Hi All,
If anyone can help me with a PowerCLI script to create a new local admin account on all ESX and ESXi hosts in the vCenter, create a new role called admin and provide all access except root. This should be across a virtual center.
Much appreciated for the help.
Regards,
Mellvin
Not sure what you mean with "...all access except root".
You might want to have a look at Re: ESXi Local user Update or Add which is something similar to what you want I guess.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Hi Luc,
Thanks for your reply Luc.
I am using ESXi 5.0. I am successfully able to create a new account using the above script. But this account is added to "users" default group. I want a new group created named "admin" and provide this account access to esxi through vsphere client and basic SSH access. Can this be done?
I see, then you would first need to test if the group "Admin" exists, and if not create it (following the same Try-Catch logic as for the user).
With the New-VMHostAccount you can also create a group, by using the GroupAccount switch.
Let me know if you need some help in adapting the script that way ?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Hi Luc,
In some hosts I am able to see the admin group, in some I am not. Please help me in adapting the try-catch logic and provide the script.
Thank you so much for the help.
regards,
Mellvin
Try something like this
$groupName = "group"
$accountName = "user"
$accountPswd = "password"
$accountDescription = "A user"
# List the hosts through the existing vCenter connection
$esxlist = Get-VMHost
foreach($esx in $esxlist){
    # Connect directly to the ESXi host as root
    Connect-VIServer -Server $esx -User root -Password "password"
    # Create the group only if it does not exist yet
    Try {
        Get-VMHostAccount -Id $groupName -Group -ErrorAction Stop | Out-Null
    }
    Catch {
        New-VMHostAccount -Id $groupName -GroupAccount | Out-Null
    }
    $rootFolder = Get-Folder -Name ha-folder-root
    # Update the account if it exists, otherwise create it
    Try{
        Get-VMHostAccount -Id $accountName -ErrorAction Stop |
        Set-VMHostAccount -Password $accountPswd -Description $accountDescription -AssignGroups $groupName | Out-Null
    }
    Catch{
        New-VMHostAccount -Id $accountName -Password $accountPswd -Description $accountDescription -UserAccount -GrantShellAccess -AssignGroups $groupName | Out-Null
    }
    Disconnect-VIServer -Confirm:$false
}
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
I suspect you posted your question to the wrong thread :smileygrin:
That requires just a minor change to the previous script in fact.
Something like this
$groupName = "group"
$accountName = "user"
$accountPswd = "password"
$accountDescription = "A user"
# List the hosts through the existing vCenter connection
$esxlist = Get-VMHost
foreach($esx in $esxlist){
    # Connect directly to the ESXi host as root
    Connect-VIServer -Server $esx -User root -Password "password"
    # Create the group only if it does not exist yet
    Try {
        Get-VMHostAccount -Id $groupName -Group -ErrorAction Stop | Out-Null
    }
    Catch {
        New-VMHostAccount -Id $groupName -GroupAccount | Out-Null
    }
    $rootFolder = Get-Folder -Name ha-folder-root
    # Update the account if it exists, otherwise create it; keep the result for the permission
    Try{
        $account = Get-VMHostAccount -Id $accountName -ErrorAction Stop |
        Set-VMHostAccount -Password $accountPswd -Description $accountDescription -AssignGroups $groupName
    }
    Catch{
        $account = New-VMHostAccount -Id $accountName -Password $accountPswd -Description $accountDescription -UserAccount -GrantShellAccess -AssignGroups $groupName
    }
    # Grant the role on the host's root folder
    $rootFolder = Get-Folder -Name ha-folder-root
    New-VIPermission -Entity $rootFolder -Principal $account -Role admin
    Disconnect-VIServer -Confirm:$false
}
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Hi Luc,
Sorry for the wrong thread. The script is not able to add the administrator role to the group created. Getting the following error
New-VIPermission : Cannot validate argument on parameter 'Principal'. The argum
ent is null or empty. Supply an argument that is not null or empty and then try
the command again.
At C:\users\ramchi\desktop\create.ps1:27 char:52
+ New-VIPermission -Entity $rootFolder -Principal <<<< $account -Role admi
n
+ CategoryInfo : InvalidData: (:) [New-VIPermission], ParameterBi
ndingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,VMware.VimAutom
ation.ViCore.Cmdlets.Commands.PermissionManagement.NewVIPermission
Disconnect-VIServer : 2/12/2014 6:49:31 AM Disconnect-VIServer PowerC
LI is currently connected to more than one servers. Specify which server you wa
nt to disconnect or use the "*" wildcard to disconnect all.
The error seems to indicate that the $account variable is empty.
Did the account already exist on that ESXi ?
If not, was the account (and group) created ?
Can you eventually do a test with a single ESXi, where you could test the different configurations
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
I deleted the already created account and ran this script. The account is getting created and also the new group. The account is added to the group. But the permission to add the account/group to the administrator role is not getting created
my account name is not coming up here
Did you do a refresh on that page ?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Yes I did. No luck. How do I run this on a particular host? Actually I am running in a test environment to check the script, where my root password will work only on one host and the remaining hosts have a different root password.
Change this line
$esxlist = Get-VMHost
to
$esxlist = Get-VMHost -Name MyEsx
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Finally, it is working on that ESX host now. Thanks a lot for your effort on this. I am always your PowerCLI fan.
Will it work on my production vCenter? I hope those errors were due to bad root password attempts on other ESX hosts.
Regards,
Raj Mellvin
And I think the principal entity is getting more than one value if we run in that loop, and it was not able to add to the admin role.
Hi Luc,
When I give $esxlist = Get-VMHost -Name MyEsx it is working. But it is not working with $esxlist = Get-VMHost. I think it is a looping problem; it says not connected to the ESX host.
Error
Connect-VIServer : 2/14/2014 9:18:45 AM Connect-VIServer Cannot compl
ete login due to an incorrect user name or password.
At C:\users\ramchi\desktop\create.ps1:8 char:21
+ Connect-VIServer <<<< -Server $esx -User root -Password "XXX"
+ CategoryInfo : NotSpecified: (:) [Connect-VIServer], InvalidLog
in
+ FullyQualifiedErrorId : Client20_ConnectivityServiceImpl_Reconnect_Excep
tion,VMware.VimAutomation.ViCore.Cmdlets.Commands.ConnectVIServer
New-VMHostAccount : 2/14/2014 9:18:45 AM New-VMHostAccount Local grou
p accounts are not supported since ESX version 5.1
At C:\users\ramchi\desktop\create.ps1:14 char:24
+ New-VMHostAccount <<<< -Id $groupName -GroupAccount | Out-Null
+ CategoryInfo : InvalidOperation: (:) [New-VMHostAccount], VimEx
ception
+ FullyQualifiedErrorId : Client20_SystemManagementServiceImpl_TryValidate
EsxVersionSupportsGroups_Failed,VMware.VimAutomation.ViCore.Cmdlets.Comman
ds.Host.NewVMHostAccount
Get-Folder : 2/14/2014 9:18:45 AM Get-Folder Folder with name 'ha-fol
der-root' was not found using the specified filter(s).
At C:\users\ramchi\desktop\create.ps1:17 char:29
+ $rootFolder = Get-Folder <<<< -Name ha-folder-root
+ CategoryInfo : ObjectNotFound: (:) [Get-Folder], VimException
+ FullyQualifiedErrorId : Core_OutputHelper_WriteNotFoundError,VMware.VimA
utomation.ViCore.Cmdlets.Commands.GetFolder
New-VMHostAccount : 2/14/2014 9:18:45 AM New-VMHostAccount Local grou
p accounts are not supported since ESX version 5.1
At C:\users\ramchi\desktop\create.ps1:23 char:37
+ $account = New-VMHostAccount <<<< -Id $accountName -Password $accoun
tPswd -Description $accountDescription -UserAccount -GrantShellAccess -AssignGr
oups $groupName
+ CategoryInfo : InvalidOperation: (:) [New-VMHostAccount], VimEx
ception
+ FullyQualifiedErrorId : Client20_SystemManagementServiceImpl_TryValidate
EsxVersionSupportsGroups_Failed,VMware.VimAutomation.ViCore.Cmdlets.Comman
ds.Host.NewVMHostAccount
Get-Folder : 2/14/2014 9:18:45 AM Get-Folder Folder with name 'ha-fol
der-root' was not found using the specified filter(s).
At C:\users\ramchi\desktop\create.ps1:26 char:29
+ $rootFolder = Get-Folder <<<< -Name ha-folder-root
+ CategoryInfo : ObjectNotFound: (:) [Get-Folder], VimException
+ FullyQualifiedErrorId : Core_OutputHelper_WriteNotFoundError,VMware.VimA
utomation.ViCore.Cmdlets.Commands.GetFolder
New-VIPermission : Cannot validate argument on parameter 'Entity'. The argument
on the first line is saying authentication issue. Try with correct username and password
Connect-VIServer : 2/14/2014 9:18:45 AM Connect-VIServer Cannot compl
ete login due to an incorrect user name or password.
At C:\users\ramchi\desktop\create.ps1:8 char:21
+ Connect-VIServer <<<< -Server $esx -User root -Password "XXX"
+ CategoryInfo : NotSpecified: (:) [Connect-VIServer], InvalidLog
in
+ FullyQualifiedErrorId : Client20_ConnectivityServiceImpl_Reconnect_Excep
tion,VMware.VimAutomation.ViCore.Cmdlets.Commands.ConnectVIServer
I suspect the root password is not correct on some of the ESXi servers.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
You are right Luc. Some of the ESX hosts have different ESX root passwords.
It is working in 5.0. But 5.1 does not support adding groups to permissions, so I need to add only accounts to permissions.
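A per-host loop that handles the failures reported in this thread (Disconnect-VIServer refusing to choose between several open connections, hosts with a different root password, no local groups from 5.1 on), as an added example that is not part of any post above. It assumes an open vCenter connection for listing hosts; the account and group names are the thread's placeholders, and both passwords are prompted for instead of being stored in the script.

```powershell
# Added example, not code from the thread. Assumes an open vCenter connection
# (used only to list hosts); 'user' and 'group' are the thread's placeholders.
$accountName = 'user'
$groupName   = 'group'   # only used on hosts older than 5.1
$rootCred = Get-Credential -UserName root -Message 'ESXi root password'
$newCred  = Get-Credential -UserName $accountName -Message 'Password for the new account'
$failed   = @()

foreach ($name in (Get-VMHost | Select-Object -ExpandProperty Name)) {
    try {
        $conn = Connect-VIServer -Server $name -Credential $rootCred -ErrorAction Stop
    } catch {
        $failed += $name   # login failed: skip this host instead of running the rest against nothing
        continue
    }
    try {
        $params = @{
            Server      = $conn   # every cmdlet is scoped to this host, never to vCenter
            Password    = $newCred.GetNetworkCredential().Password
            Description = 'A user'
        }
        if ([version](Get-VMHost -Server $conn).Version -lt [version]'5.1') {
            # Local groups (and the shell switch from the thread's script) only before 5.1
            if (-not (Get-VMHostAccount -Server $conn -Group -Id $groupName -ErrorAction SilentlyContinue)) {
                New-VMHostAccount -Server $conn -Id $groupName -GroupAccount | Out-Null
            }
            $params.AssignGroups     = $groupName
            $params.GrantShellAccess = $true
        }
        $account = Get-VMHostAccount -Server $conn -User -Id $accountName -ErrorAction SilentlyContinue
        if ($account) {
            $account = $account | Set-VMHostAccount @params
        } else {
            $account = New-VMHostAccount @params -Id $accountName -UserAccount
        }
        # Grant the role to the account itself, and only if it is not already there
        $rootFolder = Get-Folder -Server $conn -Name ha-folder-root
        if (-not (Get-VIPermission -Server $conn -Entity $rootFolder -Principal $accountName)) {
            New-VIPermission -Server $conn -Entity $rootFolder -Principal $account -Role Admin | Out-Null
        }
    } finally {
        Disconnect-VIServer -Server $conn -Confirm:$false   # close only this host's session
    }
}
if ($failed) { Write-Warning "Could not log in to: $($failed -join ', ')" }
```

Hosts listed in the final warning were left untouched and need a separate run with their own root credential.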