VMware Cloud Community
Deker72
Contributor

Get-VIPermission error when passing -Principal value

Hi,

I'm working with Azure Site Replication and have a strange issue which I can only think is permission based as the following happens when running the following command from PowerCLI:

Get-VIPermission -Entity (get-datacenter) -Principal <domain\user>

If I run the command as a user with full administrative privileges in VMware then it works fine and brings back the information for the user; however, if I run the command as a general user I get the following error:

Get-VIPermission : 28/02/2018 12:35:29    Get-VIPermission        Value cannot be null.
Parameter name: collection
At line:1 char:1
+ Get-VIPermission  -Principal **\*********
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-VIPermission], VimException
    + FullyQualifiedErrorId : Core_BaseCmdlet_UnknownError,VMware.VimAutomation.ViCore.Cmdlets.Commands.PermissionManagement.GetVIPermission

If I run the command without the "-Principal <domain\user>" then it works and brings back a list of all roles and their principals; if we modify the query to the one below, it works:

Get-VIPermission -Entity (Get-Datacenter) | where {$_.principal -eq "**\*******"}

Unfortunately I can't change any scripts as it's part of the Azure Site Replication tools, but can anyone explain why passing the -Principal <domain\user> causes the initial command to fail and, if possible, how to fix it? It would initially appear to be a user restriction as it works with an admin account, but I have no idea where it would be restricted?

Thanks

Derek

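The two query forms from the post above can be compared side by side under a given login; this is an added example, not part of the original thread or of the Azure tooling. The function name and the sample principal are hypothetical, and it assumes an active Connect-VIServer session under the account being tested.

```powershell
# Added example: hypothetical helper, not part of PowerCLI or the Azure tooling.
# Assumes Connect-VIServer has already been run as the account under test.
function Test-VIPermissionPrincipalQuery {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Principal,  # e.g. 'AD\joe_bloggs' (constructed sample)
        $Entity = (Get-Datacenter)
    )

    $result = [ordered]@{
        Principal       = $Principal
        CmdletFilterOk  = $false   # Get-VIPermission -Principal succeeded
        CmdletFilterErr = $null    # exception type and message if it failed
        CmdletMatches   = 0
        ClientFilterOk  = $false   # list everything, then filter with Where-Object
        ClientFilterErr = $null
        ClientMatches   = 0
        Roles           = $null
    }

    # Form 1: the call from the thread, filtering inside the cmdlet.
    try {
        $viaCmdlet = @(Get-VIPermission -Entity $Entity -Principal $Principal -ErrorAction Stop)
        $result.CmdletFilterOk = $true
        $result.CmdletMatches  = $viaCmdlet.Count
    } catch {
        $result.CmdletFilterErr = '{0}: {1}' -f $_.Exception.GetType().Name, $_.Exception.Message
    }

    # Form 2: the workaround from the thread, filtering on the client side.
    try {
        $viaWhere = @(Get-VIPermission -Entity $Entity -ErrorAction Stop |
            Where-Object { $_.Principal -eq $Principal })
        $result.ClientFilterOk = $true
        $result.ClientMatches  = $viaWhere.Count
        $result.Roles          = ($viaWhere | Select-Object -ExpandProperty Role -Unique) -join ', '
    } catch {
        $result.ClientFilterErr = '{0}: {1}' -f $_.Exception.GetType().Name, $_.Exception.Message
    }

    [pscustomobject]$result
}

# Run once per login (administrator, read-only user) and compare the rows:
# Test-VIPermissionPrincipalQuery -Principal 'AD\joe_bloggs' | Format-List
```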
LucD
Leadership

Is the Principal of the format domain\user and are you by any chance using wildcards in there?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

LucD
Leadership

And which PowerCLI version are you using?

Deker72
Contributor

Hi,

Yes, I'm sending an actual domain user (no wildcards), so ad\joe_bloggs (I've tried surrounding it with " & ' too but get the same error).

PowerCLI version number is 6.0.0.7254 and build number 2548067 (I can go newer if I need to).

Thanks for the very quick reply.

Derek

LucD
Leadership

I just tried with PowerCLI 6.5.4 and can't reproduce the issue.

Perhaps worth trying an upgrade.

Deker72
Contributor

Hi,

Just tried it on a later version of PowerCLI (well, a colleague has) and we're getting the same issue. The account used has read-only at the VC level and propagates down, if that makes a difference?

LucD
Leadership

No, that shouldn't make a difference, you are only reading the permissions.

Out of curiosity, do you also see the issue when you take a Principal from the SSO domain (something like administrator@vsphere.local)?

Deker72
Contributor

Trying with the administrator@vsphere.local account brings a different error (Object not found), which is odd as that shows that it at least passed the principal across, whereas the original error is a Value cannot be null error even though it's not null and works with an account with administrator privileges.

LucD
Leadership

Looks like there might be something wrong with a service or authentication.

Is restarting your VCSA an option?

Or else open an SR, this doesn't resemble anything I have seen before.
