VMware Cloud Community
MetalizedBlood
Contributor

Creating local accounts on ESX hosts with New-VMHostAccount

Hello,

Here is what I'm trying to do: I want to create a script that is going to create a local user account on all ESX hosts and grant access via VIC to all those hosts using the user's credentials. Then, I want to change the root user password on all the hosts. Should something go wrong with changing the root password, I'll be able to log on to the hosts with the VIC client directly using the new user that has been created and reset the root password.

I'm able to create the accounts on all hosts but I'm not able to access the hosts directly using the VIC client once the user is created. I do not want to log in to each host and grant permission manually to the account I created.

Here is the relevant part of the script I wrote:

#Current root credentials
$username = Read-Host "Enter username"
$password = Read-Host "Enter password"

#New root account password
$newpassword = Read-Host "Enter the new root password"

#Esx server list (host names must be quoted to form a string array)
$esxservers = "esxserver1.domain.com", "esxserver2.domain.com"

foreach ($server in $esxservers)
    {
        Connect-VIServer -Server $server -User $username -Password $password
        New-VMHostAccount -Id newuser -Description "New Admin User" -Password test123test -GrantShellAccess:$true -AssignGroups root, bin, daemon
        Disconnect-VIServer * -Confirm:$false
    }

So far, the user is created successfully on all hosts. The problem is accessing the hosts with the VIC client directly using the new credentials.

Any ideas?

I tried changing the root passwords using another script in the test environment and all went well. However, I want to be able to roll back should something go wrong. I want to avoid the situation where I have to reboot the hosts, go to single mode and reset the passwords...

I hope that the question is clear.

12 Replies
LucD
Leadership

You will have to give that new user a 'role' before you can connect.

You can automate testing the new admin account in the script.

#Current root credentials
$username = Read-Host "Enter username"
$password = Read-Host "Enter password"

#New root account password
$newpassword = Read-Host "Enter the new root password"

#Esx server list
$esxservers = "esxserver1.domain.com", "esxserver2.domain.com"

foreach ($server in $esxservers)
    {
        Connect-VIServer -Server $server -User $username -Password $password
        New-VMHostAccount -Id newuser -Description "New Admin User" -Password test123test -GrantShellAccess:$true -AssignGroups root, bin, daemon
        New-VIPermission -Entity $server -Principal "New Admin User" -Role "Admin"
        #Test the new account by opening a second session with its credentials
        $testConnect = Connect-VIServer -Server $server -User "New Admin User" -Password test123test
        if(!$testConnect){
            Write-Host "Problem with new account on" $server
        }
        else{
            Disconnect-VIServer -Server $testConnect -Confirm:$false
        }
        Disconnect-VIServer * -Confirm:$false
    }


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

MetalizedBlood
Contributor

Thanks LucD.

With a bit of tweaking it worked. I encountered a few problems when using -AsSecureString when entering passwords, but I found a way to convert the secure string to plain text in order to be able to set the root password using the Set-VMHostAccount command:

#Connect to all ESX hosts where the account is to be modified
$rootaccountpassword = Read-Host "Enter new root account password" -AsSecureString:$true
#Wrap the SecureString in a PSCredential to get the plain-text value back
$temp = New-Object System.Management.Automation.PSCredential "None", $rootaccountpassword
$newpassword = $temp.GetNetworkCredential().Password

MB

IrishVM
Contributor

Needs testing

$VIserver = Read-Host "Enter Virtual Center Server"
$Cluster = Read-Host "Enter Cluster. Leave Blank to add user to all hosts"
$Username = Read-Host "Enter User to add"
$Password = Read-Host "Enter Password for $Username"
$Role = Read-Host "Enter role for user example admin, readonly"

#Get the host list from vCenter (Read-Host returns an empty string, not $null, when left blank)
Connect-VIServer -Server $VIserver
if ($Cluster -ne "") {
    $hosts = Get-Cluster $Cluster | Get-VMHost
}
else {
    $hosts = Get-VMHost
}
Disconnect-VIServer -Server $VIserver -Confirm:$False

#Create the account and permission on each host directly
foreach ($vmhost in $hosts) {
    $hostnamevm = $vmhost.Name
    Connect-VIServer $hostnamevm
    New-VMHostAccount -Id $Username -Password $Password -UserAccount
    $rootFolder = Get-Folder -NoRecursion
    $myPermission = New-VIPermission -Entity $rootFolder -Principal $Username -Role $Role -Propagate:$true
    Disconnect-VIServer -Server $hostnamevm -Confirm:$False
}

Sam30
Enthusiast

LucD

I was testing your script step by step before running it entirely.

#Connects to ESX server --> Works

Connect-VIServer -Server $server -user $username -password $password

#Created a new account with attributes given in the liner --> Works

New-VMHostAccount -Id newuser -Description "New Admin User" -PassWord test123test  -GrantShellAccess:$true -AssignGroups root, bin, daemon

Now the below one is not working:

New-VIPermission -Entity $server -Principal "New Admin User" -Role "Admin"

I used it as :-

New-VIPermission -Entity "ESX FQDN SERVRER NAME" -Principal "New Admin User" -Role "Read-Only"

But I'm getting the below error :-

New-VIPermission : 3/24/2011 7:01:38 AM    New-VIPermission        Could not fi
nd VIObject with name 'ESX FQDN SERVRER NAME'.
At line:1 char:17
+ New-VIPermission  <<<< -Entity "ESX FQDN SERVRER NAME" -Role "Read-only"
New-VIPermission : 3/24/2011 7:01:38 AM    New-VIPermission        Could not fi
nd Role with name 'Read-only'.
At line:1 char:17
+ New-VIPermission  <<<< -Entity "ESX FQDN SERVRER NAME" -Role "Read-only"
New-VIPermission : 3/24/2011 7:01:38 AM    New-VIPermission        Value cannot
be found for the mandatory parameter Entity
At line:1 char:17
+ New-VIPermission  <<<< -Entity "ESX FQDN SERVRER NAME" -Role "Read-only"

What I'm trying to do is create a user and provide Read-only access to that user on the root of the ESX boxes (not on any particular folder or VM on that ESX but on the ESX box itself), as the user is required for monitoring purposes, although the built-in "Read-only" role already exists. I also tried manually creating a new role and assigning that role to the new user ID created, just to check if the error is coming only for the already created in-built roles. But even that didn't work.

Let me know if you could correct something.

Thanks

LucD
Leadership

That error comes from the fact that you cannot use the Object By Name (OBN) feature on the Entity parameter.

It has to be a VI Object, not the name of the object.

You could do

...
$esx = Get-VMHost -Name "ESX FQDN SERVRER NAME"
New-VIPermission -Entity $esx -Principal "New Admin User" -Role "Read-Only"
...

That should work


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Sam30
Enthusiast

Thanks LucD

Yep, that's working. How about the Role I was talking about?

It's not accepting the role names which are already created in VC: "Administrator", "No access", "Read-only".

The only role I could try was giving admin access, and that too by putting the role name as -Role "admin" and not as -Role "Administrator".

Where can I check which other roles are present other than admin?

As I'm looking for Read-only permissions!

Thanks

Sam

LucD
Leadership

This thread was about host accounts, so you can only assign host roles.

While connected to the ESX(i) host, do a

Get-VIRole

That should list the available roles.

Note that the vCenter roles are different.

You can list those while connected to the vCenter.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Sam30
Enthusiast

I got it working.

For everyone else, in case you are looking for Read-only or No access permissions, you'll have to use:

-Role "readonly"

NOT -Role "Read-only"

-Role "noaccess"

NOT -Role "No Access"

Although I would still like to know if all these names are defined somewhere, because the role names VC has are not the ones that can be used in PCLi.

Thanks

Sam

Sam30
Enthusiast

Hi LucD

Well, one more thing I found is if I give the entity name as the ESX server name like you gave, as:

$esx = Get-VMHost -Name  "ESX FQDN SERVRER NAME"
New-VIPermission -Entity $esx -Principal "New Admin User" -Role "readonly"

It shows me the permissions in roles as:

1.jpg

And if I use the entity name as "ha-folder-root", as:

New-VIPermission -Entity ha-folder-root -Principal "New Admin User" -Role "readonly"

It shows me as below, like it generally shows for the inbuilt users "root" and "vpxuser" in Administrator roles:

2.JPG

So what's the difference between these? Which one is the better way to use?

Thanks

Sam

LucD
Leadership

The difference is the place in the vSphere hierarchy where you apply the permission.

The hierarchy looks as follows (with a connection to an ESX(i) server):

ha-folder-root
      |
ha-datacenter
      |
ha-folder-host (hidden folder)
      |
esx server

So if you apply a permission on the ha-folder-root, and you select propagate, it will apply the same permission on all objects starting from the root.

If the permission is applied on the esx server, it will only be on all objects starting at the esx server node in the hierarchy. You will, for example, not have that permission on the datacenter to which the ESX(i) server belongs.

I hope this clarifies this at least a bit 🙂


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Sam30
Enthusiast

Thanks LucD for trying to clarify all this by now.

But if you see the screenshot, it DOES show that I get permissions on the ha-root-folder, the esx host, the resources under that... so everything that the local host has:

pastedImage_1.png

And if I apply directly on ha-root-folder, that also shows I get everything under ha-root-folder for that particular host:

snapshot 01.png

Just to mention, I've not applied this on the complete VC by connecting to it via PCLi, but I connected directly to the ESX host via PCLi and tried applying the above kind of permissions.

LucD
Leadership

Couldn't this be explained by the fact that the default value for the Propagate parameter is $true?

Perhaps include the command you used to set that permission?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

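Pulling the thread's pieces together (a VI object rather than a name for -Entity, the host role looked up with Get-VIRole instead of guessing at vCenter display names, an explicit -Propagate on the root folder, and a login test with the new account before root is touched), here is an added example that is not code from any of the posters. Host names, the account id and the role choice are placeholders, and it assumes a PowerCLI version in which New-VMHostAccount no longer needs the -UserAccount switch.

```powershell
# Constructed example, not from the thread: create a local break-glass account
# on each host, grant it a host role at ha-folder-root, prove it can log in,
# and only then rotate root. Placeholders: host names, $breakGlassId, role name.
$esxservers   = "esxserver1.domain.com", "esxserver2.domain.com"
$breakGlassId = "newuser"

$rootCred  = Get-Credential -Message "Current root credentials"
$newUserPw = Read-Host "Password for $breakGlassId" -AsSecureString
$newRootPw = Read-Host "New root password" -AsSecureString

# The account cmdlets need plain text; unwrap the SecureString via PSCredential
# (the same trick MetalizedBlood used above) only at the moment it is needed.
function ConvertTo-Plain([securestring]$s) {
    (New-Object System.Management.Automation.PSCredential "x", $s).GetNetworkCredential().Password
}

foreach ($server in $esxservers) {
    # -NotDefault keeps this session out of $global:DefaultVIServer so every
    # cmdlet below is pinned to this host with -Server $vi
    $vi = Connect-VIServer -Server $server -Credential $rootCred -NotDefault
    try {
        # Host roles are named Admin / ReadOnly / NoAccess; -eq is case-insensitive
        $role = Get-VIRole -Server $vi | Where-Object { $_.Name -eq "Admin" }
        if (-not $role) { throw "no Admin role found on this host" }

        if (-not (Get-VMHostAccount -Server $vi -Id $breakGlassId -ErrorAction SilentlyContinue)) {
            New-VMHostAccount -Server $vi -Id $breakGlassId -Password (ConvertTo-Plain $newUserPw) `
                -Description "Break-glass admin" | Out-Null
        }
        # -Entity must be an object (OBN is not supported); Get-Folder -NoRecursion
        # returns ha-folder-root, and Propagate is stated rather than left to default
        $rootFolder = Get-Folder -Server $vi -NoRecursion
        New-VIPermission -Server $vi -Entity $rootFolder -Principal $breakGlassId `
            -Role $role -Propagate:$true | Out-Null

        # Prove the new account works in its own session before rotating root;
        # -ErrorAction Stop turns a failed login into the catch below
        $test = Connect-VIServer -Server $server -User $breakGlassId `
            -Password (ConvertTo-Plain $newUserPw) -NotDefault -ErrorAction Stop
        Disconnect-VIServer -Server $test -Confirm:$false

        $root = Get-VMHostAccount -Server $vi -Id root
        Set-VMHostAccount -UserAccount $root -Password (ConvertTo-Plain $newRootPw) | Out-Null
        Write-Host "$server : break-glass account verified, root password rotated"
    } catch {
        # Any failure leaves root untouched, so the host is never locked out
        Write-Warning "$server : $_ (root password left unchanged)"
    } finally {
        Disconnect-VIServer -Server $vi -Confirm:$false
    }
}
```

Because root is only changed after the break-glass login has succeeded, the rollback path the original poster wanted (log in with the new user and reset root) is guaranteed to exist on every host the script touches.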