Hi. I am running through the Security Configuration Guide, specifically ID ESXi.audit-exception-users, and found I get the following error when running the sample code:
At line:23 char:30
+ if ($hostaccountname.Name)
+ ~
Missing statement block after if ( condition ).
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : MissingStatementBlock
The code is as follows:
#Sample code to check each local user on an ESXi host
#against the list in vCenter's exception user list. Also checks
#to see if the local user has administrator privileges.
#
# Provide the username and password of an account on your ESXi hosts.
# Provide the name of your vCenter Server
$esxusername = "root"
$esxpassword = "VMware1!"
$vCenterServer = "vcsa.lab.local"
#Ensure all connections are dropped.
Disconnect-VIServer -Force -server * -Confirm:$false
# You may need to provide the username and password of your vCenter server below
connect-viserver $vCenterServer
$esxihosts = get-vmhost
#
foreach ($esxihost in $esxihosts)
{
Write-Host "Host is: " $esxihost
Write-host "Exception Users from vCenter"
$myhost = Get-VMHost $esxihost | Get-View
$lockdown = Get-View $myhost.ConfigManager.HostAccessManager
$LDusers = $lockdown.QueryLockdownExceptions()
Write-host $LDusers
# Connect to each ESXi host in the cluster to retrieve the list of local users.
Write-Host "Lockdown user: " $LDuser
Write-host "Connecting to: " $esxihost
Connect-VIServer -Server $esxihost -user $esxusername -Password $esxpassword
#Loop through the list of Exception Users and check to see if they have accounts on
#the ESXi server and if that account is an administrator account.
foreach ($LDuser in $LDusers)
{
Write-host "Get-vmhostaccount"
$hostaccountname = get-vmhostaccount -ErrorAction SilentlyContinue $LDuser
write-host "Check to see if user exists"
if ($hostaccountname.Name)
Write-Host $hostaccountname.Name
{
Write-Host "Get-VIPermission"
$isadmin = Get-VIPermission -Principal $LDuser -ErrorAction SilentlyContinue | Where {$_.Role -eq "Admin"}
Write-host "Admin Role: " $isadmin.Role
if ($isadmin.Role -eq "Admin") {Write-Host $LDuser is an "Exception User with Admin accounts on " $esxihost}
}
Disconnect-VIServer -Server $global:DefaultVIServer -Force -Confirm:$false
}
}
Having run through it, I think a { may just be in the wrong place... Should the last section be as follows?
if ($hostaccountname.Name)
{ Write-Host $hostaccountname.Name
Write-Host "Get-VIPermission"
$isadmin = Get-VIPermission -Principal $LDuser -ErrorAction SilentlyContinue | Where {$_.Role -eq "Admin"}
Write-host "Admin Role: " $isadmin.Role
if ($isadmin.Role -eq "Admin") {Write-Host $LDuser is an "Exception User with Admin accounts on " $esxihost}
}
Yes, I suspect that the Write-Host ended up in the wrong place.
It should probably be like this:
#against the list in vCenter's exception user list. Also checks
#to see if the local user has administrator privileges.
#
# Provide the username and password of an account on your ESXi hosts.
# Provide the name of your vCenter Server
$esxusername = "root"
$esxpassword = "VMware1!"
$vCenterServer = "vcsa.lab.local"
#Ensure all connections are dropped.
Disconnect-VIServer -Force -server * -Confirm:$false
# You may need to provide the username and password of your vCenter server below
connect-viserver $vCenterServer
$esxihosts = get-vmhost
#
foreach ($esxihost in $esxihosts) {
Write-Host "Host is: " $esxihost
Write-host "Exception Users from vCenter"
$myhost = Get-VMHost $esxihost | Get-View
$lockdown = Get-View $myhost.ConfigManager.HostAccessManager
$LDusers = $lockdown.QueryLockdownExceptions()
Write-host $LDusers
# Connect to each ESXi host in the cluster to retrieve the list of local users.
Write-Host "Lockdown user: " $LDuser
Write-host "Connecting to: " $esxihost
Connect-VIServer -Server $esxihost -user $esxusername -Password $esxpassword
#Loop through the list of Exception Users and check to see if they have accounts on
#the ESXi server and if that account is an administrator account.
foreach ($LDuser in $LDusers) {
Write-host "Get-vmhostaccount"
$hostaccountname = get-vmhostaccount -ErrorAction SilentlyContinue $LDuser
write-host "Check to see if user exists"
if ($hostaccountname.Name) {
Write-Host $hostaccountname.Name
Write-Host "Get-VIPermission"
$isadmin = Get-VIPermission -Principal $LDuser -ErrorAction SilentlyContinue | Where { $_.Role -eq "Admin" }
Write-host "Admin Role: " $isadmin.Role
if ($isadmin.Role -eq "Admin") { Write-Host $LDuser is an "Exception User with Admin accounts on " $esxihost }
}
Disconnect-VIServer -Server $global:DefaultVIServer -Force -Confirm:$false
}
}
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
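As an added example (not the guide's sample code and not LucD's script): the same ESXi.audit-exception-users check rewritten as a function that returns one object per host and exception user, prompts for credentials instead of hard-coding a password, and scopes the host-level cmdlets with -Server so they run against the direct ESXi session rather than the vCenter session that is also open. The function and parameter names are my own; it assumes PowerCLI is loaded and that Get-VMHostAccount, Get-VIPermission and Get-View accept the -Server, -Id and -Principal parameters as used here.

```powershell
# Added example: audit vCenter lockdown-mode exception users against each host's
# local accounts and report whether they hold the Admin role on that host.
function Test-ExceptionUserAdmin {
    param(
        [Parameter(Mandatory)] [string]       $VCenterServer,
        [Parameter(Mandatory)] [pscredential] $VCenterCredential,
        [Parameter(Mandatory)] [pscredential] $HostCredential   # prompted, not stored in the script
    )
    $vc = Connect-VIServer -Server $VCenterServer -Credential $VCenterCredential
    try {
        foreach ($esxiHost in (Get-VMHost -Server $vc)) {
            # Exception users are configured on the host's HostAccessManager (as in the guide's sample).
            $hostView   = $esxiHost | Get-View
            $accessMgr  = Get-View -Server $vc -Id $hostView.ConfigManager.HostAccessManager
            $exceptions = @($accessMgr.QueryLockdownExceptions())
            if ($exceptions.Count -eq 0) { continue }

            # Local accounts and host-level permissions are only visible on a direct
            # host connection, so every query below is pinned to that session with -Server.
            $hostConn = Connect-VIServer -Server $esxiHost.Name -Credential $HostCredential
            try {
                foreach ($user in $exceptions) {
                    $account = Get-VMHostAccount -Server $hostConn -Id $user -ErrorAction SilentlyContinue
                    $roles = @()
                    if ($account) {
                        $roles = @(Get-VIPermission -Server $hostConn -Principal $user -ErrorAction SilentlyContinue |
                                   ForEach-Object { $_.Role })
                    }
                    [pscustomobject]@{
                        VMHost          = $esxiHost.Name
                        ExceptionUser   = $user
                        HasLocalAccount = [bool]$account
                        IsAdmin         = ($roles -contains 'Admin')
                        Roles           = ($roles -join ',')
                    }
                }
            } finally {
                Disconnect-VIServer -Server $hostConn -Force -Confirm:$false
            }
        }
    } finally {
        Disconnect-VIServer -Server $vc -Force -Confirm:$false
    }
}

# Usage: list only the exception users that hold Admin on a host, which is the
# finding the audit item is looking for.
# Test-ExceptionUserAdmin -VCenterServer vcsa.lab.local -VCenterCredential (Get-Credential) -HostCredential (Get-Credential) |
#     Where-Object IsAdmin | Format-Table -AutoSize
```

Because the result is objects rather than Write-Host text, the same run can be piped to Export-Csv for the audit evidence the guide asks you to keep.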