VMware Cloud Community
Pb981
Contributor

Host user add, custom UID&GID and role assignment

Hello community,

I have this commitment

Environment: Multiple vCenters from 4.1 to 6.5

Requests:

  • Create 2 new host users
  • Give them a custom UID and GID
  • Assign them the Administrator role
  • Shell access

Until now I know I can create users on multiple hosts with New-VMHostAccount using PowerCLI, I can change the UID with the ssh command /usr/lib/vmware/auth/bin/chuid, and assign them the Administrator role via the vSphere Client.

It seems there is no way to do all of it using only PowerCLI, and it seems there is no way at all to change the GID for 5.1 and above.

Please prove me wrong (I am sure I am...)

Thanks

Fabio

LucD
Leadership

You are right, local groups are abolished since 5.1.

You can give a new user the required rights by using the role.

Note that you need to connect to the ESXi node to use New-VMHostAccount for ESXi users.

Also note that the root folder has had different names in different ESXi versions (in 6.7 it is 'root').
Doing this for 2 user accounts is trivial, I assume.

    # Connect directly to the ESXi host ($esxName and $pswd are set by the caller)
    $esxSrv = Connect-VIServer -Server $esxName -User root -Password $pswd

    # Create the local account with shell access
    $user = New-VMHostAccount -Server $esxSrv -Id testuser1 -Password 'VMware1!' -UserAccount -GrantShellAccess

    # Fetch the root folder and the role as objects
    $rootFolder = Get-Folder -Name root -Server $esxSrv
    $role = Get-VIRole -Name Admin -Server $esxSrv

    # Grant the role to the new account on the root folder
    New-VIPermission -Entity $rootFolder -Principal $user -Role $role

    Disconnect-VIServer -Server $esxSrv -Confirm:$false


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Pb981
Contributor

Thanks LucD, is there a way to integrate the UID assignment or do I have to treat it as a different task?

Fabio

LucD
Leadership

No, not with the PowerCLI cmdlet, nor with any of the ESXi commands (like esxcli, vicfg-user...).
The concept of a uid for an ESXi user is abandoned after ESXi 5.1 afaik.


You can go in the /etc/passwd file and change the value there, but I suspect it has no use and might be overwritten after a reboot.


Pb981
Contributor

Hello LucD

I managed to run it for multiple hosts, OK for user creation, but I still have issues with role assignment

This is what I'm using right now

    $esxSrv="HOST2","HOST2"
    Foreach ($esxSrv In $esxSrv)
    {
        Connect-VIServer -Server $esxSrv -User root -Password @@@@
        $user = New-VMHostAccount -Server $esxSrv -Id testuser2 -Password VMware1! -UserAccount -GrantShellAccess
        $rootFolder = Get-Folder -Name root -Server $esxSrv
        $role = Get-VIRole -Name Admin -Server $esxSrv
        New-VIPermission -Role Admin -Principal testuser2 -Entity $rootFolder
        Disconnect-VIServer -Server $esxSrv -Confirm:$false
    }

I have this error

pastedImage_10.png

I tried using ha-folder-root as the root folder, but I got this instead

pastedImage_13.png

Checked with Get-VIAccount and I get

pastedImage_17.png

What am I missing?

Thanks :)

LucD
Leadership

When you are connected to an ESXi node, you need to give the permission on the 'root' folder.

But they changed the name of the 'root' folder in recent ESXi versions.

It could be 'ha-root-folder' instead of 'root'.

Connect to an ESXi node and do a Get-Folder, you should see what the name is in the ESXi version you are using.


Pb981
Contributor

I already tried it; maybe you missed it in the other post. This is the output of that single command.

pastedImage_2.png

I think I am missing some stupid thing. I am sorry, but my PowerCLI expertise is quite low.

LucD
Leadership

Can you show the output of the Get-Folder cmdlet, not the Get-VIAccount?


Pb981
Contributor

Sure

pastedImage_0.png

LucD
Leadership
Accepted Solution

As I tried to explain before, the name of the 'root' folder has changed in the different ESXi versions.

In your case you will need to use ha-root-folder instead of root.

The script should be

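    # Connect directly to the ESXi host ($esxName and $pswd are set by the caller)
    $esxSrv = Connect-VIServer -Server $esxName -User root -Password $pswd

    # Create the local account with shell access
    $user = New-VMHostAccount -Server $esxSrv -Id testuser1 -Password 'VMware1!' -UserAccount -GrantShellAccess

    # Fetch the root folder and the role as objects
    $rootFolder = Get-Folder -Name ha-folder-root -Server $esxSrv
    $role = Get-VIRole -Name Admin -Server $esxSrv

    # Grant the role to the new account on the root folder
    New-VIPermission -Entity $rootFolder -Principal $user -Role $role

    Disconnect-VIServer -Server $esxSrv -Confirm:$false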


Pb981
Contributor

Sorry LucD, but that is exactly what I did if you look at the screens :)

LucD
Leadership

It looks like you are connected to multiple servers.

Check what is in $global:defaultVIServers, and make sure there are no connections open before you run the script.


Pb981
Contributor

pastedImage_0.png

Maybe something in the syntax?

New-VIPermission -Entity ha-folder-root -Role Admin -Principal testuser

LucD
Leadership

No, you are not doing what I provided.
You have to get the folder in a variable and the role as well.


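The points raised across this thread (no stale connections, a root folder name that varies by ESXi version, folder and role passed as objects) combined into one multi-host loop. This is an added example, not code posted by any participant; the host names and account name are constructed placeholders, and it assumes the PowerCLI module is already loaded.

```powershell
# Added example. Host names and the account name are constructed placeholders.
$esxHosts = 'esx01.example.test', 'esx02.example.test'
$newId    = 'testuser1'

# Prompt for secrets instead of embedding them in the script or shell history.
$rootCred = Get-Credential -UserName root -Message 'ESXi root credential'
$newCred  = Get-Credential -UserName $newId -Message 'Password for the new account'

# Stale sessions make cmdlets resolve objects against the wrong server.
if ($global:DefaultVIServers.Count -gt 0) {
    throw "Close existing connections first: $($global:DefaultVIServers.Name -join ', ')"
}

foreach ($esxName in $esxHosts) {
    $conn = Connect-VIServer -Server $esxName -Credential $rootCred -ErrorAction Stop
    try {
        # The root folder name differs by ESXi version; try the names seen in the thread.
        $rootFolder = Get-Folder -Name 'ha-folder-root', 'root' -Server $conn -ErrorAction SilentlyContinue |
            Select-Object -First 1
        if (-not $rootFolder) { throw "No root folder found on $esxName; run Get-Folder to list names." }

        $role = Get-VIRole -Name Admin -Server $conn -ErrorAction Stop

        # New-VMHostAccount takes the password as a string, so unwrap it only here.
        $user = New-VMHostAccount -Server $conn -Id $newId -UserAccount -GrantShellAccess `
            -Password $newCred.GetNetworkCredential().Password -ErrorAction Stop

        # Pass the objects, not bare names, so entity and principal resolve on this host.
        New-VIPermission -Server $conn -Entity $rootFolder -Principal $user -Role $role -ErrorAction Stop |
            Out-Null

        # Read the permission back so the grant is confirmed per host.
        Get-VIPermission -Server $conn -Entity $rootFolder -Principal $user |
            Select-Object @{N = 'Host'; E = { $esxName }}, Principal, Role, Propagate
    }
    finally {
        # Always close the session so the next host starts from a clean state.
        Disconnect-VIServer -Server $conn -Confirm:$false
    }
}
```

Each pass emits one row per host showing the principal and role actually stored, which gives a record to audit, since every account created this way holds both shell access and the Admin role.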