VMware Cloud Community
admin
Immortal

The bug in New-VIPermission and how to deal with it.

Many of you have seen the bug in New-VIPermission that makes it impossible to create permissions for Active Directory Principals. The bug looks something like this:

[vSphere PowerCLI] C:\> Get-Folder carter-2 | New-VIPermission -Role Admin -Principal "VMWORLD\cshanklin"
New-VIPermission : 12/7/2009 2:22:46 PM    New-VIPermission        Could not find VIAccount with name 'VMWORLD\cshanklin'.
... Remaining truncated for readability ...

The source of the bug is that PowerCLI cannot correctly convert this principal into the type of object it needs, which is a VIAccount object. The workaround is to create the VIAccount object yourself. On PoshCode I've uploaded a script that will do just that. Download it and import the function into your session.

You can use this code as follows:

[vSphere PowerCLI] C:\> $account = New-VIAccount "VMWORLD\cshanklin"
[vSphere PowerCLI] C:\> Get-Folder carter-2 | New-VIPermission -Role Admin -Principal $account

EntityId             Role                      Principal       IsGroup Prop
                                                                       agat
                                                                       e
--------             ----                      ---------       ------- ----
Folder-group-v58     Admin                     VMWORLD\csha... False   True

=====

Carter Shanklin

Read the PowerCLI Blog
Follow me on Twitter: http://twitter.com/cshanklin

Message was edited by: c_shanklin

Moved code to PoshCode to work around forum brokenness.

0 Kudos
13 Replies
maishsk
Expert

Thanks for the work around - but I cannot get it to work

Unable to find type http://System.Reflection.BindingFlags: make sure that the assembly containing this type is loaded.
At line:2 char:86
+ http://System.Reflection.BindingFlags <<<< ::NonPublic -bor
+ CategoryInfo : InvalidOperation: (http://System.R...on.BindingFlags:String) [], RuntimeException
+ FullyQualifiedErrorId : TypeNotFound

What am I missing?

Maish

Virtualization Architect & Systems Administrator

Maish Saidel-Keesing • @maishsk • http://technodrone.blogspot.com • VMTN Moderator • vExpert • Co-author of VMware vSphere Design
0 Kudos
maishsk
Expert

Never Mind - I figured it out - the code was garbled because of the forum software

The flags should all be

System.Reflection.BindingFlags

- without all the http://..


Maish

Virtualization Architect & Systems Administrator

Maish Saidel-Keesing • @maishsk • http://technodrone.blogspot.com • VMTN Moderator • vExpert • Co-author of VMware vSphere Design
0 Kudos
admin
Immortal

I moved the code to PoshCode to avoid the forum markup problems.

=====

Carter Shanklin

Read the PowerCLI Blog
Follow me on Twitter: http://twitter.com/cshanklin

0 Kudos
paetecsfb
Enthusiast

How can you get this to assign a permission to the root datacenters folder (folder-group-d1)? The folder returned with "Get-folder Datacenters".

I can get permissions to assign to datacenters and other folders, just not this one. This is the error..

New-VIPermission : 12/9/2009 9:34:17 AM New-VIPermission 5DED110D-C365-43BC-A781-9E425BC433F3 Object reference not set to an instance of an object.

Additionally, I can't get this to work with security groups, just users in the domain. The error is:

New-VIPermission : 12/9/2009 9:50:31 AM New-VIPermission 5DED110D-C365-43BC-A781-9E425BC433F3 The user or group named 'CONTOSO\VMware vCenter SG1' does not exist.

0 Kudos
LucD
Leadership

There seems to be another problem with this cmdlet and the Datacenters folder, see also .

When assigning a group the bypass script from that post can be slightly adapted to allow groups

# Placeholders: fill in your own domain, group and folder names
$domain = "<your-domainname>"
$groupname = "<your-groupname>"
$svcgroup = $domain + "\" + $groupname

$folder = Get-Folder -Name "<foldername>"
$authMgr = Get-View AuthorizationManager
$perm = New-Object VMware.Vim.Permission
$perm.principal = $svcgroup
$perm.group = $true        # the principal is a group, not a user
$perm.propagate = $true    # apply to child objects as well
$perm.roleid = ($authMgr.RoleList | where{$_.Name -eq "Admin"}).RoleId
$authMgr.SetEntityPermissions(($folder | Get-View).MoRef, $perm)


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
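
A read-back check for a grant made as in the reply above, as an added example that is not part of the thread or of PowerCLI. The function name `Test-VIPermissionGrant`, its parameters and the sample records are hypothetical; the records are constructed to carry the same fields as the `Get-VIPermission` output shown in the first post.

```powershell
# Added example: confirm a grant landed as intended and list who else holds the
# same role on the entity. Works on records shaped like Get-VIPermission output
# (EntityId, Role, Principal, IsGroup, Propagate).
function Test-VIPermissionGrant {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Permission,
        [Parameter(Mandatory = $true)] [string]   $Principal,
        [Parameter(Mandatory = $true)] [string]   $Role,
        [bool] $ExpectGroup = $false
    )
    # -eq on strings is case-insensitive, which suits DOMAIN\name principals.
    $hit = @($Permission | Where-Object {
        $_.Principal -eq $Principal -and $_.Role -eq $Role
    })
    # Other holders of the same role on this entity: review for least privilege.
    $others = @($Permission |
        Where-Object { $_.Role -eq $Role -and $_.Principal -ne $Principal } |
        ForEach-Object { $_.Principal })

    New-Object PSObject -Property @{
        Principal    = $Principal
        Granted      = ($hit.Count -gt 0)
        # A user granted with the group flag set (or the reverse) is a mismatch.
        GroupFlagOk  = ($hit.Count -gt 0 -and $hit[0].IsGroup -eq $ExpectGroup)
        Propagates   = ($hit.Count -gt 0 -and $hit[0].Propagate)
        OtherHolders = $others
    }
}

# Constructed sample records. In a live session use instead:
#   $perms = Get-VIPermission -Entity (Get-Folder -Name 'Datacenters')
$perms = @(
    New-Object PSObject -Property @{ EntityId = 'Folder-group-d1'; Role = 'Admin'
        Principal = 'CONTOSO\VMware vCenter SG1'; IsGroup = $true; Propagate = $true }
    New-Object PSObject -Property @{ EntityId = 'Folder-group-d1'; Role = 'Admin'
        Principal = 'CONTOSO\svc-backup'; IsGroup = $false; Propagate = $true }
    New-Object PSObject -Property @{ EntityId = 'Folder-group-d1'; Role = 'ReadOnly'
        Principal = 'CONTOSO\auditors'; IsGroup = $true; Propagate = $false }
)

# The group grant from the reply above: expected to be present with IsGroup set.
Test-VIPermissionGrant -Permission $perms -Principal 'CONTOSO\VMware vCenter SG1' `
    -Role Admin -ExpectGroup $true

# A principal that was never granted: Granted comes back False.
Test-VIPermissionGrant -Permission $perms -Principal 'CONTOSO\cshanklin' -Role Admin
```

A propagating Admin grant on the root Datacenters folder applies to the whole inventory, so the `OtherHolders` list is worth reviewing each time one is added.
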
esxi1979
Expert

In fact I got an error

The term 'New-VIAccount' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

I am using PowerCLI 5.5

Please suggest

0 Kudos
esxi1979
Expert

ok got the issue

function New-VIAccount($principal) {
    $flags = `
        [System.Reflection.BindingFlags]::NonPublic    -bor
        [System.Reflection.BindingFlags]::Public       -bor
        [System.Reflection.BindingFlags]::DeclaredOnly -bor
        [System.Reflection.BindingFlags]::Instance

    $method = $defaultviserver.GetType().GetMethods($flags) |
    where { $_.Name -eq "VMware.VimAutomation.Types.VIObjectCore.get_Client" }

    $client = $method.Invoke($global:DefaultVIServer, $null)
    Write-Output (New-Object  VMware.VimAutomation.Client20.PermissionManagement.VCUserAccountImpl  -ArgumentList $principal, "", $client)
}

but still got err

You cannot call a method on a null-valued expression.
At line:9 char:29
+     $client = $method.Invoke <<<< ($global:DefaultVIServer, $null)
    + CategoryInfo          : InvalidOperation: (Invoke:String) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

New-Object : Constructor not found. Cannot find an appropriate constructor for type VMware.VimAutomation.Client20.PermissionManagement.VCUserAccountImpl.
At line:10 char:29
+     Write-Output (New-Object <<<<   VMware.VimAutomation.Client20.PermissionManagement.VCUserAccountImpl  -ArgumentList $principal, "", $client)
    + CategoryInfo          : ObjectNotFound: (:) [New-Object], PSArgumentException
    + FullyQualifiedErrorId : CannotFindAppropriateCtor,Microsoft.PowerShell.Commands.NewObjectCommand

0 Kudos
LucD
Leadership

Are you sure there is an object in the $method variable ?

Shouldn't that be $global:defaultviserver.GetType().GetMethods($flags) ?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
esxi1979
Expert

LucD, I have no idea ... I just copied some code that some people discussed for this cmdlet for 4.1, but it looks like even now that bug exists ... all I am trying to do is add an AD account (single user account) from AD in vCenter as admin to the "root" folder

just like in the GUI as given in Add users in VMware vCenter » Adrian Costea's blog

0 Kudos
esxi1979
Expert

sadly below does not work

New-VIPermission -Role Admin -Principal <domain\id>

0 Kudos
esxi1979
Expert

BTW i got same err

PowerCLI C:\> function New-VIAccount($principal) {
>>     $flags = `
>>         [System.Reflection.BindingFlags]::NonPublic    -bor
>>         [System.Reflection.BindingFlags]::Public       -bor
>>         [System.Reflection.BindingFlags]::DeclaredOnly -bor
>>         [System.Reflection.BindingFlags]::Instance
>>
>>       $global:defaultviserver.GetType().GetMethods($flags) |
>>     where { $_.Name -eq "VMware.VimAutomation.Types.VIObjectCore.get_Client" }
>>
>>     $client = $method.Invoke($global:DefaultVIServer, $null)
>>     Write-Output (New-Object  VMware.VimAutomation.Client20.PermissionManagement.VCUserAccountImpl  -ArgumentList $principal, "", $client)
>> }
>>
PowerCLI C:\> $account = New-VIAccount "xxx\xxx"
You cannot call a method on a null-valued expression.
At line:9 char:29
+     $client = $method.Invoke <<<< ($global:DefaultVIServer, $null)
    + CategoryInfo          : InvalidOperation: (Invoke:String) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

New-Object : Constructor not found. Cannot find an appropriate constructor for type VMware.VimAutomation.Client20.PermissionManagement.VCUserAccountImpl.
At line:10 char:29
+     Write-Output (New-Object <<<<   VMware.VimAutomation.Client20.PermissionManagement.VCUserAccountImpl  -ArgumentList $principal, "", $client)
    + CategoryInfo          : ObjectNotFound: (:) [New-Object], PSArgumentException
    + FullyQualifiedErrorId : CannotFindAppropriateCtor,Microsoft.PowerShell.Commands.NewObjectCommand

PowerCLI C:\>

0 Kudos
LucD
Leadership

It looks as if you forgot to assign the returned object to the $method variable


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
esxi1979
Expert

someone mentioned below & it worked now, ie bug fixed  @  4.1 build 264274  - the 4.1 release

==========================================================================

Hi Rob,

The problem is fixed in the VMware vSphere PowerCLI 4.1 build 264274  - the 4.1 release

All you need is: your VC to be member of the domain of the user you want to assign as principal. You can just execute the following line of code in order to create a permission for the root: 

 

 New-VIPermission -Role Admin -Principal 'domain\youruser' -Entity (Get-Folder -Name 'Datacenters') 

 

Thanks,

Gospodin!

==========================================================================

0 Kudos