So I am having a problem with this script. I am trying to add on to the exceptions list for lockdown mode, and when I run it, it is replacing the whole list of users with just one user. Is there a way I can add on instead of replacing the whole list? I am trying to help automate the onboarding procedures for vCenter/ESXi. The idea I thought might work is to call upon a CSV with the list of users and just have the script initially add the new user to that CSV. But I am hoping there is a better way of keeping the exceptions list intact.
##############################################
# PowerCLI to create users and give them proper permissions
# Written by McLovin on 11/03/2020
#############################################
$Credential = Import-CliXml -Path /Host_adminCred.xml
$esxihost = @('Host_Ip')      # placeholder: replace with the ESXi host name(s)/IP(s)
$vcenter = @('Vcenter_ip')    # placeholder: replace with the vCenter name/IP
Connect-VIServer -Server $esxihost -Credential $Credential | Out-Null
Write-Host "Connected to $esxihost"
$username = Read-Host 'Input username'
$pass = Read-Host 'Input password'   # New-VMHostAccount -Password expects a plain string
foreach ($esx in $esxihost) {
    Try {
        # Get-VMHostAccount throws a terminating error when the account does not exist yet
        Get-VMHostAccount -User $username -Server $esx -ErrorAction Stop
        Write-Host "$username is already in use."
    }
    Catch {
        $user = New-VMHostAccount -Id $username -Password $pass -Description Administrator -Server $esx
        Write-Host "$username has been created on $esx"
        $rootfolder = Get-Folder -Server $esx -Name root | Select-Object -First 1
        New-VIPermission -Entity $rootfolder -Principal $username -Role Admin -Server $esx | Out-Null
        Write-Host "$username has been given $rootfolder permissions on $esx"
    }
}
##############################################
# PowerCLI to add the created user to the exception users and enable lockdown mode.
# Written by McLovin on 11/05/2020
#############################################
$AdminCredential = Import-CliXml -Path /VCA_AdminCred.xml
Connect-VIServer -Server $vcenter -Credential $AdminCredential | Out-Null
Write-Host "Connected to $vcenter"
$hosts = Get-VMHost
Foreach ($vmhost in $hosts) {
    try {
        $status = (Get-VMHost -Name $vmhost).ExtensionData.Config.LockdownMode   # checks lockdown mode
        Write-Host "$status is set on $vmhost"
        if ($status -eq "lockdownDisabled") {
            (Get-VMHost $vmhost | Get-View).EnterLockdownMode()   # sets lockdown mode to enabled.
            Write-Host "Lockdown is now set to enabled on $vmhost"
        }
    }
    catch {
        (Get-VMHost -Name $vmhost).ExtensionData.Config.LockdownMode
        Write-Host "Lockdown is already set to enabled on $vmhost"
    }
    $HostAccess = Get-View -Id $vmhost.ExtensionData.ConfigManager.HostAccessManager
    # UpdateLockdownExceptions() sets the whole list, so this call replaces the existing exception users with $username
    $HostAccess.UpdateLockdownExceptions($username)
    Write-Host "$username has been added to the Exception Users List on $vmhost"
}
Write-Host "Disconnecting from $esxihost"
Disconnect-VIServer -Server $esxihost -Force -Confirm:$false
Write-Host "Disconnecting from $vcenter"
Disconnect-VIServer -Server $vcenter -Force -Confirm:$false
I don't think you should use a try-catch construction in your 2nd script.
There is no terminating error in that try-block that would help you achieve what you are trying to do.
Also, the disconnect from the ESXi node at the end of the 2nd script seems out of place.
Try something like this for the 2nd part.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Hey LucD,
Thanks for the advice on the 2nd function but that's not the problem I am having. The issue is that when I run this script it completely replaces the exception list with the newly created user. Is there a way I can just add a user to this list? If not I can think up a way to fix my problem.
Ok, I see.
In that case, first get the current list, then add the user and then call the method.
$HostAccess = Get-View -Id $vmhost.ExtensionData.ConfigManager.HostAccessManager
$currentUsers = $HostAccess.QueryLockdownExceptions()   # read the existing exception users first
$newUsers = $currentUsers + $username                   # append the new account to that list
$HostAccess.UpdateLockdownExceptions($newUsers)         # write back the combined list
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
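As an added example (my own code, not LucD's or the original poster's), the function below wraps the read/append/write sequence from the answer above so it can be run against every host without losing existing exception users: it skips accounts that are already on the list, copes with an empty list (QueryLockdownExceptions() can return nothing), supports -WhatIf, and reads the list back afterwards so a dropped account is visible. It assumes the VMware.PowerCLI module and an existing Connect-VIServer session to vCenter; the function name, parameter names and output object are hypothetical, not PowerCLI cmdlets.

```powershell
# Added example: idempotently add accounts to a host's lockdown exception list.
# Assumes an active Connect-VIServer session; the function/parameter names are my own.
function Add-LockdownExceptionUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # A VMHost object as returned by Get-VMHost (accepted from the pipeline)
        [Parameter(Mandatory, ValueFromPipeline)]
        $VMHost,
        # One or more account names that must be exception users on the host
        [Parameter(Mandatory)]
        [string[]]$Account
    )
    process {
        $hostAccess = Get-View -Id $VMHost.ExtensionData.ConfigManager.HostAccessManager

        # The current list may come back empty/$null; force it into a string array so the
        # comparisons and the later concatenation behave the same either way.
        [string[]]$current = @($hostAccess.QueryLockdownExceptions())

        # UpdateLockdownExceptions() sets the whole list, so the array we write must contain
        # every account that should stay excepted plus only the ones not already present.
        $missing = @($Account | Where-Object { $current -notcontains $_ })
        if ($missing.Count -eq 0) {
            Write-Verbose "$($VMHost.Name): all requested accounts are already exception users"
            return
        }
        [string[]]$desired = $current + $missing

        if ($PSCmdlet.ShouldProcess($VMHost.Name, "set lockdown exceptions to: $($desired -join ', ')")) {
            $hostAccess.UpdateLockdownExceptions($desired)

            # Read the list back and flag anything from the original list that is no longer there.
            [string[]]$after = @($hostAccess.QueryLockdownExceptions())
            $lost = @($current | Where-Object { $after -notcontains $_ })
            if ($lost.Count -gt 0) {
                Write-Warning "$($VMHost.Name): exception users dropped: $($lost -join ', ')"
            }

            # Hypothetical output shape: before/after lists per host for the onboarding log
            [pscustomobject]@{
                VMHost = $VMHost.Name
                Before = $current
                Added  = $missing
                After  = $after
            }
        }
    }
}

# Usage in the poster's second script, replacing the bare UpdateLockdownExceptions($username) call:
#   Get-VMHost | Add-LockdownExceptionUser -Account $username -Verbose
# Dry run first to see what each host's list would become:
#   Get-VMHost | Add-LockdownExceptionUser -Account $username -WhatIf
```

Because the method replaces the list rather than appending to it, the read-back check is the part worth keeping in any automation: a mistake in building $desired would silently remove an account that a human relies on to reach the host while lockdown mode is enabled.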
