Re: How to retrieve group membership from PowerCLI...

SweetJ21 · ‎04-17-2014

It seems like a pretty simple thing to look for, I just want an export saying Group A has these members, Group B has these members, etc.

I haven't been able to figure it out, but I am just starting out with PowerCLI.

I can get a list of all users or all groups easily enough with Get-VIAccount, but I don't know how to view the relationship between them.

(edit) Just to clarify, this is without using any AD or LDAP. The local account database for Vcenter.

LucD · ‎04-17-2014

Are you referring to the local groups on the vCenter server ?

Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference

SweetJ21 · ‎04-22-2014

Yes, the local groups on the vCenter.

byroniwett · ‎12-28-2018

I, too, have come to a dead end in my search for such a solution. Have you found a solution?

I want to get a list of al the members of the various vsphere.local groups using PowerCLI.

I can get the groups, but cannot figure out how to get the members.

get-viaccount -Group -domain vsphere.local | ft -a

Help...!

byroniwett · ‎12-28-2018

I, too, have come to a dead end in my search for such a solution. Have you found a solution?

I want to get a list of al the members of the various vsphere.local groups using PowerCLI.

I can get the groups, but cannot figure out how to get the members.

get-viaccount -Group -domain vsphere.local | ft -a

Help...!

LucD · ‎12-28-2018

No public API for SSO I'm afraid, but you can call the dir-cli command via a SSH session to the VCSA.
You will need to have the Posh-Ssh module installed, and SSH on your VCSA needs to be enabled.

You can do something like this

#requires -Modules posh-ssh

$user = 'root'

$pswd = 'VMware1!'

$ssoDomain = 'vsphere.local'

$vcsaName = ([uri]$global:DefaultVIServer.ServiceUri).Host

$pswdSec = ConvertTo-SecureString -String $pswd -AsPlainText -Force

$cred = New-Object System.Management.Automation.PSCredential($User,$pswdSec)

$cmd = '/usr/lib/vmware-vmafd/bin/dir-cli group list --name $groupName --password $pswd'

$ssh = New-SSHSession -ComputerName $vcsaName -Credential $cred -AcceptKey -KeepAliveInterval 5

Get-VIAccount -Group -Domain $ssoDomain |

ForEach-Object -Process {

$groupName = $_.Id

$groupCmd = $ExecutionContext.InvokeCommand.ExpandString($cmd)

$out = Invoke-SSHCommand -SessionId $ssh.SessionId -Command $groupCmd -TimeOut 30

$out.Output.Split("`r") |

Select @{N='Group';E={$groupName}},

@{N='User';E={$_.Split(',')[0] -replace 'CN=',''}}

}

Remove-SSHSession -SessionId $ssh.SessionId | Out-Null

Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference

tkdreamer2 · ‎02-21-2019

Hi Luc

With the current PowerCLI version, is it possible now?

Unfortunatelly I'm running vSphere 6.0 with Windows vCenter Server...

LucD · ‎02-21-2019

I'm afraid not.

Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference

tkdreamer2 · ‎02-22-2019

VMware has to work on it 😉
Than you

LucD · ‎02-22-2019

The basic issue is that there is no public API.

Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference

sbeaver · ‎05-09-2019

Is there anyway to remove stale AD users from a local group? Long story short I had to rejoin an appliance to AD and discovered this...

root@server [ /opt/likewise/bin ]# /usr/lib/vmware-vmafd/bin/dir-cli group list --name 'Administrators'

Enter password for administrator@vsphere.local:

cn=Administrator,cn=Users,dc=vsphere,dc=local

CN=machine-eff691c0-6076-430f-9767-a187a117e387,CN=ServicePrincipals,DC=vsphere,DC=local

CN=vsphere-webclient-eff691c0-6076-430f-9767-a187a117e387,CN=ServicePrincipals,DC=vsphere,DC=local

externalObjectId=S-1-5-21-1271409858-1095883707-2794662393-94424866

externalObjectId=S-1-5-21-1271409858-1095883707-2794662393-1094482

externalObjectId=S-1-5-21-1271409858-1095883707-2794662393-5099061

externalObjectId=S-1-5-21-1271409858-1095883707-2794662393-91825835

externalObjectId=S-1-5-21-1271409858-1095883707-2794662393-26371790

externalObjectId=S-1-5-21-1271409858-1095883707-2794662393-556046

Steve Beaver
VMware Communities User Moderator
VMware vExpert 2009 - 2020
VMware NSX vExpert - 2019 - 2020
====
Co-Author of "VMware ESX Essentials in the Virtual Data Center"
(ISBN:1420070274) from Auerbach
Come check out my blog: [www.virtualizationpractice.com/blog|http://www.virtualizationpractice.com/blog/]
Come follow me on twitter http://www.twitter.com/sbeaver

**The Cloud is a journey, not a project.**

LucD · ‎05-09-2019

I'm afraid not (afaik).
The dir-cli command only seems to allow to add users to a group.

Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference

sbeaver · ‎05-10-2019

I have a date with support today when I get onsite so I will get to find out a method today. Hope all with well Luc!

Cheers!

Steve Beaver
VMware Communities User Moderator
VMware vExpert 2009 - 2020
VMware NSX vExpert - 2019 - 2020
====
Co-Author of "VMware ESX Essentials in the Virtual Data Center"
(ISBN:1420070274) from Auerbach
Come check out my blog: [www.virtualizationpractice.com/blog|http://www.virtualizationpractice.com/blog/]
Come follow me on twitter http://www.twitter.com/sbeaver

**The Cloud is a journey, not a project.**

All

How to retrieve group membership from PowerCLI?