Automation

Hello everyone,

I was wondering if there was anyway to add and remove users from a Windows Server 2003 system using PowerCLI.  Ideally, I was hoping to find a way to eventually automate a way to add and cancel accounts through script.

Thanks for any advice anyone can give or if you can push me in the right direction.

Best

If your W2K3 guests fullfill the requiremenst of the Invoke-VMScript cmdlet, you can launch a script (BAT file) inside the guest and in that script use something like this to create the user

net user user password /add

See KB251394 for more info on the net user command

Hello, Proxmire-

Sounds like you are talking about adding/removing local accounts on the given Win2003 server.  You can use the built-in "net.exe" to do so:

net.exe user myNewUser newUserPassw0rd /add

To do this remotely, you would not necessarily need to use PowerCLI -- you could use something like psexec.exe from Sysinternals (now owned by Microsoft):

## prompts for admin user's password
psexec.exe -u someAdminUser \\myVM net.exe user myNewUser newUserPassw0rd /add

But, that requires that the VM have network connectivity.  If you are doing this on a VM that may not have connectivity at the time (say, during the provisioning process, maybe), or if you just want to use PowerCLI, you can use the Invoke-VMScript cmdlet, like:

## runs on target VM, even if the OS cannot be contact via network, but requires that VMTools are running
$credGuest = Get-Credential someAdminUser  ## get credentials for an admin user on the VM
Invoke-VMScript -VM myVM -ScriptText "net.exe user myNewUser newUserPassw0rd /add" -ScriptType Bat -GuestCredential $credGuest -Confirm:$false

Note:  in PowerCLI v4.x, you need to use the 32-bit version of PowerCLI.  The release notes for PowerCLI v5 say that this limitation is removed, but I have not yet verified.

If you are not familiar with it, net.exe can do many other things, like delete local users, list local group info, add local/domain users to local groups, etc.

Message was edited by mattboren at 5:24pm:  ah, LucD already got it for you...

Thank you so much guys for both of your answers.  Both solutions I believe would work very well.  I do have some experience with the Invoke-VMscript cmdlet that LucD introduced me to in a few of my other discussion questions.  PsExec looks very handy though.  I've downloaded it and I did have some questions on how it works and how to connect.

Once it's in the executable path, I read that you need to connect to each remote computer by the computer name:

For example: psexec \\computer1

Would this only work if each VM had a unique computer name?

Would there be anyway to connect possibly by using the IP address?

I do have administrator access for all of them so any permissions issues wouldn't be a problem with the right credentials.  I'm just foggy on how PsExec recognizes just the computer name and then connects to it without any IP address information.

psexec \\10.3.1.1 -u administrator -p password would work really well.

Thanks again for your help and any additional clarifications you can give!

Best

After fiddling around with it some more I found that connecting using the IP address does indeed work, but it seems that I can only do it from between VMs on the same host and can't connect with PsExec from a VM on one host to a VM on a different host.  My own computer can't connect to any of them either.  All of the VMs don't have any firewalls on them either.

Is this something that is inherent with how the PsExec software works or just changes with how I need to set up my own network?

Thanks again.

Best

Did these machines join an Active Directory ?

Do you have DNS and/or WINS configured ?

Hello LucD,

They are joined to an Active Directory with the DNS configured.  Would this prevent them from communicating between each other?

No, I was aking because you can't seem to do a 'psexec \\computername'.

The name should be resolved through DNS and/or WINS, so there shouldn't be any need to pass to IP addresses.

The fact that you apparently can't communicate from a VM on host A to a VM on host B, could be caused by the network topology both these servers have. Do you have the same portgroup (with the same VLAN) defined on both hosts ?

Are both VMs connected to that portgroup ?

Hello guys,

I found the issue that wasn't allowing  me to connect between hosts which I initially managed to overlook.  For  some reason, the VM on the separate host didn't have the Admin$ share  enabled by default which wasn't allowing psexec to connect.  I had to  edit the registry to set the AutoSharesServer value to 1, so that  restarting the Server services would create the Admin$ share in the  Shared Folder.  Once I did this I could connect perfectly from one  administrator account on a VM to another regardless of the host.

I also tried connecting with psexec using the NetBios  name of the VM as you guys suggested, which works very nicely.  I had no  idea that this could be done but it makes sense since they are all in  the same domain and each VM has a unique name.

Thanks so much again for both of your help.

This has brought me much closer to automating the process of canceling and creating accounts.  I'll just throw the psexec commands into some sort of script and I should be partway there.

Best