conradsia
Hot Shot
Hot Shot

Add local users to multiple servers

I am looking to add some local users and I want to see if this can be done with powershell. I am completely new to powershell so I am looking for some direction. Any help will be appreciated.

Thanks

0 Kudos
15 Replies
LucD
Leadership
Leadership

Where do you want to add these local users?

To the ESX servers or to servers running as guests ?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
halr9000
Commander
Commander

Do you have a virtual center server or not? The answer affects how you work with multiple servers (but it can be done either way).

Author of the upcoming book: Managing VMware Infrastructure with PowerShell

Co-Host, PowerScripting Podcast (http://powerscripting.net)

My signature used to be pretty, but then the forum software broked it. vExpert. Microsoft MVP (Windows PowerShell). Author, Podcaster, Speaker. I'm @halr9000
0 Kudos
admin
Immortal
Immortal

If you are looking to add local users to ESX servers, there is a cmdlets called 'New-VMHostAccount' that can help you do that.

Unfortunately there is no cmdlet for VC.

admin
Immortal
Immortal

You could probably use something like Quest's Active Directory cmdlets to, for lack of a better way of describing it, "add users to VirtualCenter", assuming that you use Active Directory with VC.

0 Kudos
conradsia
Hot Shot
Hot Shot

Hello,

Thanks for all the replies, yes we use virtual center, yes I use AD authentication to virtual center and yes we authenticate to the ESX servers using kerberos. I need to add new admins to all of our ESX hosts when we hire on new people so I need a more efficient way to do this than logging in to each server and doing a user add. I also need to add them to the sudoers file.

I think your answers will help get me going but any more suggestions are most definitely welcome.

0 Kudos
halr9000
Commander
Commander

I need to add new admins to all of our ESX hosts when we hire on new people so I need a more efficient way to do this than logging in to each server and doing a user add.

Try something like this (not tested):

param (
	$Server, 
	$UserID, 
	$Password = "t3mpP@ss",
	$Group = @("adm", "floppy", "gopher")
)

$conn = connect-viserver -server $esx # you'll be prompted to login
$desc = "ESX Server Administrator Account"
$UserID | ForEach-Object {
	new-vmhostaccount -server $conn -Id $_ -Description $Desc -Password $Password `
		-AssignGroups $Group
}

Save as a file (e.g. makeAcct.ps1) and use like so:

PS > $esx = "server1", "server2", "server3"
PS > $users = "jsmith", "bsmith", "ksmith"
PS > .\makeAcct.ps1 -server $esx -userID $users

You may want to change those groups. Smiley Happy

Author of the upcoming book: Managing VMware Infrastructure with PowerShell

Co-Host, PowerScripting Podcast (http://powerscripting.net)

My signature used to be pretty, but then the forum software broked it. vExpert. Microsoft MVP (Windows PowerShell). Author, Podcaster, Speaker. I'm @halr9000
0 Kudos
wharlie
Contributor
Contributor

Hal,

I'm new to powershell.

I am using a script similar to yours.

The problem I am having is that it creates the new user account but doesn't give it shell access.

0 Kudos
halr9000
Commander
Commander

You'll need to use '-AssignGroups $Group' and choose a sensible default for that.

Author of the upcoming book: Managing VMware Infrastructure with PowerShell

Co-Host, PowerScripting Podcast (http://powerscripting.net)

My signature used to be pretty, but then the forum software broked it. vExpert. Microsoft MVP (Windows PowerShell). Author, Podcaster, Speaker. I'm @halr9000
0 Kudos
halr9000
Commander
Commander

Note that you don't have to do it over...use Get-VMHostAccount to grab the user accounts you have created, then pipe to Set-VMHostAccount and use the AssignGroups parameter as you would with New-VMHostAccount.

Get-VMHostAccount -id jsmith | set-vmhostaccount -assigngroups @("gopher", "ftp") # don't use these groups 🙂

Author of the upcoming book: Managing VMware Infrastructure with PowerShell

Co-Host, PowerScripting Podcast (http://powerscripting.net)

My signature used to be pretty, but then the forum software broked it. vExpert. Microsoft MVP (Windows PowerShell). Author, Podcaster, Speaker. I'm @halr9000
0 Kudos
wharlie
Contributor
Contributor

I don't quiet understand.

When I create a new user with New-VMHostAccount it creates an account that doesn't have shell access.

