It seems like a pretty simple thing to look for, I just want an export saying Group A has these members, Group B has these members, etc.
I haven't been able to figure it out, but I am just starting out with PowerCLI.
I can get a list of all users or all groups easily enough with Get-VIAccount, but I don't know how to view the relationship between them.
(edit) Just to clarify, this is without using any AD or LDAP. The local account database for vCenter.
Are you referring to the local groups on the vCenter server?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Yes, the local groups on the vCenter.
I, too, have come to a dead end in my search for such a solution. Have you found a solution?
I want to get a list of all the members of the various vsphere.local groups using PowerCLI.
I can get the groups, but cannot figure out how to get the members.
get-viaccount -Group -domain vsphere.local | ft -a
Help...!
No public API for SSO I'm afraid, but you can call the dir-cli command via a SSH session to the VCSA.
You will need to have the Posh-Ssh module installed, and SSH on your VCSA needs to be enabled.
You can do something like this
#requires -Modules posh-ssh

# Credentials for the SSH session to the VCSA (hard-coded in this example)
$user = 'root'
$pswd = 'VMware1!'
$ssoDomain = 'vsphere.local'

# Host name of the vCenter that PowerCLI is currently connected to
$vcsaName = ([uri]$global:DefaultVIServer.ServiceUri).Host

$pswdSec = ConvertTo-SecureString -String $pswd -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($user,$pswdSec)

# Single-quoted template: $groupName and $pswd are expanded per group below.
# Note that --password places the password on the remote command line.
$cmd = '/usr/lib/vmware-vmafd/bin/dir-cli group list --name $groupName --password $pswd'

$ssh = New-SSHSession -ComputerName $vcsaName -Credential $cred -AcceptKey -KeepAliveInterval 5

Get-VIAccount -Group -Domain $ssoDomain |
ForEach-Object -Process {
    $groupName = $_.Id
    $groupCmd = $ExecutionContext.InvokeCommand.ExpandString($cmd)
    $out = Invoke-SSHCommand -SessionId $ssh.SessionId -Command $groupCmd -TimeOut 30
    # One member DN per output line; skip empty lines, keep the first CN value
    $out.Output.Split("`r") |
    Where-Object { $_.Trim() } |
    Select-Object @{N='Group';E={$groupName}},
        @{N='User';E={$_.Split(',')[0] -replace 'CN=',''}}
}

Remove-SSHSession -SessionId $ssh.SessionId | Out-Null
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
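An added example (not part of the post above, and not PowerCLI or Posh-SSH code): a parser for dir-cli group list output that separates SSO accounts, service principals and externalObjectId SID entries of the kind shown later in this thread. The function name ConvertFrom-DirCliGroupList, the Type labels and the sample lines are constructed for illustration.

```powershell
function ConvertFrom-DirCliGroupList {
    # Hypothetical helper: turns raw 'dir-cli group list' output into objects.
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][AllowEmptyCollection()][AllowEmptyString()][string[]]$Line
    )
    foreach ($raw in ($Line -split '\r?\n')) {
        $entry = $raw.Trim()
        # Skip blank lines and the interactive password prompt
        if (-not $entry -or $entry -like 'Enter password for*') { continue }

        if ($entry -match '^externalObjectId=(?<sid>S-[\d-]+)$') {
            # Member from an external identity source, listed only by SID
            $member = $Matches['sid']
            $type   = 'ExternalSid'
        }
        elseif ($entry -match '^CN=(?<cn>(?:\\.|[^,\\])+),') {
            # -match is case-insensitive, so cn= and CN= are both accepted;
            # the pattern also tolerates escaped commas inside the CN value
            $member = $Matches['cn']
            $type   = if ($entry -like '*,CN=ServicePrincipals,*') { 'ServicePrincipal' }
                      else { 'SsoAccount' }
        }
        else {
            # Keep anything unrecognised instead of silently dropping it
            $member = $entry
            $type   = 'Unknown'
        }
        [pscustomobject]@{ Group = $Group; Member = $member; Type = $type; Entry = $entry }
    }
}

# Constructed sample output (not taken from a real system)
$sample = @(
    'Enter password for administrator@vsphere.local:'
    'cn=Administrator,cn=Users,dc=vsphere,dc=local'
    'CN=machine-00000000-0000-0000-0000-000000000000,CN=ServicePrincipals,DC=vsphere,DC=local'
    'externalObjectId=S-1-5-21-1111111111-2222222222-3333333333-1001'
    ''
)

$members = ConvertFrom-DirCliGroupList -Group 'Administrators' -Line $sample
$members | Format-Table Group, Member, Type -AutoSize

# Entries that exist in the group only as external SIDs
$members | Where-Object Type -eq 'ExternalSid' | Select-Object Group, Member
```

Inside the loop of the script above, the same function could be fed with -Group $groupName -Line $out.Output.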
Hi Luc
With the current PowerCLI version, is it possible now?
Unfortunately I'm running vSphere 6.0 with Windows vCenter Server...
I'm afraid not.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
VMware has to work on it 😉
Thank you
The basic issue is that there is no public API.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Is there any way to remove stale AD users from a local group? Long story short, I had to rejoin an appliance to AD and discovered this...
root@server [ /opt/likewise/bin ]# /usr/lib/vmware-vmafd/bin/dir-cli group list --name 'Administrators'
Enter password for administrator@vsphere.local:
cn=Administrator,cn=Users,dc=vsphere,dc=local
CN=machine-eff691c0-6076-430f-9767-a187a117e387,CN=ServicePrincipals,DC=vsphere,DC=local
CN=vsphere-webclient-eff691c0-6076-430f-9767-a187a117e387,CN=ServicePrincipals,DC=vsphere,DC=local
externalObjectId=S-1-5-21-1271409858-1095883707-2794662393-94424866
externalObjectId=S-1-5-21-1271409858-1095883707-2794662393-1094482
externalObjectId=S-1-5-21-1271409858-1095883707-2794662393-5099061
externalObjectId=S-1-5-21-1271409858-1095883707-2794662393-91825835
externalObjectId=S-1-5-21-1271409858-1095883707-2794662393-26371790
externalObjectId=S-1-5-21-1271409858-1095883707-2794662393-556046
I'm afraid not (afaik).
The dir-cli command only seems to allow adding users to a group.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
I have a date with support today when I get onsite, so I will get to find out a method today. Hope all is well, Luc!
Cheers!