30 Replies. Latest reply on May 22, 2019 5:55 AM by LucD
      • 15. Re: PowerCLI script question
        LucD Guru
        Community Warriors, User Moderators, vExpert

        Yes, it is encrypted.

        It uses DPAPI, the MSFT cryptographic API available in Windows (which is also the reason why the VICredentialStore cmdlets are not supported on PowerShell Core).

        The encrypted password is indeed stored on your station, and can only be decrypted on that same station and by the same user.

        The reason is that the encryption key is also stored on the station and linked to the user account.

        Is it secure?

        Yes and no.

        For day-to-day use it is considered safe, but an experienced hacker can reverse the DPAPI encryption.

        There have been reported methods on how to do that.

        Ultimately, if security is of the utmost importance in your environment, you will need to go further than just encrypted passwords.

        Procedures with 2FA and/or a security token should be considered.

        On the side, we had an interesting thread on a similar subject some time ago, see Is there a way to log onto vsphere clients without seeing clear text password?

        Blog: http://lucd.info | Twitter: @LucD22 | PowerCLI Reference co-author: http://tinyurl.com/hkn4glz
        • 16. Re: PowerCLI script question
          jvignacioproj Novice

          Hi LucD,

          I've tried the below like this:

          #Variables
          $vc1 = 'vc01'
          $vc2 = 'vc02'
          $credfile = 'vicredentials.xml'
          $cred = Get-VICredentialStoreItem -File $credfile -Host $vc2

          #Connect to vCenters
          Connect-VIServer -Server $vc1
          Connect-VIServer -Server $vc2 -User $cred.User -Password $cred.Password

          It's actually working but I also get this error message:

           

          Get-VICredentialStoreItem : Cannot bind parameter 'File' to the target. Exception setting "File": "Credentials file doesn't exist."

          At line:12 char:41

          + $cred = Get-VICredentialStoreItem -File $credfile -Host $vc2

          +                                         ~~~~~~~~~

              + CategoryInfo          : WriteError: (:) [Get-VICredentialStoreItem], ParameterBindingException

              + FullyQualifiedErrorId : ParameterBindingFailed,VMware.VimAutomation.ViCore.Cmdlets.Commands.GetVICredentialStoreItem

          Again it's working by just running the script manually (haven't tried the scheduled task yet) but I still get the error above. Should I be concerned about it?

          Also confirming I can see %APPDATA%\VMware\credstore\vicredentials.xml

          thanks

          • 17. Re: PowerCLI script question
            LucD Guru
            vExpert, Community Warriors, User Moderators

            Did you try specifying the full path, instead of just the filename, to the $credfile variable?

            Blog: http://lucd.info | Twitter: @LucD22 | PowerCLI Reference co-author: http://tinyurl.com/hkn4glz
            • 18. Re: PowerCLI script question
              jvignacioproj Novice

              I haven't tried that yet but why is it still working?

              • 19. Re: PowerCLI script question
                LucD Guru
                vExpert, Community Warriors, User Moderators

                Are you sure there are no open connections when you run the script?
                Check the content of $global:defaultviservers.

                The Connect-VIServer to vc2 definitely fails, and according to the message because it can't find the credentials XML file.

                Blog: http://lucd.info | Twitter: @LucD22 | PowerCLI Reference co-author: http://tinyurl.com/hkn4glz
                • 20. Re: PowerCLI script question
                  jvignacioproj Novice

                  Hi LucD, I'm sure and it worked, however after adding the full path, I don't get any error messages and it continues to work fine, even through a scheduled task.

                  Job done.

                  Thanks for all your help!! Appreciated.

                  • 21. Re: PowerCLI script question
                    jvignacioproj Novice

                    Hi LucD,

                    I'm now revisiting this same script but extending it to add another 2 vCenters (for production).

                    The previous one was for (non-production).

                    What's the best way of adding 2 new vCenters?

                    The current script moves all the non-production templates from one vCenter to another.


                    #Import PowerCLI module
                    Import-Module VMware.VimAutomation.Core

                    #Variables
                    $vc1 = 'vcenter1'
                    $vc2 = 'vcenter2'
                    $credfile = 'C:\Users\ACCOUNT\AppData\Roaming\VMware\credstore\vicredentials.xml'
                    $cred = Get-VICredentialStoreItem -File $credfile -Host $vc2

                    #Connect to vCenters
                    Connect-VIServer -Server $vc1
                    Connect-VIServer -Server $vc2 -User $cred.User -Password $cred.Password

                    #Import CSV file with template names
                    $currentTemplates = Import-Csv \\SERVER\Templates.csv

                    foreach($template in $currentTemplates){

                        #Check if all templates exist in vCenter2. If found, delete template permanently (inventory and files). If not found (error action), go to Catch.
                        Try{
                            $checkTemplates = Get-Template -Name $($template.template) -Server $vc2 -ErrorAction Stop
                            Remove-Template -Template $checkTemplates -Server $vc2 -DeletePermanently -Confirm:$false
                            Write-Output "Removed template $($template.template) on vCenter $vc2"
                        }
                        Catch{
                            Write-Output "Template $($template.template) not found on vCenter $vc2"
                        }

                        # Get destination host and datastore
                        $esx2 = Get-VMHost -Name $template.vmhost -Server $vc2
                        $ds2 = Get-Datastore -Name $template.datastore -Server $vc2

                        #Clone existing templates in vCenter1 to vCenter1 in the same folder with "-clone" appended to the name.
                        #-Server $vc1 keeps the name lookup on vCenter1 while both vCenters are connected.
                        $newTemplate = "$($template.template)-clone"
                        New-Template -Template $($template.template) -Name $newTemplate -Server $vc1 -Confirm:$false
                        Write-Output "Cloned template $($template.template) to $newTemplate on vCenter $vc1"

                        #Convert the cloned template to VM
                        Write-Output "Converting template $newTemplate to a VM on vCenter $vc1....."
                        Set-Template -Template $newTemplate -ToVM -Confirm:$false -Server $vc1

                        #Remove the NIC from VM and migrate to vCenter2
                        Write-Output "Migrating VM $newTemplate to vCenter $vc2 on host $esx2 and datastore $ds2..."
                        $nic = Get-NetworkAdapter -VM $newTemplate -Server $vc1
                        Remove-NetworkAdapter -NetworkAdapter $nic -Confirm:$false

                        #vMotion VM from vc1 to vc2 on specific host and datastore
                        Move-VM -VM $newTemplate -Destination $esx2 -Datastore $ds2 -Server $vc1

                        #Add NIC with specific port group (the VM now lives on vCenter2)
                        New-NetworkAdapter -VM $newTemplate -NetworkName "vCenter2 port group name" -StartConnected -Type Vmxnet3 -Server $vc2

                        #Rename VM to original name
                        Write-Output "Renaming VM $newTemplate to $($template.template) on vCenter $vc2...."
                        $newVM = Set-VM -VM $newTemplate -Name $($template.template) -Confirm:$false -Server $vc2

                        #Move VM into a specific folder
                        Move-VM -VM $newVM -Destination "Templates" -Server $vc2

                        #Convert VM to template
                        Write-Output "Converting VM $newVM to a template on vCenter $vc2....."
                        Set-VM -VM $newVM -ToTemplate -Confirm:$false -Server $vc2

                    }

                    #Disconnect from both vc's
                    Disconnect-VIServer -Server $vc1 -Confirm:$false
                    Disconnect-VIServer -Server $vc2 -Confirm:$false

                    • 22. Re: PowerCLI script question
                      LucD Guru
                      Community Warriors, User Moderators, vExpert

                      Yes, it uses DPAPI, which is a not-so-secure method on Windows platforms.

                      Which is also the reason why the CredentialStoreItem cmdlets are not supported in PS Core, since this DPAPI is not present in .Net Core.

                      When in normal use, the encryption requires the same account and station as the one that did the encryption.

                      But there are some documented methods to retrieve the decrypted data.

                      For day-to-day use, I think the method is safe enough.
                      Is it unbreakable?
                      No, but if the documented methods for decrypting the data can be used, you have another problem in your environment.

                      Blog: http://lucd.info | Twitter: @LucD22 | PowerCLI Reference co-author: http://tinyurl.com/hkn4glz
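Replies 15 and 22 both describe what the credential store relies on: DPAPI, with the blob bound to the account and station that encrypted it. The following is an added example (not code from the thread, from LucD, or from PowerCLI) that calls DPAPI directly from Windows PowerShell 5.1 so the two scopes can be compared. The function names Protect-String and Unprotect-String, the entropy value and the sample secret are all constructed for this example; VICredentialStore's own file format is not reproduced here.

```powershell
# Added example: DPAPI scopes as seen from Windows PowerShell 5.1.
# ProtectedData lives in System.Security.dll, which is not loaded by default.
# (As reply 22 notes, this API is the reason the cmdlets are not available on PS Core.)
Add-Type -AssemblyName System.Security

function Protect-String {
    # Hypothetical helper: DPAPI-protect a string, returning a Base64 blob.
    param(
        [Parameter(Mandatory)][string]$PlainText,
        [ValidateSet('CurrentUser', 'LocalMachine')][string]$Scope = 'CurrentUser',
        [byte[]]$Entropy = $null
    )
    $dpScope = [Security.Cryptography.DataProtectionScope]$Scope
    $bytes   = [Text.Encoding]::UTF8.GetBytes($PlainText)
    $blob    = [Security.Cryptography.ProtectedData]::Protect($bytes, $Entropy, $dpScope)
    [Convert]::ToBase64String($blob)
}

function Unprotect-String {
    # Hypothetical helper: reverse of Protect-String; throws if scope, account or entropy do not match.
    param(
        [Parameter(Mandatory)][string]$Base64Blob,
        [ValidateSet('CurrentUser', 'LocalMachine')][string]$Scope = 'CurrentUser',
        [byte[]]$Entropy = $null
    )
    $dpScope = [Security.Cryptography.DataProtectionScope]$Scope
    $blob    = [Convert]::FromBase64String($Base64Blob)
    $bytes   = [Security.Cryptography.ProtectedData]::Unprotect($blob, $Entropy, $dpScope)
    [Text.Encoding]::UTF8.GetString($bytes)
}

# Constructed sample secret; not a real password.
$secret = 'S3cr3t-Example'

# CurrentUser scope: this is the binding reply 15 describes. Only the same Windows
# account on this machine can call Unprotect successfully; another account, or a
# copy of the blob on another machine, gets a CryptographicException.
$userBlob = Protect-String -PlainText $secret -Scope CurrentUser
"CurrentUser blob (Base64): $userBlob"
"Round trip as the same user: $(Unprotect-String -Base64Blob $userBlob -Scope CurrentUser)"

# LocalMachine scope: any account on this machine can unprotect the blob.
# This is the wider setting to avoid on shared or multi-user hosts.
$machineBlob = Protect-String -PlainText $secret -Scope LocalMachine
"Round trip with LocalMachine scope: $(Unprotect-String -Base64Blob $machineBlob -Scope LocalMachine)"

# Optional entropy is a second secret the caller must supply; it raises the bar for
# anyone who obtains the blob and the user context but not the entropy.
$entropy     = [Text.Encoding]::UTF8.GetBytes('constructed-entropy-value')
$entropyBlob = Protect-String -PlainText $secret -Entropy $entropy
try {
    Unprotect-String -Base64Blob $entropyBlob | Out-Null
    'Unexpected: unprotect without entropy succeeded'
}
catch {
    "As expected, unprotect without the matching entropy failed: $($_.Exception.Message)"
}
"Unprotect with entropy: $(Unprotect-String -Base64Blob $entropyBlob -Entropy $entropy)"
```

Running this as one user shows the round trips succeed; the cross-account failure cannot be shown in a single session, but is what a scheduled task running under a different service account will hit if the credential file was created interactively under another user. That is the practical consequence of LucD's point: the file only protects the password as far as the account and the station are protected, so the account that runs the task should be the one that created the store, and access to that account is what needs guarding.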
                      • 23. Re: PowerCLI script question
                        jvignacioproj Novice

                        Hi LucD,

                        Thanks for that but I don't think you answered my question. I'm after improving the existing script that I copied in.

                        "I'm now revisiting this same script but extending it to add another 2 vCenters (for production).

                        The previous one was for (non-production).

                        What's the best way of adding 2 new vCenters?

                        The current script moves all the non-production templates from one vCenter to another vCenter DR."

                        • 24. Re: PowerCLI script question
                          LucD Guru
                          User Moderators, vExpert, Community Warriors

                          Indeed, I was obviously looking at the wrong part of the thread.

                          Using multiple vCenters is not a problem, but you should probably indicate somehow which template goes from which vCenter to which vCenter.
                          Is that info available in an external file, or is there any way to find out by looking at the template?

                          Blog: http://lucd.info | Twitter: @LucD22 | PowerCLI Reference co-author: http://tinyurl.com/hkn4glz
                          • 25. Re: PowerCLI script question
                            jvignacioproj Novice

                            Hi LucD,

                            At the moment, the template info is stored externally in "templates.csv".

                            The info is only for the vCenter non-production DR site and where the template should land.

                            template    vmhost      datastore
                            template    esxiHost    datastoreName
                            • 26. Re: PowerCLI script question
                              LucD Guru
                              User Moderators, vExpert, Community Warriors

                              I don't really understand what you are trying to do here?
                              Adapt the script, so it can work for multiple environments?

                              Blog: http://lucd.info | Twitter: @LucD22 | PowerCLI Reference co-author: http://tinyurl.com/hkn4glz
                              • 27. Re: PowerCLI script question
                                jvignacioproj Novice

                                Hi LucD,

                                Yes, amend the existing script that I posted so it can include 2 new vCenters.

                                The current script moves templates from our main site vCenter (non-production) to our DR site vCenter (non-production).

                                I'm trying to now include moving templates from our main site vCenter (production) to our DR site vCenter (production).

                                FYI we have 4 vCenters (2 x main site for prod and non-prod, and 2 x DR site prod and non-prod).

                                Hope this now makes sense.

                                • 28. Re: PowerCLI script question
                                  LucD Guru
                                  vExpert, Community Warriors, User Moderators

                                  It does, but why not use the same script and just change the vCenter names?
                                  You could even make the names parameters for the script.

                                  Or are these environments all mixed?
                                  Can a template move from the staging vCenter to any other vCenter?

                                  Blog: http://lucd.info | Twitter: @LucD22 | PowerCLI Reference co-author: http://tinyurl.com/hkn4glz
                                  • 29. Re: PowerCLI script question
                                    jvignacioproj Novice

                                    I have tested changing the names in the same script and it works but I don't want to be doing this manually or maintaining two separate scripts (for non-prod and prod).

                                    Aiming to use the same script but either run the copies at the same time or straight after the other copy.

                                    If you recommend just creating a separate script for prod (same script but change variables) then I can do that.

                                    What do you mean by name parameters? Can you show me the example?
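LucD's suggestion in reply 28 was to make the vCenter names parameters of the script, so the same file runs for the non-prod pair and the prod pair. The following is an added example of that idea, written for this thread and not LucD's or the poster's own code. It keeps the template workflow from reply 21 (remove any stale copy on the target, clone on the source, convert to VM, drop the NIC, migrate, re-add the NIC, rename, move into a folder, convert back) and turns the four hard-coded values into parameters. The parameter names, the script file name Move-Templates.ps1, the -TargetPortGroup and -TargetFolder parameters, and the use of $env:APPDATA to build the credential file path are all assumptions made here; the CSV columns template, vmhost and datastore are the ones from reply 25.

```powershell
<#
  Added example: the reply 21 workflow with the environment-specific values as
  parameters. Save as Move-Templates.ps1 and run once per vCenter pair.
  Assumes PowerCLI with cross-vCenter Move-VM support and a credential store
  entry for the target vCenter created by the account that runs the script.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$SourceVC,
    [Parameter(Mandatory)][string]$TargetVC,
    [Parameter(Mandatory)][string]$CsvPath,
    [Parameter(Mandatory)][string]$TargetPortGroup,
    [string]$TargetFolder = 'Templates',
    # Full path, as reply 17 advised; $env:APPDATA resolves for whichever account runs
    # the task, so no account name is hard-coded (assumed default, not from the thread).
    [string]$CredentialFile = (Join-Path $env:APPDATA 'VMware\credstore\vicredentials.xml')
)

Import-Module VMware.VimAutomation.Core -ErrorAction Stop

# Fail early with a clear message instead of the parameter-binding error from reply 16.
if (-not (Test-Path -LiteralPath $CredentialFile)) {
    throw "Credential file not found: $CredentialFile"
}
$cred = Get-VICredentialStoreItem -File $CredentialFile -Host $TargetVC -ErrorAction Stop

# Keep the session objects and pass them with -Server, so name lookups never resolve
# against the wrong vCenter while two connections are open (reply 19's concern).
$src = Connect-VIServer -Server $SourceVC -ErrorAction Stop
$dst = Connect-VIServer -Server $TargetVC -User $cred.User -Password $cred.Password -ErrorAction Stop

try {
    foreach ($row in Import-Csv -Path $CsvPath) {
        $name = $row.template

        # Remove a stale copy on the target, if one exists.
        $old = Get-Template -Name $name -Server $dst -ErrorAction SilentlyContinue
        if ($old -and $PSCmdlet.ShouldProcess("$name on $TargetVC", 'Remove-Template')) {
            Remove-Template -Template $old -Server $dst -DeletePermanently -Confirm:$false
            Write-Output "Removed template $name on vCenter $TargetVC"
        }

        # Destination host, datastore and folder, all resolved on the target vCenter.
        $esx    = Get-VMHost    -Name $row.vmhost    -Server $dst -ErrorAction Stop
        $ds     = Get-Datastore -Name $row.datastore -Server $dst -ErrorAction Stop
        $folder = Get-Folder    -Name $TargetFolder  -Type VM -Server $dst -ErrorAction Stop

        if (-not $PSCmdlet.ShouldProcess("$name from $SourceVC to $TargetVC", 'Clone, migrate and convert')) {
            continue
        }

        # Clone on the source so the original template stays where it is.
        $source = Get-Template -Name $name -Server $src -ErrorAction Stop
        $clone  = New-Template -Template $source -Name "$name-clone" -Server $src -Confirm:$false
        $vm     = Set-Template -Template $clone -ToVM -Confirm:$false

        # Drop the NIC before the cross-vCenter move, then re-attach it on the target port group.
        Get-NetworkAdapter -VM $vm | Remove-NetworkAdapter -Confirm:$false
        $vm = Move-VM -VM $vm -Destination $esx -Datastore $ds -Confirm:$false
        New-NetworkAdapter -VM $vm -NetworkName $TargetPortGroup -StartConnected -Type Vmxnet3 -Confirm:$false | Out-Null

        # Restore the original name, file it in the target folder and convert back to a template.
        $vm = Set-VM -VM $vm -Name $name -Confirm:$false
        $vm = Move-VM -VM $vm -InventoryLocation $folder -Confirm:$false
        Set-VM -VM $vm -ToTemplate -Confirm:$false | Out-Null
        Write-Output "Moved template $name from $SourceVC to $TargetVC"
    }
}
finally {
    # Always close both sessions, even if a template in the middle of the list failed.
    Disconnect-VIServer -Server $src, $dst -Confirm:$false
}
```

The two runs the poster wants are then two invocations of one file, for instance `.\Move-Templates.ps1 -SourceVC vcenter1 -TargetVC vcenter2 -CsvPath \\SERVER\Templates.csv -TargetPortGroup 'DR-nonprod-PG'` followed by the same line with the production vCenter names and CSV; the scheduled task can run them one after the other. Because the script supports ShouldProcess, adding `-WhatIf` lists every remove, clone and migration without performing any of them, which is a cheap check before pointing it at the production pair for the first time.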