Hi LucD,
I hope you're well. I have found the following script and wish to replace the 'datastore.browse' privilege with the following:
Root>Authorisation>ModifyPermissions
Root>Host>Config>SystemManagement
Root>Host>Local>ManageUserGroups
Root>System>All
Do I add a line for each of the above, or is there an easier way? Please advise and feel free to edit your script 🙂
$newUser = "newuser1"
$newPassword = "Password123"
$roleName = "test_role"
Import-Csv "C:\Temp\Mo\hosts.csv" | %{
$srv = Connect-VIServer -Server $_.Hostname -User 'root' -Password 'rootpassword'
$priv = Get-VIPrivilege -Server $srv | where {$_.Id -eq "Datastore.Browse"}
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if(!$role){
$role = New-VIRole -Name $roleName -Privilege $priv -Server $srv -Confirm:$false
}
$account = Get-VMHostAccount -Id $newUser -ErrorAction SilentlyContinue
if($account){
Set-VMHostAccount -UserAccount $account -Password $newPassword
}
else{
New-VMHostAccount -Id $newUser -Password $newPassword -GrantShellAccess:$true `
-AssignGroups 'root' -Description 'Test user creation' -UserAccount -Server $srv
}
$folder = Get-Folder -Name "ha-folder-root" -Server $srv
$perm = Get-VIPermission -Entity $folder -Principal $newUser -ErrorAction SilentlyContinue
if(!$perm){
New-VIPermission -Entity $folder -Principal $newUser -Role $role -Server $srv -Propagate $true -Confirm:$false
}
else{
Set-VIPermission -Permission $perm -Role $role -Propagate $true
}
Disconnect-VIServer -Server $srv -Confirm:$false
}
Like this
$vcenter = 'VCSA01'
$Cluster= 'Clus01'
$Username = 'admin@local'
$password = 'Password01'
$AdminCredential = New-Object System.Management.Automation.PSCredential -ArgumentList $Username, (ConvertTo-SecureString -String $password -AsPlainText -Force)
Connect-VIServer -Server $vcenter -Credential $AdminCredential | Out-Null
Get-Cluster -Name $Cluster | Get-VMHost -PipelineVariable esx |
ForEach-Object -Process {
$accessMgr = Get-View -Id $esx.ExtensionData.ConfigManager.hostAccessManager
if ($accessMgr.LockdownMode -in [VMware.Vim.HostLockdownMode]::lockdownNormal,[VMware.Vim.HostLockdownMode]::lockdownStrict) {
$accessMgr.ChangeLockdownMode([VMware.Vim.HostLockdownMode]::lockdownDisabled)
}
}
Disconnect-VIServer -Server $vcenter -Force -confirm:$false
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Change
if ($accessMgr.LockdownMode -in [VMware.Vim.HostLockdownMode]::lockdownNormal,[VMware.Vim.HostLockdownMode]::lockdownStrict) {
$accessMgr.ChangeLockdownMode([VMware.Vim.HostLockdownMode]::lockdownDisabled)
}
to
if ($accessMgr.LockdownMode -eq [VMware.Vim.HostLockdownMode]::lockdownDisabled) {
$accessMgr.ChangeLockdownMode([VMware.Vim.HostLockdownMode]::lockdownNormal)
}
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
In addition to the above, the 'newuser1' needs to be added to the Exception users under lockdown mode. Thanks
Try something like this
$newUser = "newuser1"
$newPassword = "Password123"
$roleName = "test_role"
$privileges = 'Authorization.ModifyPermissions', 'Host.Config.SystemManagement', 'Host.Local.ManageUserGroups'
Import-Csv "C:\Temp\Mo\hosts.csv" | ForEach-Object {
$srv = Connect-VIServer -Server $_.Hostname -User 'root' -Password 'rootpassword'
$priv = Get-VIPrivilege | Where-Object { $_.Id -in $privileges}
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (!$role) {
$role = New-VIRole -Name $roleName -Privilege $priv -Server $srv -Confirm:$false
}
$account = Get-VMHostAccount -Id $newUser -ErrorAction SilentlyContinue
if ($account) {
Set-VMHostAccount -UserAccount $account -Password $newPassword
} else {
New-VMHostAccount -Id $newUser -Password $newPassword -GrantShellAccess:$true `
-AssignGroups 'root' -Description 'Test user creation' -UserAccount -Server $srv
}
$folder = Get-Folder -Name "ha-folder-root" -Server $srv
$perm = Get-VIPermission -Entity $folder -Principal $newUser -ErrorAction SilentlyContinue
if (!$perm) {
New-VIPermission -Entity $folder -Principal $newUser -Role $role -Server $srv -Propagate $true -Confirm:$false
} else {
Set-VIPermission -Permission $perm -Role $role -Propagate $true
}
# Add user to lockdown exceptions
$esx = Get-VMHost
$accessMgr = Get-View $esx.ExtensionData.ConfigManager.HostAccessManager
$accessMgr.UpdateLockdownExceptions($account)
Disconnect-VIServer -Server $srv -Confirm:$false
}
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
That first error seems to indicate you have multiple open connections.
Check what is $global:defaultVIServers.
Then there are a number of other errors.
- your current ESXi version does not support LocalGroups anymore
- again some errors indicating you have a VCSA connection open
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
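The "multiple connections" error above comes from PowerCLI's default `Multiple` server mode: every cmdlet that is not given `-Server` runs against every entry in `$global:DefaultVIServers`, so a forgotten vCenter session silently joins a loop meant for single ESXi hosts. The following is an added example (not code from the thread) that lists the open sessions, clears them, and then runs a read-only pre-flight pass over the hosts in the CSV with every call pinned to the host connection; the CSV path and the `root` credential prompt are assumed from the thread, and the role name `testing` is assumed.

```powershell
# Added example, not from the thread: inspect and clear stale PowerCLI sessions, then
# audit each ESXi host over its own connection before any change is made.
$roleName = 'testing'   # assumed role name

function Get-OpenVISession {
    # $global:DefaultVIServers holds every live connection. In PowerCLI's default
    # 'Multiple' mode a cmdlet without -Server runs against ALL of them.
    foreach ($s in @($global:DefaultVIServers)) {
        [pscustomobject]@{
            Name        = $s.Name
            User        = $s.User
            ProductLine = $s.ProductLine    # 'vpx' = vCenter, 'embeddedEsx' = ESXi
            IsConnected = $s.IsConnected
        }
    }
}

Get-OpenVISession | Format-Table -AutoSize
if ($global:DefaultVIServers) {
    # Start the loop from a clean slate
    Disconnect-VIServer -Server * -Force -Confirm:$false
}

# Prompt for the root password rather than embedding it in the script file
$rootCred = Get-Credential -UserName 'root' -Message 'ESXi root password'

Import-Csv 'C:\Temp\Mo\hosts.csv' | ForEach-Object {
    $srv = Connect-VIServer -Server $_.Hostname -Credential $rootCred -ErrorAction Stop
    try {
        if ($srv.ProductLine -ne 'embeddedEsx') {
            throw "$($srv.Name) is not an ESXi host; refusing to manage local accounts through it"
        }
        # On a direct ESXi connection this returns exactly one host
        $esx       = Get-VMHost -Server $srv
        $accessMgr = Get-View -Id $esx.ExtensionData.ConfigManager.HostAccessManager -Server $srv

        # Read-only snapshot of what the change script is about to touch
        [pscustomobject]@{
            Host          = $esx.Name
            LockdownMode  = $accessMgr.LockdownMode
            Exceptions    = (@($accessMgr.QueryLockdownExceptions()) -join ',')
            LocalAccounts = ((Get-VMHostAccount -User -Server $srv).Id -join ',')
            RoleExists    = [bool](Get-VIRole -Name $roleName -Server $srv -ErrorAction SilentlyContinue)
        }
    }
    finally {
        # Disconnect even on error so the next iteration does not inherit this session
        Disconnect-VIServer -Server $srv -Confirm:$false
    }
}
```

Running this first tells you which hosts are already in lockdown (where a direct `root` login will be refused) and which already carry exception users, which matters because `UpdateLockdownExceptions` replaces the whole list rather than appending to it.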
I think the error is very clear, the LocalGroup option is not supported anymore.
That script will not work in your environment.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Thanks LucD,
Is there a script in your arsenal that will work in my environment? Please share and I can test.
Thanks in advance
Many Thanks
Mo
Hi LucD,
I have managed to edit the script as follows and got it working, but the following is not working:
1. Adding to exception user list is not working
2. Disable the lockdown mode, add the user and enable it again. (disable and enable commands missing)
$newUser = "testuser"
$newPassword = "Password123"
$roleName = "testing"
$privileges = 'Authorization.ModifyPermissions', 'Host.Config.SystemManagement', 'Host.Local.ManageUserGroups'
Import-Csv "C:\Temp\Mo\hosts.csv" | ForEach-Object {
$srv = Connect-VIServer -Server $_.Hostname -User 'root' -Password 'Password1234'
$priv = Get-VIPrivilege | Where-Object { $_.Id -in $privileges}
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (!$role) {
$role = New-VIRole -Name $roleName -Privilege $priv -Server $srv -Confirm:$false
}
$account = Get-VMHostAccount -Id $newUser -ErrorAction SilentlyContinue
if ($account) {
Set-VMHostAccount -UserAccount $account -Password $newPassword
} else {
New-VMHostAccount -Id $newUser -Password $newPassword -GrantShellAccess:$true `
-AssignGroups 'root' -Description 'Test user creation' -UserAccount -Server $srv
}
$folder = Get-Folder -Name "root" -Server $srv
$perm = Get-VIPermission -Entity $folder -Principal $newUser -ErrorAction SilentlyContinue
if (!$perm) {
New-VIPermission -Entity $folder -Principal $newUser -Role $role -Server $srv -Propagate $true -Confirm:$false
} else {
Set-VIPermission -Permission $perm -Role $role -Propagate $true
}
# Add user to lockdown exceptions
$esx = Get-VMHost
$accessMgr = Get-View $esx.ExtensionData.ConfigManager.HostAccessManager
$accessMgr.UpdateLockdownExceptions($account)
Disconnect-VIServer -Server $srv -Confirm:$false
}
Please can you do your magic 🙂
Have a look at Re: Having issues with adding a user to the except... - VMware Technology Network VMTN
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Try something like this
$newUser = "testuser"
$newPassword = "VMware1!"
$roleName = "testing"
$privileges = 'Authorization.ModifyPermissions', 'Host.Config.SystemManagement', 'Host.Local.ManageUserGroups'
Import-Csv "C:\Temp\Mo\hosts.csv" |
ForEach-Object -Process {
$srv = Connect-VIServer -Server $_.Hostname -User 'root' -Password 'Welcome2022!'
$priv = Get-VIPrivilege | Where-Object { $_.Id -in $privileges }
# If Role exists assign new privileges, else create Role
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if($role){
$role = Set-VIRole -Role $role -AddPrivilege $priv -Confirm:$false
}
else{
$role = New-VIRole -Name $roleName -Privilege $priv -Server $srv -Confirm:$false
}
# If Account exists set new password, else create Account
$account = Get-VMHostAccount -Id $newUser -ErrorAction SilentlyContinue
if ($account) {
$account = Set-VMHostAccount -UserAccount $account -Password $newPassword
} else {
$account = New-VMHostAccount -Id $newUser -Password $newPassword -GrantShellAccess:$true `
-Description 'Test user creation' -UserAccount -Server $srv
}
# If Permission exists set new Role, else create Permission
$folder = Get-Folder -Name "root" -Server $srv
$perm = Get-VIPermission -Entity $folder -Principal $newUser -ErrorAction SilentlyContinue
if (!$perm) {
$perm = New-VIPermission -Entity $folder -Principal $newUser -Role $role -Server $srv -Propagate $true -Confirm:$false
} else {
$perm = Set-VIPermission -Permission $perm -Role $role -Propagate $true
}
# Add user to lockdown exceptions
$esx = Get-VMHost
$accessMgr = Get-View $esx.ExtensionData.ConfigManager.HostAccessManager
$oldLockDownMode = $accessMgr.LockdownMode
if ($oldLockDownMode -ne [VMware.Vim.HostLockdownMode]::lockdownDisabled){
$accessMgr.ChangeLockdownMode([VMware.Vim.HostLockdownMode]::lockdownDisabled)
}
$accessMgr.UpdateLockdownExceptions($account)
if ($oldLockDownMode -ne [VMware.Vim.HostLockdownMode]::lockdownDisabled) {
$accessMgr.ChangeLockdownMode($oldLockDownMode)
}
Disconnect-VIServer -Server $srv -Confirm:$false
}
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Hi LucD,
Thank you for the above, the script creates the role with the correct permissions but fails to create the user and add the user to the exception users list in lockdown mode.
See attached errors for your reference.
Please advise and let me know if I am doing something wrong.
Thanks in advance.
The account creation still tries to assign a group, that is not supported anymore.
That is what the error is saying, I don't see anything related to an exception list
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Hi LucD,
It's strange we don't see an error for not adding to the exceptions list. When we try the attached script, it creates the user and adds it to the exception list, but doesn't create the role. Can we use the commands for adding to the exceptions list from the attached and add it to the above script you have created? Then we can test if it works.
You can do whatever you want, even ask Wouter.
For me the snippet creates the Role, not sure why it wouldn't work for you.
At least there should be an error message if something goes wrong.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Hi LucD,
Apologies, I was making a silly mistake when editing the script. As always all works like a dream...you Da Genius.
If I want to add two users at the same time (testuser1 and testuser2), can I do this in the same script, or do I need to run the script twice, changing the newuser field? And I assume I will have to add the below somewhere in the above script as well.
$HostAccess = Get-View -Id $vmhost.ExtensionData.ConfigManager.HostAccessManager
$currentUsers = $HostAccess.QueryLockdownExceptions()
$newUsers = $currentUsers + $username
$HostAccess.UpdateLockdownExceptions($newUsers)
You could do something like this
$newUsers = "testuser1", "testuser2"
$newPassword = "VMware1!"
$roleName = "testing"
$privileges = 'Authorization.ModifyPermissions', 'Host.Config.SystemManagement', 'Host.Local.ManageUserGroups'
Import-Csv "C:\Temp\Mo\hosts.csv" |
ForEach-Object -Process {
$srv = Connect-VIServer -Server $_.Hostname -User 'root' -Password 'Welcome2022!'
$priv = Get-VIPrivilege | Where-Object { $_.Id -in $privileges }
# If Role exists assign new privileges, else create Role
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if ($role) {
$role = Set-VIRole -Role $role -AddPrivilege $priv -Confirm:$false
} else {
$role = New-VIRole -Name $roleName -Privilege $priv -Server $srv -Confirm:$false
}
$accounts = @()
$newUsers | ForEach-Object -Process {
# If Account exists set new password, else create Account
$account = Get-VMHostAccount -Id $_ -ErrorAction SilentlyContinue
if ($account) {
$account = Set-VMHostAccount -UserAccount $account -Password $newPassword
} else {
$account = New-VMHostAccount -Id $_ -Password $newPassword -GrantShellAccess:$true `
-Description 'Test user creation' -UserAccount -Server $srv
}
$accounts += $account
# If Permission exists set new Role, else create Permission
$folder = Get-Folder -Name "root" -Server $srv
$perm = Get-VIPermission -Entity $folder -Principal $_ -ErrorAction SilentlyContinue
if (!$perm) {
$perm = New-VIPermission -Entity $folder -Principal $_ -Role $role -Server $srv -Propagate $true -Confirm:$false
} else {
$perm = Set-VIPermission -Permission $perm -Role $role -Propagate $true
}
}
# Add users to lockdown exceptions
$esx = Get-VMHost
$accessMgr = Get-View $esx.ExtensionData.ConfigManager.HostAccessManager
$oldLockDownMode = $accessMgr.LockdownMode
if ($oldLockDownMode -ne [VMware.Vim.HostLockdownMode]::lockdownDisabled) {
$accessMgr.ChangeLockdownMode([VMware.Vim.HostLockdownMode]::lockdownDisabled)
}
$accessMgr.UpdateLockdownExceptions($accounts)
if ($oldLockDownMode -ne [VMware.Vim.HostLockdownMode]::lockdownDisabled) {
$accessMgr.ChangeLockdownMode($oldLockDownMode)
}
Disconnect-VIServer -Server $srv -Confirm:$false
}
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Hi LucD,
Perfect, the above works perfectly. I have found the cluster has all the hosts in lockdown mode (Normal) and I need to manually disable the lockdown mode for the script to access the host and run accordingly.
Is there any way of adding in the script to disable lockdown mode, run the script and enable lockdown mode at the end? I assume you will need to access the vCenter. Happy to add in the vCenter name.
Please advise.
Many Thanks
Not while you are connected to the ESXi node itself.
When you have all these ESXi nodes connected to a vCenter, you could probably automate it from there.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
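Putting LucD's advice into practice: lockdown mode has to be lifted from the vCenter side (vCenter's own `vpxuser` is always admitted, while a direct `root` login is refused once the host is in lockdown), the local accounts, role and permission still have to be created over a direct session to the host, and the exception list should be merged with what is already there, as in Mo's `QueryLockdownExceptions` snippet, rather than overwritten. The script below is an added example, not code from the thread; it assumes the names `VCSA01`, `Clus01`, `testuser1`/`testuser2`, role `testing` and the folder name `root` used earlier in the thread, and prompts for all passwords instead of hard-coding them. The `try`/`finally` is the important part: if anything fails after lockdown is disabled, the host is still put back into its original mode.

```powershell
# Added example, not from the thread. Assumed names: VCSA01, Clus01, testuser1/testuser2,
# role 'testing'. The hosts must be managed by the vCenter you connect to.
$vcenter     = 'VCSA01'
$clusterName = 'Clus01'
$newUsers    = 'testuser1', 'testuser2'
$roleName    = 'testing'
$privileges  = 'Authorization.ModifyPermissions', 'Host.Config.SystemManagement', 'Host.Local.ManageUserGroups'

# Prompt instead of embedding passwords in the script file
$vcCred      = Get-Credential -Message 'vCenter administrator'
$rootCred    = Get-Credential -UserName 'root' -Message 'ESXi root'
$newPassword = Read-Host -Prompt 'Password for the new local users'

$vc = Connect-VIServer -Server $vcenter -Credential $vcCred -ErrorAction Stop

Get-Cluster -Name $clusterName -Server $vc | Get-VMHost -Server $vc | ForEach-Object {
    $esx = $_
    # Lockdown is managed through vCenter; this works even while the host refuses
    # direct root logins.
    $accessMgr = Get-View -Id $esx.ExtensionData.ConfigManager.HostAccessManager -Server $vc
    $oldMode   = $accessMgr.LockdownMode
    $disabled  = [VMware.Vim.HostLockdownMode]::lockdownDisabled
    Write-Host "$($esx.Name): lockdown mode is $oldMode"

    try {
        if ($oldMode -ne $disabled) {
            $accessMgr.ChangeLockdownMode($disabled)
        }

        # Local accounts, roles and permissions live on the host, so that part runs
        # over a direct root session.
        $srv = Connect-VIServer -Server $esx.Name -Credential $rootCred -ErrorAction Stop
        try {
            $priv = Get-VIPrivilege -Server $srv | Where-Object { $_.Id -in $privileges }
            $role = Get-VIRole -Name $roleName -Server $srv -ErrorAction SilentlyContinue
            if ($role) { $role = Set-VIRole -Role $role -AddPrivilege $priv -Confirm:$false }
            else       { $role = New-VIRole -Name $roleName -Privilege $priv -Server $srv -Confirm:$false }

            $root = Get-Folder -Name 'root' -Server $srv
            foreach ($u in $newUsers) {
                $account = Get-VMHostAccount -Id $u -Server $srv -ErrorAction SilentlyContinue
                if ($account) {
                    Set-VMHostAccount -UserAccount $account -Password $newPassword | Out-Null
                } else {
                    # No -AssignGroups: local groups are not supported on current ESXi
                    New-VMHostAccount -Id $u -Password $newPassword -GrantShellAccess:$true `
                        -Description 'Local admin user' -UserAccount -Server $srv | Out-Null
                }
                $perm = Get-VIPermission -Entity $root -Principal $u -Server $srv -ErrorAction SilentlyContinue
                if ($perm) { Set-VIPermission -Permission $perm -Role $role -Propagate $true | Out-Null }
                else       { New-VIPermission -Entity $root -Principal $u -Role $role -Propagate $true -Server $srv -Confirm:$false | Out-Null }
            }
        }
        finally {
            Disconnect-VIServer -Server $srv -Confirm:$false
        }

        # UpdateLockdownExceptions REPLACES the list, so merge with what is already there
        $current = @($accessMgr.QueryLockdownExceptions())
        $merged  = @($current + $newUsers | Sort-Object -Unique)
        $accessMgr.UpdateLockdownExceptions($merged)

        # Check the result before lockdown goes back on
        $after   = @($accessMgr.QueryLockdownExceptions())
        $missing = @($newUsers | Where-Object { $_ -notin $after })
        if ($missing) { Write-Warning "$($esx.Name): not in exception list: $($missing -join ', ')" }
    }
    finally {
        # Always restore the original mode, even if something above threw
        if ($oldMode -ne $disabled) {
            $accessMgr.ChangeLockdownMode($oldMode)
        }
    }
}

Disconnect-VIServer -Server $vc -Confirm:$false
```

Two points worth keeping in mind when adapting this: exception users bypass lockdown entirely, so the list should stay short and be reviewed, and because the host is briefly out of lockdown while the direct session runs, the script should be executed from a trusted management workstation rather than left in a scheduled task with stored credentials.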
Thanks LucD,
Is there a separate small script available I can run to disable/enable the lockdown mode in the environment using the vCenter?
Thanks in advance.
Mo