Hi,
I've been trying to get around the issue that some users don't have permissions to set DRS cluster group membership by connecting an additional user ("service account") to the same VC who has "modify cluster" permissions.
I've tried specifying the server using -Server ($global:DefaultVIServers | ?{$_.User -eq $ServiceAccount}) and it works when running manually, but when I run it in a script file it throws below error:
Set-DrsClusterGroup : 2017-11-08 15:54:17 Set-DrsClusterGroup Permission to perform this operation was denied. Required
privilege 'Host.Inventory.EditCluster' on managed object with id 'ClusterComputeResource-domain-c5869'.
+ ... " | Set-DrsClusterGroup -Server ($Global:DefaultVIServers | ? ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Set-DrsClusterGroup], NoPermission
+ FullyQualifiedErrorId : Client20_ComputeResourceServiceImpl_SetDrsClusterGroup_ViError,VMware.VimAutomation.ViCore
.Cmdlets.Commands.SetDrsClusterGroup
I've tried disconnecting the user then connecting the service account and it works when running manually, but when I run it in a script file it throws below error.
Get-DrsClusterGroup : 2017-11-09 10:42:24 Get-DrsClusterGroup Server domain\username@vcenter.domain.local:443 is not connected.
+ ... Get-DrsClusterGroup -Type VMGroup -Cluster $Cluster -Name ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-DrsClusterGroup], ViServerConnectionException
+ FullyQualifiedErrorId : Client20_ConnectivityServiceImpl_TryVerifyIsConnected_NotConnected,VMware.VimAutomation.Vi
Core.Cmdlets.Commands.GetDrsClusterGroup
Command: Get-DrsClusterGroup -Type VMGroup -Cluster $Cluster -Name $DRSGroup | Set-DrsClusterGroup -Add -VM $VMName
Powershell Version: 5.1.15063.674
PowerCLI Version: 6.5.2.6234650
It seems that the first user I connect with keep running commands even if I disconnect the user session and connect a new one when running it as a script, not as a terminal.
How can I switch user/connection in a script or specify which user/connection to use when running a command that does not have the -User parameter?
I broke the DRS part out of the function and executed it afterwards instead which seems to have solved the issue.
Did you check the content of $global:defaultviservers?
Are there 2 connections liste din there?
If yes, run Set-DrsClusterGroup with the Server parameter, and reference the entry with the service account.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Hi,
that was what I'm doing and now I've double checked the dual-credentials by printing it right before:
Name Port User
---- ---- ----
VC 443 Domain\SA_VMware_Test
VC 443 Domain\test_adm
VERBOSE: 16:15: Setting DRS Group membership...
VERBOSE: 2017-11-09 16:15:50 Set-DrsClusterGroup Started execution
VERBOSE: Should perform operation 'Update DRS cluster group' on 'Site1 VMs'?
Set-DrsClusterGroup : 2017-11-09 16:15:52 Set-DrsClusterGroup Permission to perform this operation was denied. Require
d privilege 'Host.Inventory.EditCluster' on managed object with id 'ClusterComputeResource-domain-c5869'.
+ ... VMs" | Set-DrsClusterGroup -Server ($Global:DefaultVIServers | ? ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Set-DrsClusterGroup], NoPermission
+ FullyQualifiedErrorId : Client20_ComputeResourceServiceImpl_SetDrsClusterGroup_ViError,VMware.VimAutomation.ViCo
re.Cmdlets.Commands.SetDrsClusterGroup
VERBOSE: 2017-11-09 16:15:52 Set-DrsClusterGroup Finished execution
When I run the code slimmed down in a script it works and I cannot reproduce the error, but in a larger script where the Set-DRS command is part of a function in a module and the Connect-VIServer is performed in a script which uses the function I get above error. The $global:defaultviservers still shows both accounts, but even if I specify -Server ($global:defaultviservers | ?{$_.User -eq "Domain\SA_VMware_Test"}) it seems to be using the "user" account, not the "service" account which has the permissions. Not sure why though...
I've even tried printing ($global:defaultviservers | ?{$_.User -eq "Domain\SA_VMware_Test"}) which shows only the correct connection.
Did you already try saving the output of both Connect-VIServer cmdlets in separate variables, and then using those variables on the Server parameter?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Yes
I broke the DRS part out of the function and executed it afterwards instead which seems to have solved the issue.