VMware Cloud Community
lurims
Enthusiast
Enthusiast
‎01-08-2019 02:09 PM
Jump to solution

How to add, list users and reset password in ESXi host - with out SSH.

Is there anyway to list users, create users and reset password for a user accounts in ESXi server.  I can possibly use SSH, but I am looking for any vRO vCenter object that can run commands on the ESXi host.  I think even esxcli still needs SSH to be enabled to connect to.

0 Kudos
1 Solution

Accepted Solutions
lurims
Enthusiast
Enthusiast
‎01-15-2019 05:45 PM
Jump to solution

  • Here is the answer for how to elevate ESXi local user permissions to admin level -    How do I elevate the ESXi local user permissions to "admin" using vRO object?
    • host.configManager.hostAccessManager.changeAccessMode(localUserName,false,VcHostAccessMode.accessAdmin); //VcHostAccessMode  - few access modes are avilable, see docs.
  • To List the local users use - host.configManager.hostAccessManager.retrieveHostAccessControlEntries()  - This is an array of all local users in ESXi.
  • Another difficult part was while creating the user, how to set user attributes including password.  Here is how you can do it (credit goes iiliev) .
    • var accountSpecs = new VcHostAccountSpec(localUserName,localUserPassword,localUserDescription);
    • host.configManager.accountManager.createUser(accountSpecs);

View solution in original post

0 Kudos
12 Replies
eoinbyrne
Expert
Expert
‎01-09-2019 07:08 AM
Jump to solution

These might be useful -

Class VcHostAccessManager

Managed object used to control direct access to the host.

This should be used to control users and privileges on the host directly, which are different from the users and privileges defined in vCenter.

Link - vRO API Explorer by Dr Ruurd and Flores of ITQ

There is a method on this class to list user that can access the host and their privileges

Looks like this one then can manage those users

Class VcHostLocalAccountManager

This managed object type provides an interface through which local accounts on a host are managed. Note that this managed object applies only to applications that use a local account database on the host to provide authentication (ESX Server, for example). POSIX and win32 hosts may impose different restrictions on the password, ID, and description formats. POSIX host implementation may restrict the user or group name to be lower case letters and less than 16 characters in total. It may also disallow characters such as ";", "\n", and so on. In short, all the platform dependent rules and restrictions regarding naming of users/groups and password apply here. An InvalidArgument fault is thrown if any of these rules are not obeyed.

Link - vRO API Explorer by Dr Ruurd and Flores of ITQ

Links should point to vroapi.com

HTH

0 Kudos
lurims
Enthusiast
Enthusiast
‎01-09-2019 08:23 AM
Jump to solution

Thank you eoinbyrne.  I will try this and post the findings.

0 Kudos
lurims
Enthusiast
Enthusiast
‎01-09-2019 08:45 AM
Jump to solution

What is/are the patent object(s) to get this object VcHostAccessManager?  I have tried with VC:HostSystem, it did not work.  I must be missing some other cascaded objects inbetween I believe.  Any idea?

0 Kudos
iiliev
VMware Employee
VMware Employee
‎01-09-2019 09:35 AM
Jump to solution

host.configManager.hostAccessMAnager

0 Kudos
lurims
Enthusiast
Enthusiast
‎01-11-2019 10:28 AM
Jump to solution

Thanks, I am able to list the local users, but do not see any explicit method for changing the password.  I see updateSystemUsers, but do not see any arguments to pass the password.  I also need to create a new user.  Is it just adding a user name in the arguments or updateSystemUsers method?

0 Kudos
lurims
Enthusiast
Enthusiast
‎01-11-2019 02:03 PM
Jump to solution

I found more information and I see VcHostLocalAccountManager uses VcHostAccountSpec to update the user and password, but trying to figure out how to instantiate this object, please through if you have an example for VcHostAccountSpec.

0 Kudos
iiliev
VMware Employee
VMware Employee
‎01-11-2019 02:42 PM
Jump to solution

VcHostAccountSpec is a data object with both no-arg and all-args constructors, so you should be able to instantiate it using either of the following ways:

var spec = new VcHostAccountSpec("userid", "userpassword", "some description")

or

var spec = new VcHostAccountSpec();
spec.id = "userid";
spec.password = "userpassword";
spec.description = "some description";
0 Kudos
lurims
Enthusiast
Enthusiast
‎01-11-2019 07:27 PM
Jump to solution

Thanks.  I have drilled down the VCHostSystem further and able to create the user on ESXi. 

host.configManager.accountManager.createUser(userSpecsObj).

As it returns null when created, I need to check back to see if the user is really created or not.  Why this object is missing getUsers property? 

pastedImage_0.png

When I used configManager.hostAccessManager.querySystemUsers it is really returning the default system accounts, not user created accounts.  Is there any equivalent to list user created "user accounts"?  Similarly I also need the getUserGroups too.

0 Kudos
lurims
Enthusiast
Enthusiast
‎01-11-2019 07:54 PM
Jump to solution

Seems adding an ESXi local user to a group is not supported it seems.  I got an error saying not supported as given the description of the method.

pastedImage_0.png

0 Kudos
eoinbyrne
Expert
Expert
‎01-13-2019 01:16 PM
Jump to solution

Checked the VC API documentation and the group related methods are all deprecated since 5.1

https://vdc-repo.vmware.com/vmwb-repository/dcr-public/6b586ed2-655c-49d9-9029-bc416323cb22/fa0b429a...

pastedImage_1.png

The methods to add / remove / update a single user are still available it seems but not sure if that suits your use case?

Also, I find it interesting / alarming that the generated documentation on vropai.com does not reflect the Deprecation warnings for the plugin classes and methods. Must make sure to keep that in mind for future

-Eoin

0 Kudos
lurims
Enthusiast
Enthusiast
‎01-14-2019 06:14 AM
Jump to solution

Thanks Eoin for checking.  So that means there is no way to make the newly created user as the admin level privilege user using vRO Vcenter API (I am trying to avoid an extra host to manage, like Powershell host to run PowerCLI)?  Any idea about why

System.log(host.configManager.hostAccessManager.querySystemUsers());

is only displaying system users, not the user created users(da, it is system users, but I do not see another method to list all users)?

Are these methods (adding users, listing users etc) may also get deprecated in the next releases?

How do I elevate the user permissions to "admin"?  Which vRO object is having that method?

0 Kudos
lurims
Enthusiast
Enthusiast
‎01-15-2019 05:45 PM
Jump to solution

  • Here is the answer for how to elevate ESXi local user permissions to admin level -    How do I elevate the ESXi local user permissions to "admin" using vRO object?
    • host.configManager.hostAccessManager.changeAccessMode(localUserName,false,VcHostAccessMode.accessAdmin); //VcHostAccessMode  - few access modes are avilable, see docs.
  • To List the local users use - host.configManager.hostAccessManager.retrieveHostAccessControlEntries()  - This is an array of all local users in ESXi.
  • Another difficult part was while creating the user, how to set user attributes including password.  Here is how you can do it (credit goes iiliev) .
    • var accountSpecs = new VcHostAccountSpec(localUserName,localUserPassword,localUserDescription);
    • host.configManager.accountManager.createUser(accountSpecs);
0 Kudos