Sivaramsharmar
Enthusiast
Enthusiast

Any way to check ESXi root password Changed Date through PowerCLI

Hi All,

Is there Any way to check ESXi root password Changed Date through PowerCLI.

ESXi version : 6.0

vCenter : 6.0

0 Kudos
4 Replies
LucD
Leadership
Leadership

Yes, the change will create a UserPasswordChanged event.

You can get those events and the date with the following.

$esxName = 'MyEsx'

Get-VIEvent -Start (Get-Date).AddMinutes(-15) -MaxSamples ([int]::MaxValue) |

where { $_ -is [VMware.Vim.UserPasswordChanged] -and $_.UserName -eq 'root' -and $_.Host.Name -eq $esxName } |

Select CreatedTime, FullFormattedMessage

You can run this against a connection to a vCenter or a connection against an ESXi node.

On an ESXi node events are kept for about 1 hour, on a vCenter events are kept for the valu


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
Sivaramsharmar
Enthusiast
Enthusiast

Hi Lucd,

As there is a time factor involved as per the log retention period of ESXi & vCenter as  you said, I tried for alternate approach.

I have gone through couple of blogs and found below command.

Below command is working only on ESXi 6.5 and above.

[root@localhost:~] myDays=$(cat /etc/shadow | grep root | awk -F ":"'{print $3}')

[root@localhost:~] date -d "1970-01-01 +$(($myDays *24))"

We have more servers running on ESXi 6.0 environment and above command is not working.

Is there any way that we can execute above command through PowerCLI which will work both on ESXi 6.0 & 6.5.

0 Kudos
LucD
Leadership
Leadership

The following can do this (there seems to be an error in your code).

It assumes that you have the Posh-SSH module installed (see Use Posh-SSH instead of PuTTY)

$esxName = 'MyEsx'

$cred = Get-Credential -Message "Credentials for $esxName"

$esx = Get-VMHost -Name $esxName

$cmdSub = @'

days=$(awk -F":" '$1 == "root" {print $3}' /etc/shadow)

seconds_since_epoch=$((days*60*60*24))

date --date=@$((seconds_since_epoch))

'@


$session = New-SSHSession -ComputerName $esx.Name -Credential $cred -AcceptKey

$result = Invoke-SSHCommand -SSHSession $session -Command $cmdSub

Remove-SSHSession -SSHSession $session | Out-Null


$result.Output


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
LucD
Leadership
Leadership

It looks as if the root password age is returned as Sat Jul 29 00:00:00 UTC 2006 when you still are using the original password defined during the installation of ESXi.

At least that is what I seem to see in ESXi 6.7


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos