Hi,
I wish to add host permission for a specific AD account to around 100 ESXi hosts.
I was able to add the permission for a single host.
Connect-VIServer ESXihostname
New-VIPermission -Role Role -Principal ADAccountname -Entity ESXhostname
Disconnect-VIServer ESXihostname
Now I need to execute this in a loop for 100 servers.
Please help.
Try something like this
Get-VMHost | %{
    Connect-VIServer -Server $_
    New-VIPermission -Role Role -Principal ADAccountname -Entity $_
    Disconnect-VIServer -Server $_ -Confirm:$false
}
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Thanks LucD..
I did something like this...
$vms = get-content servers.txt
foreach ($vm in $vms ) {
    Write-host "Connecting to" $vm
    Connect-VIServer $vm
    New-VIPermission -Role Readonly -Principal ADaccountname -Entity $vm
}
but I get this error message..
However, the ADaccountname is available and I am able to give the permission by logging in to the ESXi server via the vSphere Client directly.
=====================================
New-VIPermission : 4/8/2015 5:57:03 AM New-VIPermission Could not find VIAccount with name
'ADaccountname '.
At C:\Temp\xxx\ADpermission.ps1:6 char:1
+ New-VIPermission -Role Readonly -Principal ADaccountname -Entity $vm
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (ADaccountname :String) [New-VIPermission], VimException
+ FullyQualifiedErrorId : Core_ObnSelector_SelectObjectByNameCore_ObjectNotFound,VMware.VimAutomation.ViCore.Cmdle
ts.Commands.PermissionManagement.NewVIPermission
New-VIPermission : 4/8/2015 5:57:03 AM New-VIPermission Value cannot be found for the mandatory parameter
Principal
At C:\Temp\xxx\ADpermission.ps1:6 char:1
+ New-VIPermission -Role Readonly -Principal ADaccountname -Entity $vm
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-VIPermission], VimException
+ FullyQualifiedErrorId : Core_BaseCmdlet_UnknownError,VMware.VimAutomation.ViCore.Cmdlets.Commands.PermissionMana
gement.NewVIPermission
====================================
Did you do all the steps as documented in "Joining ESXi hosts to a domain and granting permissions with PowerCLI"?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Hi LucD,
This host is already added to the domain, and the account which I use to run this script has full access to the ESXi server.
Is this what you are looking for, or is it something different?
No, the post shows how to use the Get-VIAccount cmdlet, and how the returned object can later be used in the New-VIPermission cmdlet.
Does the Get-VIAccount cmdlet return the principal correctly?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
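The Get-VIAccount check suggested above, turned into a per-host loop that records which hosts cannot resolve the principal instead of failing inside New-VIPermission. This is an added example, not code from any poster in this thread; servers.txt, the domain, the account name and the role are placeholder assumptions.

```powershell
# Added example: the file name, domain, account and role below are placeholders.
$hostList = Get-Content -Path '.\servers.txt'   # one ESXi host name per line
$domain   = 'EXAMPLE'                           # placeholder AD domain
$account  = 'svc-monitor'                       # placeholder AD user
$roleName = 'ReadOnly'                          # least-privilege built-in role
$cred     = Get-Credential -Message 'ESXi administrator credentials'

$results = foreach ($name in $hostList) {
    $row  = [pscustomobject]@{ Host = $name; Status = ''; Detail = '' }
    $conn = $null
    try {
        $conn = Connect-VIServer -Server $name -Credential $cred -ErrorAction Stop

        # Ask this host to resolve the AD principal before granting anything.
        # A host that cannot look up the account returns nothing here.
        $principal = Get-VIAccount -Server $conn -Domain $domain -User -Id $account `
                         -ErrorAction SilentlyContinue | Select-Object -First 1

        if (-not $principal) {
            $row.Status = 'PrincipalNotFound'
            $row.Detail = "Host could not resolve $domain\$account"
        }
        else {
            $esx  = Get-VMHost -Server $conn
            $role = Get-VIRole -Server $conn -Name $roleName -ErrorAction Stop
            New-VIPermission -Server $conn -Entity $esx -Principal $principal `
                -Role $role -Propagate:$true -ErrorAction Stop | Out-Null
            $row.Status = 'Granted'
        }
    }
    catch {
        # Connection or permission failure: keep the message for the report.
        $row.Status = 'Error'
        $row.Detail = $_.Exception.Message
    }
    finally {
        # Never leave an authenticated session open to the host.
        if ($conn) { Disconnect-VIServer -Server $conn -Confirm:$false }
    }
    $row
}

# Hosts that need follow-up (domain join, DNS, trust) are listed first.
$results | Sort-Object Status -Descending | Format-Table -AutoSize
```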
No LucD, I am not able to get the output, only the error below.
=-==================================
PowerCLI C:\Temp\xxxx> Get-VIAccount -Domain xxx.com -User -Id ADaccount
Get-VIAccount : 4/8/2015 10:16:30 AM Get-VIAccount VIAccount with id
'ADaccount' was not found using the specified filter(s).
At line:1 char:1
+ Get-VIAccount -Domain xxx.com -User -Id ADaccount
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (:) [Get-VIAccount], VimExceptio
n
+ FullyQualifiedErrorId : Core_OutputHelper_WriteNotFoundError,VMware.VimA
utomation.ViCore.Cmdlets.Commands.PermissionManagement.GetVIAccount
=================================
But I executed the same cmd in another domain of ours and I got the output.
Not sure what the issue is.
Can you try with the SDK method?
$esxName = 'MyEsx'
$adName = 'domain\user'
$roleName = 'Admin'
$esx = Get-VMHost -Name $esxName
$authmgr = Get-View $esx.ExtensionData.Client.ServiceContent.AuthorizationManager
$perm = New-Object VMware.VIM.Permission
$perm.Principal = $adName
$perm.group = $false
$perm.propagate = $true
$perm.RoleId = $authmgr.RoleList | where {$_.Name -eq $roleName} | Select -ExpandProperty RoleId
$authmgr.SetEntityPermissions($esx.ExtensionData.MoRef,$perm)
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Hi LucD,
This is the error message I get if I execute the script.
Please advise.
======================================================
Exception calling "SetEntityPermissions" with "2" argument(s): "A specified
parameter was not correct.
entity"
At C:\Temp\xxx\adwmi.ps1:14 char:1
+ $authmgr.SetEntityPermissions($esx.ExtensionData.MoRef,$perm)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : VimException
========================================================
I just tested again, and that seems to work for me without any issue.
I would need to see more information on how you called the function.
Which versions (ESXi, PowerShell) are you using?
Are you connected to a vCenter or an ESXi?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
I am connecting to the ESXi server.
I think this is not an issue with the script, as I am able to use this script and add the permission successfully on ESXi servers residing in different domains, but I am unable to do so in one domain.
The command is unable to fetch that particular account from the domain.
Thanks a lot LucD!!!!