VMware Cloud Community
mbabu1
Enthusiast

Add multiple privileges fao LucD - Help

Hi LucD,

I hope you're well. I have found the following script and wish to replace the 'Datastore.Browse' privilege with the following:

Root>Authorisation>ModifyPermissions

Root>Host>Config> SystemManagement

Root>Host>Local> ManageUserGroups

Root>System>All

Do I add a line for each of the above, or is there an easier way? Please advise and feel free to edit your script :)

$newUser = "newuser1"
$newPassword = "Password123"
$roleName = "test_role"

Import-Csv "C:\Temp\Mo\hosts.csv" | %{
    $srv = Connect-VIServer -Server $_.Hostname -User 'root' -Password 'rootpassword'
    # Look up the single privilege the role will contain
    $priv = Get-VIPrivilege -Server $srv | where {$_.Id -eq "Datastore.Browse"}
    # Create the role only when it does not exist yet on this host
    $role = Get-VIRole -Name $roleName -Server $srv -ErrorAction SilentlyContinue
    if(!$role){
        $role = New-VIRole -Name $roleName -Privilege $priv -Server $srv -Confirm:$false
    }
    # Update the password of an existing local account, or create the account
    $account = Get-VMHostAccount -Id $newUser -Server $srv -ErrorAction SilentlyContinue
    if($account){
        Set-VMHostAccount -UserAccount $account -Password $newPassword
    }
    else{
        New-VMHostAccount -Id $newUser -Password $newPassword -GrantShellAccess:$true `
            -AssignGroups 'root' -Description 'Test user creation' -UserAccount -Server $srv
    }
    # Grant the role on the host root folder; update the permission if one already exists
    $folder = Get-Folder -Name "ha-folder-root" -Server $srv
    $perm = Get-VIPermission -Entity $folder -Principal $newUser -Server $srv -ErrorAction SilentlyContinue
    if(!$perm){
        New-VIPermission -Entity $folder -Principal $newUser -Role $role -Server $srv -Propagate $true -Confirm:$false
    }
    else{
        Set-VIPermission -Permission $perm -Role $role -Propagate $true
    }
    Disconnect-VIServer -Server $srv -Confirm:$false
}

36 Replies
LucD
Leadership

Try something like this

Connect-VIServer -Server $vcenter -Credential $AdminCredential | Out-Null

Get-VMHost -PipelineVariable esx |
ForEach-Object -Process {
    $accessMgr = Get-View -Id $esx.ExtensionData.ConfigManager.hostAccessManager
    if ($accessMgr.LockdownMode -in [VMware.Vim.HostLockdownMode]::lockdownNormal,[VMware.Vim.HostLockdownMode]::lockdownStrict) {
        $accessMgr.ChangeLockdownMode([VMware.Vim.HostLockdownMode]::lockdownDisabled)
    }
}

Disconnect-VIServer -Server $vcenter -Force -confirm:$false


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

mbabu1
Enthusiast

Thanks LucD,

Please can you narrow this down to cluster level? For example, enter details like vcenter = VCSA01, Cluster = Clus01, Username = admin@local, password = Password01.

Thanks in Advance

Mo

LucD
Leadership

Change

Get-VMHost -PipelineVariable esx |

to

Get-Cluster -Name Clus01 | Get-VMHost -PipelineVariable esx |


mbabu1
Enthusiast

Thanks LucD,

Sorry, where do I put the vCenter, username and password details? Still learning to script... apologies.

Thanks

Mo

LucD
Leadership

Like this

$vcenter = 'VCSA01'
$Cluster= 'Clus01'
$Username = 'admin@local'
$password = 'Password01'

$AdminCredential = New-Object System.Management.Automation.PSCredential -ArgumentList $Username, (ConvertTo-SecureString -String $password -AsPlainText -Force)

Connect-VIServer -Server $vcenter -Credential $AdminCredential | Out-Null

Get-Cluster -Name $Cluster | Get-VMHost -PipelineVariable esx |
ForEach-Object -Process {
    $accessMgr = Get-View -Id $esx.ExtensionData.ConfigManager.hostAccessManager
    if ($accessMgr.LockdownMode -in [VMware.Vim.HostLockdownMode]::lockdownNormal,[VMware.Vim.HostLockdownMode]::lockdownStrict) {
        $accessMgr.ChangeLockdownMode([VMware.Vim.HostLockdownMode]::lockdownDisabled)
    }
}

Disconnect-VIServer -Server $vcenter -Force -confirm:$false
mbabu1
Enthusiast

Thanks LucD....GENIUS..!

That works perfectly, disabled the hosts within the cluster. What do I need to change to enable lockdown (Normal)?

Thanks in advance

Mo

LucD
Leadership

Change

    if ($accessMgr.LockdownMode -in [VMware.Vim.HostLockdownMode]::lockdownNormal,[VMware.Vim.HostLockdownMode]::lockdownStrict) {
        $accessMgr.ChangeLockdownMode([VMware.Vim.HostLockdownMode]::lockdownDisabled)
    }

to

    if ($accessMgr.LockdownMode -eq [VMware.Vim.HostLockdownMode]::lockdownDisabled) {
        $accessMgr.ChangeLockdownMode([VMware.Vim.HostLockdownMode]::lockdownNormal)
    }


mbabu1
Enthusiast

Works like a dreammmmmmmm....!!!!

Thank you for all your help and answering all my queries.

One last question, some of our environments require the domainname\username, e.g. (Prod\testuser01). The script returns an error 'user name or password has an invalid format'. But I can manually add the user with the domain in front successfully.

Is a parameter/variable required in the script to allow this?

Thanks

Mo

LucD
Leadership

The error seems to indicate the provided password does not meet the complexity requirements.
I don't see anything about an invalid format.

The format "domain\user" is correct.
You can also try passing "user@domain", that should work as well.


mbabu1
Enthusiast

Thanks LucD,

I have used a complex password and tried '\' and '@' and get the attached error.

Create User
Key: haTask-ha-folder-root-vim.host.LocalAccountManager.createUser-3465424481
Description: Creates a local user account
Folder:
State: Failed - A specified parameter was not correct: id
Errors

Please advise.

Thanks in Advance.

Mo

LucD
Leadership

Are you switching back to this thread?
My last reply is in the other thread.


mbabu1
Enthusiast

Hi LucD,

Quick question: is there a way to edit the script to add a user via right-click Manage host > select Permission, add the user domain\username and map it to the role created earlier?

Pics attached for your reference.

Thanks in advance.

LucD
Leadership

Isn't that what the New-VIPermission cmdlet is doing?


mbabu1
Enthusiast

Thanks LucD,

The requirement for one of the environments is to add domain\username as per the attachment, and I have done this manually via right-click Manage ---> Permissions... Add user and select the role. So I'd like to amend the script to do this.

If I try to add a domain\username via Security & Users --> Users --> Add user, I get the error 'Invalid characters found in user name. Please use only alpha-numeric characters.' As discussed previously.

I hope that helps.

Please advise thanks

Many Thanks

LucD
Leadership

Adding Permissions is not the same as adding a user account.

For permissions use the New-VIPermission cmdlet, for adding a user, while connected to an ESXi node, use the New-VMHostAccount cmdlet. This adds a new account on the ESXi node.
The latter only creates local accounts, not AD accounts.


mbabu1
Enthusiast

Thanks LucD,

What do I need to do to achieve the following in the script:

The requirement for one of the environments is to add domain\username as per the attachment, and I have done this manually via right-click Manage ---> Permissions... Add user and select the role. So I'd like to amend the script to do this.

Thanks

LucD
Leadership

Not sure what more I can tell you.

Use the New-VIPermission cmdlet, on the Principal parameter, use the domain/user notation.
The snippet I gave earlier already contains such a New-VIPermission line.


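As an added example (not LucD's or the original poster's code) that covers the two points raised in this thread: building the role from several privileges in one query instead of one Get-VIPrivilege line per privilege, and granting that role to a domain\user principal with New-VIPermission. It assumes the same hosts.csv layout as the original script; the privilege Ids (Authorization.ModifyPermissions, Host.Config.SystemManagement, Host.Local.ManageUserGroups, and System.* for Root>System>All) are my mapping of the UI paths in the question and should be verified with Get-VIPrivilege on the target host.

```powershell
# Added example, not LucD's or the original poster's code. Assumes hosts.csv has a Hostname
# column (as in the original script) and that the privilege Ids below match the UI paths
# from the question; verify them with Get-VIPrivilege on the target host.
$roleName  = 'test_role'
$principal = 'Prod\testuser01'   # domain\user principal, as raised later in the thread
$hostCred  = Get-Credential -Message 'ESXi root credential'   # no plaintext password in the script

# Root>Authorisation>ModifyPermissions, Root>Host>Config>SystemManagement, Root>Host>Local>ManageUserGroups
$privIds   = 'Authorization.ModifyPermissions', 'Host.Config.SystemManagement', 'Host.Local.ManageUserGroups'
$privGroup = 'System.*'           # Root>System>All: every privilege in the System group

Import-Csv 'C:\Temp\Mo\hosts.csv' | ForEach-Object {
    $hostName = $_.Hostname
    $srv = Connect-VIServer -Server $hostName -Credential $hostCred

    # One privilege query per host; filter for the listed Ids plus the whole group in a single pass
    $allPrivs = Get-VIPrivilege -Server $srv
    $privs = @($allPrivs | Where-Object { $_.Id -in $privIds -or $_.Id -like $privGroup })

    # Check: an Id this host does not know would otherwise be dropped silently, leaving a weaker role
    $missing = @($privIds | Where-Object { $_ -notin $allPrivs.Id })
    if ($missing.Count) { Write-Warning "${hostName}: unknown privilege(s): $($missing -join ', ')" }

    $role = Get-VIRole -Name $roleName -Server $srv -ErrorAction SilentlyContinue
    if (-not $role) {
        $role = New-VIRole -Name $roleName -Privilege $privs -Server $srv -Confirm:$false
    } else {
        # Role already exists: add only what it lacks, so reruns are idempotent and changes are explicit
        $have  = @(Get-VIPrivilege -Role $role -Server $srv).Id
        $toAdd = @($privs | Where-Object { $_.Id -notin $have })
        if ($toAdd.Count) { Set-VIRole -Role $role -AddPrivilege $toAdd -Server $srv -Confirm:$false | Out-Null }
    }

    # Permission on the host root folder for the domain\user principal; create or update, never duplicate
    $folder = Get-Folder -Name 'ha-folder-root' -Server $srv
    $perm = Get-VIPermission -Entity $folder -Principal $principal -Server $srv -ErrorAction SilentlyContinue
    if (-not $perm) {
        New-VIPermission -Entity $folder -Principal $principal -Role $role -Propagate $true -Server $srv -Confirm:$false | Out-Null
    } elseif ($perm.Role -ne $role.Name) {
        Set-VIPermission -Permission $perm -Role $role -Propagate $true -Confirm:$false | Out-Null
    }

    Disconnect-VIServer -Server $srv -Confirm:$false
}
```

The warning on unknown Ids is the check worth keeping: without it a typo in the list produces a role that is missing a privilege and nothing in the run tells you.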