VMware Cloud Community
Pinball
Enthusiast

ESXi Local user Update or Add



Hi Luc


I found your previous update on a case "Local User Add" but wanted to do a bit more with it. The original post caters for a brand new user, but I need to check first if the user exists; if it exists, update the details as per the standard, and if it doesn't, create it from scratch.


Current:


$esxlist = Get-VMHost

foreach($esx in $esxlist){
    Connect-VIServer -Server $esx -User root -Password "password"
    $account = New-VMHostAccount -Id OMSAITA -Password "password" -Description "Dell OpenManage User" -UserAccount -GrantShellAccess
    New-VIPermission -Entity $esx -Principal $account -Role admin
    Disconnect-VIServer -Server $esx
}


Please can you help me with the checking process and the update if it exists.


Thanks

Johan

0 Kudos
10 Replies
LucD
Leadership

Try something like this

$accountName = "OMSAITA"
$accountPswd = "password"
$accountDescription = "Dell OpenManage User"

# Run while connected to vCenter so that Get-VMHost returns all ESXi hosts
$esxlist = Get-VMHost
foreach($esx in $esxlist){
    Connect-VIServer -Server $esx -User root -Password "password"
    $rootFolder = Get-Folder -Name ha-folder-root
    Try{
        # Account exists: update its password and description
        Get-VMHostAccount -Id $accountName -ErrorAction Stop |
        Set-VMHostAccount -Password $accountPswd -Description $accountDescription
    }
    Catch{
        # Account not found: create it and grant the role on the host's root folder
        $account = New-VMHostAccount -Id $accountName -Password $accountPswd -Description $accountDescription -UserAccount -GrantShellAccess
        New-VIPermission -Entity $rootFolder -Principal $account -Role admin
    }
    Disconnect-VIServer -Confirm:$false
}

If you need to change the permission as well when the account already exists, you could also do that with a separate Try{} Catch{} construction with the Get-VIPermission cmdlet.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
mellvin
Contributor

Great one Luc. Now one last thing. Need to assign "Administrator" role to the admin group created. If this is done, this will be a complete script where people don't have to share root passwords, instead give this user id credentials.

Thanks for the help. Much appreciated.

Regards,

Mellvin

0 Kudos
Pinball
Enthusiast

Hi Luc

Sorry for the late reply. So I've tried the version below; however, it seems as if the hosts don't stay connected to perform the "Catch" part of the script. I've also decided to add a username never used before so it should be true for all ESXi hosts.

Script:

$accountName = "OMSAITA52"
$accountPswd = "password"
$accountDescription = "Dell OpenManage User"

$esxlist = Get-VMHost
foreach($esx in $esxlist){
    Connect-VIServer -Server $esx -User root -Password "password"
    $rootFolder = Get-Folder -Name ha-folder-root
    Try{
        Get-VMHostAccount -Id $accountName -ErrorAction Stop
    }
    Catch{
        $account = New-VMHostAccount -Id $accountName -Password $accountPswd -Description $accountDescription -UserAccount -GrantShellAccess
        New-VIPermission -Entity $rootFolder -Principal $account -Role admin
    }
    Disconnect-VIServer -Confirm:$false
}

Error Output:

PowerCLI C:\Users\Johan45\Documents\PS> .\ESXi-NewUser-Good.ps1

Name                           Port  User
----                           ----  ----
dcppesx002.discovery.holdin... 443   root
New-VMHostAccount : 25/02/2014 13:42:59    New-VMHostAccount        The requested operation can only be performed when connected directly to an ESX server.
At C:\Users\Johan45\Documents\PS\ESXi-NewUser-Good.ps1:13 char:20
+         $account = New-VMHostAccount -Id $accountName -Password $accountPswd -De ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [New-VMHostAccount], VimException
    + FullyQualifiedErrorId : Client20_VmHostServiceImpl_TryGetHostLocalAccountManager_NotConnectedToESX,VMware.VimAutomation.ViCore.Cmdlets.Commands.Host.NewVMHostAccount
New-VIPermission : 25/02/2014 13:42:59    New-VIPermission        One or more objects are specified by name. There is no server list explicitly specified, so an attempt was made to determine a single server by the  managed objects passed to the cmdlet as arguments. However the arguments come from more than one server which makes it impossible to unambiguously  select single server.
At C:\Users\Johan45\Documents\PS\ESXi-NewUser-Good.ps1:14 char:9
+         New-VIPermission -Entity $rootFolder -Principal $account -Role admin
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidResult: (System.Collecti...1.VIConnection]:List`1) [New-VIPermission], ViServerConnectionException
    + FullyQualifiedErrorId : Core_ObnSelector_GetClientListFromCmdletParameters_AmbiguousServer,VMware.VimAutomation.ViCore.Cmdlets.Commands.PermissionManagement.NewVIPermission

0 Kudos
LucD
Leadership

It looks like you are working in "multiple" mode (see Set-PowerCLIConfiguration).

Can you try the script while running in "single" mode?



0 Kudos
Pinball
Enthusiast

Hi Luc

Thanks for the super quick response. I've made the change to my PowerCLI env and it works great now for the first server and then terminates. Based on the script I would assume the "foreach" will cause a loop letting it run through all the ESXi hosts it finds. If my assumption is correct, do you have any suggestion where this might be going wrong?

Johan

0 Kudos
LucD
Leadership

Well, the script assumes you are connected to the vCenter when you start the script. That way the line

$esxlist = Get-VMHost


will find all ESXi servers.

The script then connects to the ESXi servers one-by-one, and this is where the script needs to be running in "single" mode.



0 Kudos
AnthBro
Enthusiast


Shouldn't the disconnect read

Disconnect-VIServer -server $esx -Confirm:$false

Any views or opinions presented in this post are solely those of the author and do not necessarily represent those of the company he works for.
0 Kudos
LucD
Leadership

Only when you are not running in single mode, then there is only 1 connection active.

But you could still add the Server parameter, to make it more visible to the users of your script.



0 Kudos
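
Added example, not part of the thread or LucD's script: one way to combine the update-or-create logic with the Get-VIPermission check suggested earlier, passing the connection to every cmdlet with -Server so it behaves the same in "single" and "multiple" mode, and taking passwords as PSCredential objects instead of literals in the script. The function name Set-EsxLocalAdmin, its parameters and $vc (an existing vCenter connection) are assumptions.

```powershell
# Added example; Set-EsxLocalAdmin and its parameter names are hypothetical.
function Set-EsxLocalAdmin {
    param(
        [Parameter(Mandatory)][string[]]$VMHostName,
        [Parameter(Mandatory)][pscredential]$RootCredential,     # root on each ESXi host
        [Parameter(Mandatory)][pscredential]$AccountCredential,  # local account to create/update
        [string]$Description = 'Dell OpenManage User',
        [string]$Role = 'admin'
    )
    $id = $AccountCredential.UserName
    # New-/Set-VMHostAccount take the password as a plain string
    $pswd = $AccountCredential.GetNetworkCredential().Password

    foreach ($name in $VMHostName) {
        $conn = $null
        $result = 'failed'
        try {
            # Keep the connection object and hand it to every cmdlet explicitly
            $conn = Connect-VIServer -Server $name -Credential $RootCredential -ErrorAction Stop
            $account = Get-VMHostAccount -Server $conn -Id $id -ErrorAction SilentlyContinue
            if ($account) {
                $account = $account | Set-VMHostAccount -Server $conn -Password $pswd -Description $Description -ErrorAction Stop
                $result = 'updated'
            } else {
                $account = New-VMHostAccount -Server $conn -Id $id -Password $pswd -Description $Description -UserAccount -GrantShellAccess -ErrorAction Stop
                $result = 'created'
            }
            # Grant the role on the host's root folder only if no permission exists yet
            $rootFolder = Get-Folder -Server $conn -Name ha-folder-root -ErrorAction Stop
            $perm = Get-VIPermission -Server $conn -Entity $rootFolder -Principal $account -ErrorAction SilentlyContinue
            if (-not $perm) {
                New-VIPermission -Server $conn -Entity $rootFolder -Principal $account -Role $Role -ErrorAction Stop | Out-Null
            }
        } catch {
            Write-Warning "${name}: $($_.Exception.Message)"
            $result = 'failed'
        } finally {
            # Always close the root session to this host, even after an error
            if ($conn) { Disconnect-VIServer -Server $conn -Confirm:$false }
        }
        [pscustomobject]@{ VMHost = $name; Account = $id; Result = $result }
    }
}

# Usage; $vc is assumed to be an existing vCenter connection
$hostNames = (Get-VMHost -Server $vc).Name
Set-EsxLocalAdmin -VMHostName $hostNames -RootCredential (Get-Credential -UserName root -Message 'ESXi root') -AccountCredential (Get-Credential -UserName OMSAITA -Message 'New local account')
```
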
esxi1979
Expert

$accountName = "OMSAITA"
$accountPswd = "password"
$accountDescription = "Dell OpenManage User"

$esxlist = Get-VMHost


In the above it fails saying nothing connected? Do we need to connect to vCenter first? Also, the role admin here is present on all ESXi nodes locally? Or it's on vCenter?
0 Kudos
esxi1979
Expert

Pls ignore .. I got it .. single mode ..

0 Kudos