver.GetType().GetMethods($flags) |
                          where { $_.Name -eq "VMware.VimAutomation.Types.VIObjectCore.get_Client" }

                          $client = $method.Invoke($global:DefaultVIServer, $null)
                          Write-Output (New-Object  VMware.VimAutomation.Client20.PermissionManagement.VCUserAccountImpl  -ArgumentList $principal, "", $client)
                      }

                       

                       

                       

                       

                      but still got err

                       

                       

                      You cannot call a method on a null-valued expression.
                      At line:9 char:29
                      +     $client = $method.Invoke <<<< ($global:DefaultVIServer, $null)
                          + CategoryInfo          : InvalidOperation: (Invoke:String) [], RuntimeException
                          + FullyQualifiedErrorId : InvokeMethodOnNull

                      New-Object : Constructor not found. Cannot find an appropriate constructor for type VMware.VimAutomation.Client20.PermissionManagement.VCUserAccountImpl.
                      At line:10 char:29
                      +     Write-Output (New-Object <<<<   VMware.VimAutomation.Client20.PermissionManagement.VCUserAccountImpl  -ArgumentList $principal, "", $client)
                          + CategoryInfo          : ObjectNotFound: (:) [New-Object], PSArgumentException
                          + FullyQualifiedErrorId : CannotFindAppropriateCtor,Microsoft.PowerShell.Commands.NewObjectCommand

                      • 8. Re: The bug in New-VIPermission and how to deal with it.
                        LucD Guru Community Warrior User Moderators vExpert

                        Are you sure there is an object in the $method variable ?

                        Shouldn't that be $global:defaultviserver.GetType().GetMethods($flags) ?

                        • 9. Re: The bug in New-VIPermission and how to deal with it.
                          esxi1979 Hot Shot

                          LucD, I have no idea ... I just copied code some people discussed for this cmdlet for 4.1, but it looks like even now that bug exists ... all I am trying to do is add an AD account (single user account) from AD in vCenter as admin to the "root" folder

                           

                           

                          just like in GUI as given in  Add users in VMware vCenter » Adrian Costea's blog

                          • 10. Re: The bug in New-VIPermission and how to deal with it.
                            esxi1979 Hot Shot

                            sadly below does not work

                             

                             

                            New-VIPermission -Role Admin -Principal <domain\id>

                            • 11. Re: The bug in New-VIPermission and how to deal with it.
                              esxi1979 Hot Shot

                              BTW i got same err

                               

                               

                              PowerCLI C:\> function New-VIAccount($principal) {
                              >>     $flags = `
                              >>         [System.Reflection.BindingFlags]::NonPublic    -bor
                              >>         [System.Reflection.BindingFlags]::Public       -bor
                              >>         [System.Reflection.BindingFlags]::DeclaredOnly -bor
                              >>         [System.Reflection.BindingFlags]::Instance
                              >>
                              >>       $global:defaultviserver.GetType().GetMethods($flags) |
                              >>     where { $_.Name -eq "VMware.VimAutomation.Types.VIObjectCore.get_Client" }
                              >>
                              >>     $client = $method.Invoke($global:DefaultVIServer, $null)
                              >>     Write-Output (New-Object  VMware.VimAutomation.Client20.PermissionManagement.VCUserAccountImpl  -ArgumentList $principal, "", $client)
                              >> }
                              >>
                              PowerCLI C:\> $account = New-VIAccount "xxx\xxx"
                              You cannot call a method on a null-valued expression.
                              At line:9 char:29
                              +     $client = $method.Invoke <<<< ($global:DefaultVIServer, $null)
                                  + CategoryInfo          : InvalidOperation: (Invoke:String) [], RuntimeException
                                  + FullyQualifiedErrorId : InvokeMethodOnNull

                              New-Object : Constructor not found. Cannot find an appropriate constructor for type VMware.VimAutomation.Client20.PermissionManagement.VCUserAccountImpl.
                              At line:10 char:29
                              +     Write-Output (New-Object <<<<   VMware.VimAutomation.Client20.PermissionManagement.VCUserAccountImpl  -ArgumentList $principal, "", $client)
                                  + CategoryInfo          : ObjectNotFound: (:) [New-Object], PSArgumentException
                                  + FullyQualifiedErrorId : CannotFindAppropriateCtor,Microsoft.PowerShell.Commands.NewObjectCommand

                              PowerCLI C:\>

                              • 12. Re: The bug in New-VIPermission and how to deal with it.
                                LucD Guru Community Warrior User Moderators vExpert

                                It looks as if you forgot to assign the returned object to the $method variable

                                • 13. Re: The bug in New-VIPermission and how to deal with it.
                                  esxi1979 Hot Shot

                                  Someone mentioned the below and it worked now, i.e. the bug is fixed at 4.1 build 264274 - the 4.1 release

                                   

                                   

                                  ==========================================================================

                                  Hi Rob,

                                  The problem is fixed in the VMware vSphere PowerCLI 4.1 build 264274  - the 4.1 release

                                  All you need is: your VC to be member of the domain of the user you want to assign as principal. You can just execute the following line of code in order to create a permission for the root:

                                   New-VIPermission -Role Admin -Principal 'domain\youruser' -Entity (Get-Folder -Name 'Datacenters')

                                  Thanks,

                                  Gospodin!

                                   

                                  ==========================================================================