No default shell as per line below from /etc/passwd.

newuser:x:502:501::/home/newuser:/bin/false

As I understand it needs to be

newuser:x:502:501::/home/newuser:/bin/bash

Thanks for your help

0 Kudos
halr9000
Commander
Commander

When I create a new user with New-VMHostAccount it creates an account that doesn't have shell access.

No default shell as per line below from /etc/passwd.

Oh! I get it now. Hmm...that's a good one...

I'm gonna make a snap judgement and say that this may not be doable

using polite conventional means. I mean, by design, you would not

normally give your ESX users shell access, no matter their level of

permission on the host server itself. That is sort of crossing the

application boundary over to the COS (console OS). It is entirely

possible that this is not doable from the VI SDK, and hence, not

/easy/ from PowerShell.

Didn't say not possible though. Let's hear a couple more opinions on

the VI SDK's abilities before I go down the no-vi-sdk route.

--

Author, Tech Prosaic blog (http://halr9000.com)

Webmaster, Psi (http://psi-im.org)

Community Director, PowerShellCommunity.org

Co-host, PowerScripting Podcast (http://powerscripting.net)

Follow me on Twitter: http://twitter.com/halr9000

My signature used to be pretty, but then the forum software broked it. vExpert. Microsoft MVP (Windows PowerShell). Author, Podcaster, Speaker. I'm @halr9000
0 Kudos
wharlie
Contributor
Contributor

I should have mentioned this is only for top level ESX admins.

There are still lots of things things you can't do through the VC client.

We prefer our admins to log in with there own accounts and su to root if needed.

We have 44 ESX 3.5 hosts and it's a pain to have to log into each host vi the VC client to create and delete accounts.

There are other ways I can do this but I thought I'd give powershell a go.

Thanks again

0 Kudos
halr9000
Commander
Commander

There are other ways I can do this but I thought I'd give powershell a go.

Well, that's certainly what this forum is for. It's just that if it

cannot be done via the VI SDK then its gets ugly.

I should have mentioned this is only for top level ESX admins.

Oh, I don't care what you do. Smiley Happy I was just making sure that you did

recognize the distinction betwixt COS and ESX admins.

There are still lots of things things you can't do through the VC client.

You mind starting a new thread with this list of things? It would be

a good seed for new scripts for others to write.

We prefer our admins to log in with there own accounts and su to root if needed.

We have 44 ESX 3.5 hosts and it's a pain to have to log into each host vi the VC client to create and delete accounts.

Well, we can't have you doing it that way, that's just silly.

Step 1. Download plink from the putty project

(http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html) and

put it in your path.

Step 2. Make a mess...

This assumes that your ESX server namess are resolvable via DNS.

$user = "root"
$pass = "pass"
# example sed cmd only...it'll enable shell access for *all* users
$cmd = "sed -i 's/\/bin\/false/\/bin\/false/g' /etc/passwd"
Get-VMHost | ForEach-Object {
        plink -batch -pw $pass "$user@$( $_.Name )" $cmd
}

Now is the time whre someone else writes your sed command--I'm not

that skilled at those. You'll may want to make a loop for each user,

or you might for example just search for all lines which contain a

certain group (e.g. wheel) and enable shell on those.

-hal

My signature used to be pretty, but then the forum software broked it. vExpert. Microsoft MVP (Windows PowerShell). Author, Podcaster, Speaker. I'm @halr9000
0 Kudos
admin
Immortal
Immortal

Looks like something we left out. Can you try this as a temporary measure:

function Create-ShellUser {
 param($id, $password=$null, $description=$null, $posixId=$null)

 $si = get-view serviceinstance
 $accountManager = get-view $si.Content.AccountManager
 $as = new-object VMware.Vim.HostPosixAccountSpec
 $as.id = $id
 $as.password = $password
 $as.description = $description
 $as.shellAccess = $true
 $as.posixId = $posixId
 $accountManager.CreateUser($as)
}

Sample usage: create-shelluser -id rewt -password pass

Note that you need to connect directly to ESX to make this work, it seems to be a quirk of the underlying API.

0 Kudos
wharlie
Contributor
Contributor

Thanks guys, works perfectly.

For the assistance of others I have attached my full script to create a user account on all ESX hosts in the datacenter.

Just replace your VC IP in the script.

Cheers

0 Kudos