VMware Cloud Community
LittleNickey
Enthusiast
Enthusiast
Jump to solution

Multiple connections to the same VC?

Hi,

I've been trying to get around the issue that some users don't have permissions to set DRS cluster group membership by connecting an additional user ("service account") to the same VC who has "modify cluster" permissions.

I've tried specifying the server using -Server ($global:DefaultVIServers | ?{$_.User -eq $ServiceAccount}) and it works when running manually, but when I run it in a script file it throws below error:

Set-DrsClusterGroup : 2017-11-08 15:54:17 Set-DrsClusterGroup Permission to perform this operation was denied. Required

privilege 'Host.Inventory.EditCluster' on managed object with id 'ClusterComputeResource-domain-c5869'.

+ ... " | Set-DrsClusterGroup -Server ($Global:DefaultVIServers | ? ...

+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo          : NotSpecified: (:) [Set-DrsClusterGroup], NoPermission

    + FullyQualifiedErrorId : Client20_ComputeResourceServiceImpl_SetDrsClusterGroup_ViError,VMware.VimAutomation.ViCore

.Cmdlets.Commands.SetDrsClusterGroup

I've tried disconnecting the user then connecting the service account and it works when running manually, but when I run it in a script file it throws below error.

Get-DrsClusterGroup : 2017-11-09 10:42:24 Get-DrsClusterGroup Server domain\username@vcenter.domain.local:443 is not connected.

+ ...             Get-DrsClusterGroup -Type VMGroup -Cluster $Cluster -Name ...

+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo          : InvalidArgument: (:) [Get-DrsClusterGroup], ViServerConnectionException

    + FullyQualifiedErrorId : Client20_ConnectivityServiceImpl_TryVerifyIsConnected_NotConnected,VMware.VimAutomation.Vi

Core.Cmdlets.Commands.GetDrsClusterGroup

Command: Get-DrsClusterGroup -Type VMGroup -Cluster $Cluster -Name $DRSGroup | Set-DrsClusterGroup -Add -VM $VMName

Powershell Version: 5.1.15063.674

PowerCLI Version: 6.5.2.6234650

It seems that the first user I connect with keep running commands even if I disconnect the user session and connect a new one when running it as a script, not as a terminal.

How can I switch user/connection in a script or specify which user/connection to use when running a command that does not have the -User parameter?

-- Oskar
Reply
0 Kudos
1 Solution

Accepted Solutions
LittleNickey
Enthusiast
Enthusiast
Jump to solution

I broke the DRS part out of the function and executed it afterwards instead which seems to have solved the issue.

-- Oskar

View solution in original post

Reply
0 Kudos
5 Replies
LucD
Leadership
Leadership
Jump to solution

Did you check the content of $global:defaultviservers?

Are there 2 connections liste din there?

If yes, run Set-DrsClusterGroup with the Server parameter, and reference the entry with the service account.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Reply
0 Kudos
LittleNickey
Enthusiast
Enthusiast
Jump to solution

Hi,

that was what I'm doing and now I've double checked the dual-credentials by printing it right before:

Name                           Port  User

----                           ----  ----

VC              443   Domain\SA_VMware_Test

VC              443   Domain\test_adm

VERBOSE: 16:15: Setting DRS Group membership...

VERBOSE: 2017-11-09 16:15:50 Set-DrsClusterGroup Started execution

VERBOSE: Should perform operation 'Update DRS cluster group' on 'Site1 VMs'?

Set-DrsClusterGroup : 2017-11-09 16:15:52       Set-DrsClusterGroup             Permission to perform this operation was denied. Require

d privilege 'Host.Inventory.EditCluster' on managed object with id 'ClusterComputeResource-domain-c5869'.

+ ... VMs" | Set-DrsClusterGroup -Server ($Global:DefaultVIServers | ? ...

+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo          : NotSpecified: (:) [Set-DrsClusterGroup], NoPermission

    + FullyQualifiedErrorId : Client20_ComputeResourceServiceImpl_SetDrsClusterGroup_ViError,VMware.VimAutomation.ViCo

   re.Cmdlets.Commands.SetDrsClusterGroup

VERBOSE: 2017-11-09 16:15:52 Set-DrsClusterGroup Finished execution

When I run the code slimmed down in a script it works and I cannot reproduce the error, but in a larger script where the Set-DRS command is part of a function in a module and the Connect-VIServer is performed in a script which uses the function I get above error. The $global:defaultviservers still shows both accounts, but even if I specify -Server ($global:defaultviservers | ?{$_.User -eq "Domain\SA_VMware_Test"}) it seems to be using the "user" account, not the "service" account which has the permissions. Not sure why though...

I've even tried printing ($global:defaultviservers | ?{$_.User -eq "Domain\SA_VMware_Test"}) which shows only the correct connection.

-- Oskar
Reply
0 Kudos
LucD
Leadership
Leadership
Jump to solution

Did you already try saving the output of both Connect-VIServer cmdlets in separate variables, and then using those variables on the Server parameter?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Reply
0 Kudos
LittleNickey
Enthusiast
Enthusiast
Jump to solution

Yes Smiley Sad

-- Oskar
Reply
0 Kudos
LittleNickey
Enthusiast
Enthusiast
Jump to solution

I broke the DRS part out of the function and executed it afterwards instead which seems to have solved the issue.

-- Oskar
Reply
0 Kudos