VMware Cloud Community
mbabu1
Enthusiast

Add multiple privileges fao LucD - Help

Hi LucD,

I hope you're well. I have found the following script and wish to replace the 'datastore.browse' privilege with the following:

Root>Authorisation>ModifyPermissions

Root>Host>Config> SystemManagement

Root>Host>Local> ManageUserGroups

Root>System>All

Do I add a line for each of the above, or is there an easier way? Please advise and feel free to edit your script 🙂

$newUser = "newuser1"
$newPassword = "Password123"
$roleName = "test_role"

Import-Csv "C:\Temp\Mo\hosts.csv" | ForEach-Object {
    $srv = Connect-VIServer -Server $_.Hostname -User 'root' -Password 'rootpassword'
    $priv = Get-VIPrivilege -Server $srv | Where-Object { $_.Id -eq "Datastore.Browse" }
    $role = Get-VIRole -Name $roleName -Server $srv -ErrorAction SilentlyContinue
    if (!$role) {
        $role = New-VIRole -Name $roleName -Privilege $priv -Server $srv -Confirm:$false
    }
    $account = Get-VMHostAccount -Id $newUser -Server $srv -ErrorAction SilentlyContinue
    if ($account) {
        Set-VMHostAccount -UserAccount $account -Password $newPassword
    } else {
        New-VMHostAccount -Id $newUser -Password $newPassword -GrantShellAccess:$true `
            -AssignGroups 'root' -Description 'Test user creation' -UserAccount -Server $srv
    }
    $folder = Get-Folder -Name "ha-folder-root" -Server $srv
    $perm = Get-VIPermission -Entity $folder -Principal $newUser -ErrorAction SilentlyContinue
    if (!$perm) {
        New-VIPermission -Entity $folder -Principal $newUser -Role $role -Server $srv -Propagate $true -Confirm:$false
    } else {
        # -Propagate is a Boolean parameter and needs an explicit value
        Set-VIPermission -Permission $perm -Role $role -Propagate $true
    }
    Disconnect-VIServer -Server $srv -Confirm:$false
}


Accepted Solutions
LucD
Leadership

Like this

$vcenter = 'VCSA01'
$Cluster = 'Clus01'
$Username = 'admin@local'
$password = 'Password01'

$AdminCredential = New-Object System.Management.Automation.PSCredential -ArgumentList $Username, (ConvertTo-SecureString -String $password -AsPlainText -Force)

Connect-VIServer -Server $vcenter -Credential $AdminCredential | Out-Null

Get-Cluster -Name $Cluster | Get-VMHost -PipelineVariable esx |
ForEach-Object -Process {
    $accessMgr = Get-View -Id $esx.ExtensionData.ConfigManager.hostAccessManager
    if ($accessMgr.LockdownMode -in [VMware.Vim.HostLockdownMode]::lockdownNormal,[VMware.Vim.HostLockdownMode]::lockdownStrict) {
        $accessMgr.ChangeLockdownMode([VMware.Vim.HostLockdownMode]::lockdownDisabled)
    }
}

Disconnect-VIServer -Server $vcenter -Force -Confirm:$false




Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

LucD
Leadership

Change

    if ($accessMgr.LockdownMode -in [VMware.Vim.HostLockdownMode]::lockdownNormal,[VMware.Vim.HostLockdownMode]::lockdownStrict) {
        $accessMgr.ChangeLockdownMode([VMware.Vim.HostLockdownMode]::lockdownDisabled)
    }

to

    if ($accessMgr.LockdownMode -eq [VMware.Vim.HostLockdownMode]::lockdownDisabled) {
        $accessMgr.ChangeLockdownMode([VMware.Vim.HostLockdownMode]::lockdownNormal)
    }


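The two accepted snippets above switch lockdown off and back on as separate runs, and the second one sets lockdownNormal on every host that is currently disabled, which also enables lockdown on hosts that were never in lockdown and turns a lockdownStrict host into a Normal one. The following is an added example (my own code, not LucD's) that records each host's original mode and restores exactly that in a finally block, so a failure half-way through does not leave the cluster open. It assumes the same $vcenter and cluster name as the solution; the function name Invoke-WithLockdownDisabled and its -Action parameter are my own.

```powershell
# Added example (not from this thread): run a script block against every host in a
# cluster with lockdown temporarily disabled, then restore each host's own previous
# mode (Normal or Strict, or leave it disabled) even if the work throws.
# Function and parameter names are hypothetical; $vcenter/$Cluster follow the solution above.
function Invoke-WithLockdownDisabled {
    param(
        [Parameter(Mandatory)] [string]$Cluster,
        [Parameter(Mandatory)] [scriptblock]$Action   # receives the VMHost object
    )
    $hosts = Get-Cluster -Name $Cluster | Get-VMHost
    $originalMode = @{}   # host name -> HostLockdownMode before we touched it
    try {
        foreach ($esx in $hosts) {
            $accessMgr = Get-View -Id $esx.ExtensionData.ConfigManager.HostAccessManager
            $originalMode[$esx.Name] = $accessMgr.LockdownMode
            if ($accessMgr.LockdownMode -ne [VMware.Vim.HostLockdownMode]::lockdownDisabled) {
                $accessMgr.ChangeLockdownMode([VMware.Vim.HostLockdownMode]::lockdownDisabled)
            }
        }
        foreach ($esx in $hosts) { & $Action $esx }
    }
    finally {
        foreach ($esx in $hosts) {
            $accessMgr = Get-View -Id $esx.ExtensionData.ConfigManager.HostAccessManager
            $wanted = $originalMode[$esx.Name]
            # Only re-enable what was there: a host that was never in lockdown stays disabled,
            # and a Strict host goes back to Strict rather than Normal.
            if ($null -ne $wanted -and $accessMgr.LockdownMode -ne $wanted) {
                $accessMgr.ChangeLockdownMode($wanted)
            }
        }
    }
}

# Usage: connect to vCenter (prompting for the credential instead of embedding a
# password in the script), then run the per-host work. The script block here only
# reports the state; in practice it would connect to the host directly as root and
# run the account/role/permission script from this thread.
$vcenter = 'VCSA01'
Connect-VIServer -Server $vcenter -Credential (Get-Credential -Message "vCenter login for $vcenter") | Out-Null
try {
    Invoke-WithLockdownDisabled -Cluster 'Clus01' -Action {
        param($vmhost)
        $mode = (Get-View -Id $vmhost.ExtensionData.ConfigManager.HostAccessManager).LockdownMode
        "{0}: lockdown is now {1}" -f $vmhost.Name, $mode
    }
}
finally {
    Disconnect-VIServer -Server $vcenter -Force -Confirm:$false
}
```

The hashtable of original modes is the important part: it is what lets the script be re-run safely and what keeps a Strict host from silently being downgraded to Normal.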
36 Replies
mbabu1
Enthusiast

In addition to the above, the 'newuser1' needs to be added to the Exception users under lockdown mode. Thanks

LucD
Leadership

Try something like this

$newUser = "newuser1"
$newPassword = "Password123"
$roleName = "test_role"
$privileges = 'Authorization.ModifyPermissions', 'Host.Config.SystemManagement', 'Host.Local.ManageUserGroups'

Import-Csv "C:\Temp\Mo\hosts.csv" | ForEach-Object {
  $srv = Connect-VIServer -Server $_.Hostname -User 'root' -Password 'rootpassword'
  $priv = Get-VIPrivilege | Where-Object { $_.Id -in $privileges}
  $role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
  if (!$role) {
    $role = New-VIRole -Name $roleName -Privilege $priv -Server $srv -Confirm:$false
  }
  $account = Get-VMHostAccount -Id $newUser -ErrorAction SilentlyContinue
  if ($account) {
    Set-VMHostAccount -UserAccount $account -Password $newPassword
  } else {
    New-VMHostAccount -Id $newUser -Password $newPassword -GrantShellAccess:$true `
      -AssignGroups 'root' -Description 'Test user creation' -UserAccount -Server $srv
  }
  $folder = Get-Folder -Name "ha-folder-root" -Server $srv
  $perm = Get-VIPermission -Entity $folder -Principal $newUser -ErrorAction SilentlyContinue
  if (!$perm) {
    New-VIPermission -Entity $folder -Principal $newUser -Role $role -Server $srv -Propagate $true -Confirm:$false
  } else {
    Set-VIPermission -Permission $perm -Role $role -Propagate $true
  }

  # Add user to lockdown exceptions
  $esx = Get-VMHost
  $accessMgr = Get-View $esx.ExtensionData.ConfigManager.HostAccessManager
  $accessMgr.UpdateLockdownExceptions($account)

  Disconnect-VIServer -Server $srv -Confirm:$false
}


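One thing the `Where-Object { $_.Id -in $privileges }` filter above does not do is tell you when a privilege ID did not resolve: a misspelled ID, or one that this ESXi version does not offer, is simply dropped and the role is created with fewer privileges than intended. The original question also asked for 'Root>System>All', which is a whole group rather than one ID. The following is an added example (my own code, not LucD's) that resolves the list explicitly, supports a wildcard for a group, and refuses to build the role when anything is missing. It assumes an open ESXi connection in $srv; the privilege IDs are the ones from this thread plus System.*.

```powershell
# Added example (not from this thread): resolve privilege IDs explicitly and fail
# loudly on unknown ones instead of silently building a smaller role.
# Assumes $srv holds an open Connect-VIServer session to the ESXi host.
$wanted = 'Authorization.ModifyPermissions',
          'Host.Config.SystemManagement',
          'Host.Local.ManageUserGroups',
          'System.*'     # wildcard: every privilege in the System group

$all = Get-VIPrivilege -Server $srv

$missing = @()
$resolved = foreach ($id in $wanted) {
    $match = @($all | Where-Object { $_.Id -like $id })
    if ($match.Count -eq 0) {
        # An -in filter would just drop this ID; record it so the caller sees it.
        $missing += $id
    }
    $match
}

# Dedupe, since a wildcard can overlap an explicitly listed ID
$resolved = @($resolved | Sort-Object -Property Id -Unique)

"Resolved $($resolved.Count) privileges on $($srv.Name):"
$resolved | Select-Object -ExpandProperty Id

if ($missing) {
    Write-Warning "Not found on $($srv.Name): $($missing -join ', ') (check spelling or ESXi version)"
} else {
    # Only touch the role when every requested pattern resolved
    $role = Get-VIRole -Name 'testing' -Server $srv -ErrorAction SilentlyContinue
    if ($role) {
        Set-VIRole -Role $role -AddPrivilege $resolved -Confirm:$false
    } else {
        New-VIRole -Name 'testing' -Privilege $resolved -Server $srv -Confirm:$false
    }
}
```

Printing the resolved IDs before creating the role is also a cheap way to review what the role will actually grant, which matters when a wildcard is used.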
mbabu1
Enthusiast

Hi LucD,

Thank you for the above, I am getting the attached error. Please advise where I'm going wrong. I am testing this on one host atm.

Thanks

Mo

LucD
Leadership

That 1st error seems to indicate you have multiple open connections.
Check what is $global:defaultVIServers.

Then there are a number of other errors.
- your current ESXi version does not support LocalGroups anymore
- again some errors indicating you have a VCSA connection open


mbabu1
Enthusiast

Thanks LucD,

I have force disconnected the vcsa connections and re-run the script. 

Version of vCenter is 6.7 18485185

Host is VMware ESXi, 6.7.0, 16316930.

I now get the attached error.

Please advise. Thanks

LucD
Leadership

I think the error is very clear: the LocalGroup option is not supported anymore.
That script will not work in your environment.


mbabu1
Enthusiast

Thanks LucD,

Is there a script in your arsenal that will work in my environment? Please share and I can test.

Thanks in advance 

Many Thanks

Mo

mbabu1
Enthusiast

Hi LucD,

I have managed to edit the script as follows and got it working, but the following is not working:

1. Adding to exception user list is not working

2. Disable the lockdown mode, add the user and enable it again. (disable and enable commands missing)

$newUser = "testuser"
$newPassword = "Password123"
$roleName = "testing"
$privileges = 'Authorization.ModifyPermissions', 'Host.Config.SystemManagement', 'Host.Local.ManageUserGroups'

Import-Csv "C:\Temp\Mo\hosts.csv" | ForEach-Object {
    $srv = Connect-VIServer -Server $_.Hostname -User 'root' -Password 'Password1234'
    $priv = Get-VIPrivilege | Where-Object { $_.Id -in $privileges }
    $role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
    if (!$role) {
        $role = New-VIRole -Name $roleName -Privilege $priv -Server $srv -Confirm:$false
    }
    $account = Get-VMHostAccount -Id $newUser -ErrorAction SilentlyContinue
    if ($account) {
        Set-VMHostAccount -UserAccount $account -Password $newPassword
    } else {
        New-VMHostAccount -Id $newUser -Password $newPassword -GrantShellAccess:$true `
            -AssignGroups 'root' -Description 'Test user creation' -UserAccount -Server $srv
    }
    $folder = Get-Folder -Name "root" -Server $srv
    $perm = Get-VIPermission -Entity $folder -Principal $newUser -ErrorAction SilentlyContinue
    if (!$perm) {
        New-VIPermission -Entity $folder -Principal $newUser -Role $role -Server $srv -Propagate $true -Confirm:$false
    } else {
        # -Propagate is a Boolean parameter and needs an explicit value
        Set-VIPermission -Permission $perm -Role $role -Propagate $true
    }

    # Add user to lockdown exceptions
    $esx = Get-VMHost
    $accessMgr = Get-View $esx.ExtensionData.ConfigManager.HostAccessManager
    $accessMgr.UpdateLockdownExceptions($account)

    Disconnect-VIServer -Server $srv -Confirm:$false
}

Please can you do your magic 🙂

LucD
Leadership

Try something like this

$newUser = "testuser"
$newPassword = "VMware1!"
$roleName = "testing"
$privileges = 'Authorization.ModifyPermissions', 'Host.Config.SystemManagement', 'Host.Local.ManageUserGroups'

Import-Csv "C:\Temp\Mo\hosts.csv" |
ForEach-Object -Process {
  $srv = Connect-VIServer -Server $_.Hostname -User 'root' -Password 'Welcome2022!'
  $priv = Get-VIPrivilege | Where-Object { $_.Id -in $privileges }

  # If Role exists assign new privileges, else create Role
  $role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
  if($role){
    $role = Set-VIRole -Role $role -AddPrivilege $priv -Confirm:$false
  }
  else{
    $role = New-VIRole -Name $roleName -Privilege $priv -Server $srv -Confirm:$false
  }

  # If Account exists set new password, else create Account
  $account = Get-VMHostAccount -Id $newUser -ErrorAction SilentlyContinue
  if ($account) {
    $account = Set-VMHostAccount -UserAccount $account -Password $newPassword
  } else {
    $account = New-VMHostAccount -Id $newUser -Password $newPassword -GrantShellAccess:$true `
      -Description 'Test user creation' -UserAccount -Server $srv
  }

  # If Permission exists set new Role, else create Permission
  $folder = Get-Folder -Name "root" -Server $srv
  $perm = Get-VIPermission -Entity $folder -Principal $newUser -ErrorAction SilentlyContinue
  if (!$perm) {
    $perm = New-VIPermission -Entity $folder -Principal $newUser -Role $role -Server $srv -Propagate $true -Confirm:$false
  } else {
    $perm = Set-VIPermission -Permission $perm -Role $role -Propagate $true
  }

  # Add user to lockdown exceptions
  $esx = Get-VMHost
  $accessMgr = Get-View $esx.ExtensionData.ConfigManager.HostAccessManager

  $oldLockDownMode = $accessMgr.LockdownMode
  if ($oldLockDownMode -ne [VMware.Vim.HostLockdownMode]::lockdownDisabled){
    $accessMgr.ChangeLockdownMode([VMware.Vim.HostLockdownMode]::lockdownDisabled)
  }

  $accessMgr.UpdateLockdownExceptions($account)

  if ($oldLockDownMode -ne [VMware.Vim.HostLockdownMode]::lockdownDisabled) {
    $accessMgr.ChangeLockdownMode($oldLockDownMode)
  }

  Disconnect-VIServer -Server $srv -Confirm:$false
}

mbabu1
Enthusiast

Hi LucD,

Thank you for the above, the script creates the role with the correct permissions but fails to create the user and add the user to the exception users list in lockdown mode.

See attached errors for your reference.

Please advise and let me know if I am doing something wrong.

Thanks in advance.

LucD
Leadership

The account creation still tries to assign a group, that is not supported anymore.
That is what the error is saying. I don't see anything related to an exception list.


mbabu1
Enthusiast

Hi LucD,

It's strange we don't see an error for not adding to the exceptions list. When we try the attached script, it creates the user and adds it to the exception list, but doesn't create the role. Can we use the commands for adding to the exceptions list from the attached and add them to the above script you have created? Then we can test if it works.

LucD
Leadership

You can do whatever you want, even ask Wouter.

For me the snippet creates the Role, not sure why it wouldn't work for you.
At least there should be an error message if something goes wrong.


mbabu1
Enthusiast

Hi LucD,

Apologies, I was making a silly mistake when editing the script. As always all works like a dream...you Da Genius.

If I want to add two users at the same time (testuser1 and testuser2), can I do this in the same script, or do I need to run the script twice, changing the newuser field? And I assume I will have to add the below somewhere in the above script as well.

$HostAccess = Get-View -Id $vmhost.ExtensionData.ConfigManager.HostAccessManager
$currentUsers = $HostAccess.QueryLockdownExceptions()
$newUsers = $currentUsers + $username
$HostAccess.UpdateLockdownExceptions($newUsers)

LucD
Leadership

You could do something like this

$newUsers = "testuser1", "testuser2"
$newPassword = "VMware1!"
$roleName = "testing"
$privileges = 'Authorization.ModifyPermissions', 'Host.Config.SystemManagement', 'Host.Local.ManageUserGroups'

Import-Csv "C:\Temp\Mo\hosts.csv" |
    ForEach-Object -Process {
        $srv = Connect-VIServer -Server $_.Hostname -User 'root' -Password 'Welcome2022!'
        $priv = Get-VIPrivilege | Where-Object { $_.Id -in $privileges }

        # If Role exists assign new privileges, else create Role
        $role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
        if ($role) {
            $role = Set-VIRole -Role $role -AddPrivilege $priv -Confirm:$false
        } else {
            $role = New-VIRole -Name $roleName -Privilege $priv -Server $srv -Confirm:$false
        }

        $accounts = @()
        $newUsers | ForEach-Object -Process {
            # If Account exists set new password, else create Account
            $account = Get-VMHostAccount -Id $_ -ErrorAction SilentlyContinue
            if ($account) {
                $account = Set-VMHostAccount -UserAccount $account -Password $newPassword
            } else {
                $account = New-VMHostAccount -Id $_ -Password $newPassword -GrantShellAccess:$true `
                    -Description 'Test user creation' -UserAccount -Server $srv
            }
            $accounts += $account

            # If Permission exists set new Role, else create Permission
            $folder = Get-Folder -Name "root" -Server $srv
            $perm = Get-VIPermission -Entity $folder -Principal $_ -ErrorAction SilentlyContinue
            if (!$perm) {
                $perm = New-VIPermission -Entity $folder -Principal $_ -Role $role -Server $srv -Propagate $true -Confirm:$false
            } else {
                $perm = Set-VIPermission -Permission $perm -Role $role -Propagate $true
            }
        }

        # Add users to lockdown exceptions
        $esx = Get-VMHost
        $accessMgr = Get-View $esx.ExtensionData.ConfigManager.HostAccessManager

        $oldLockDownMode = $accessMgr.LockdownMode
        if ($oldLockDownMode -ne [VMware.Vim.HostLockdownMode]::lockdownDisabled) {
            $accessMgr.ChangeLockdownMode([VMware.Vim.HostLockdownMode]::lockdownDisabled)
        }

        $accessMgr.UpdateLockdownExceptions($accounts)

        if ($oldLockDownMode -ne [VMware.Vim.HostLockdownMode]::lockdownDisabled) {
            $accessMgr.ChangeLockdownMode($oldLockDownMode)
        }

        Disconnect-VIServer -Server $srv -Confirm:$false
    }


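A caveat worth knowing about the lockdown-exception step in the script above: UpdateLockdownExceptions replaces the whole exception list with whatever it is given, so calling it with only the new accounts silently drops any user that was already on the list (a monitoring or backup account, for instance). The snippet mbabu1 posted earlier, which reads QueryLockdownExceptions first, is the right shape. The following is an added example (my own code, not LucD's) that merges the two lists, wraps the change in try/finally so lockdown mode is restored even when the update throws, and verifies the result afterwards. It assumes a direct root connection to the host in $srv; the user names are constructed sample values.

```powershell
# Added example (not from this thread): safe replacement for the
# "Add users to lockdown exceptions" step of the script above.
# Assumes $srv is an open Connect-VIServer session to the ESXi host itself.
$newUsers = 'testuser1', 'testuser2'   # constructed sample; normally the Ids of $accounts

$esx = Get-VMHost -Server $srv
$accessMgr = Get-View -Id $esx.ExtensionData.ConfigManager.HostAccessManager -Server $srv

# UpdateLockdownExceptions replaces the whole list, so merge with what is already there
$current = @($accessMgr.QueryLockdownExceptions())
$merged  = @(($current + $newUsers) | Sort-Object -Unique)
"Exception users on {0} before: [{1}]  after: [{2}]" -f $esx.Name, ($current -join ','), ($merged -join ',')

$oldMode = $accessMgr.LockdownMode
try {
    if ($oldMode -ne [VMware.Vim.HostLockdownMode]::lockdownDisabled) {
        $accessMgr.ChangeLockdownMode([VMware.Vim.HostLockdownMode]::lockdownDisabled)
    }
    $accessMgr.UpdateLockdownExceptions($merged)
}
finally {
    # Re-read the view so the comparison uses the host's real current state
    $accessMgr.UpdateViewData()
    if ($oldMode -ne [VMware.Vim.HostLockdownMode]::lockdownDisabled -and
        $accessMgr.LockdownMode -ne $oldMode) {
        $accessMgr.ChangeLockdownMode($oldMode)
    }
}

# Verify: every requested user should now be reported by the host
$accessMgr.UpdateViewData()
$onHost  = @($accessMgr.QueryLockdownExceptions())
$missing = @($newUsers | Where-Object { $_ -notin $onHost })
if ($missing) {
    Write-Warning "Not in the exception list on $($esx.Name): $($missing -join ', ')"
} else {
    "All requested users are lockdown exceptions on $($esx.Name)"
}
```

The same merge-then-verify pattern applies to the single-user variant of the script; only $newUsers changes. Both scripts in this thread also carry the root password as a literal string; Get-Credential, or a secret pulled from a vault at run time, keeps it out of the file and out of the PowerShell history.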
mbabu1
Enthusiast

Hi LucD,

Perfect, the above works perfectly. I have found the cluster has all the hosts in lockdown mode (Normal) and I need to manually disable the lockdown mode for the script to access the host and run accordingly.

Is there any way of adding to the script to disable lockdown mode, run the script and enable lockdown mode at the end? I assume you will need to access the vCenter. Happy to add in the vCenter name.

Please advise.

Many Thanks

LucD
Leadership

Not while you are connected to the ESXi node itself.
When you have all these ESXi nodes connected to a vCenter, you could probably automate it from there.


mbabu1
Enthusiast

Thanks LucD,

Is there a separate small script available I can run to disable/enable the lockdown mode in the environment using the vcenter?

Thanks in advance.

Mo
