For every host in my vCenter inventory, I would like to create a new user "ops" and assign it the role of "administrator". Effectively, I want to create an administrative alternative to the root account.
Is this possible with PowerCLI? Hosts are all ESXi 5.1.
You need to be connected to an ESXi host to be able to create an account.
Start the script while connected to a vCenter; this will get all your ESXi servers.
foreach($esx in Get-VMHost){
    Connect-VIServer -Server $esx -Credential $cred
    New-VMHostAccount -Id newaccount -Password password -UserAccount -GrantShellAccess
    Disconnect-VIServer -Server $esx
}
The $cred variable shall contain a PSCredential object that holds a root account for that ESXi server.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
What actually grants the new user the local role of "administrator"?
You can assign the "admin" role to the newly created account like this:
foreach($esx in Get-VMHost){
    Connect-VIServer -Server $esx -Credential $cred
    $account = New-VMHostAccount -Id newaccount -Password password -UserAccount -GrantShellAccess
    New-VIPermission -Entity $esx -Principal $account -Role admin
    Disconnect-VIServer -Server $esx
}
Hi,
When I modify this script to run against a single host (i.e. set the $esx variable to a single host and eliminate the for loop) it works fine...
When I run it against my vCenter, with the for loop... I get several errors:
New-VIPermission : 11/14/2013 4:51:55 PM New-VIPermission One or
more objects are specified by name. There is no server list explicitly
specified, so an attempt was made to determine a single server by the managed
objects passed to the cmdlet as arguments. However the arguments come from
more than one server which makes it impossible to unambiguously select single
server.
+ New-VIPermission -Entity $esx -Principal $account -Role admin
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidResult: (System.Collecti...1.VIConnection
]:List`1) [New-VIPermission], ViServerConnectionException
+ FullyQualifiedErrorId : Core_ObnSelector_GetClientListFromCmdletParamete
rs_AmbiguousServer,VMware.VimAutomation.ViCore.Cmdlets.Commands.Permission
Management.NewVIPermission
New-VIPermission : 11/14/2013 4:51:56 PM New-VIPermission Value
cannot be found for the mandatory parameter Role
Disconnect-VIServer : Cannot bind parameter 'Server'. Cannot convert the
"was my server name" value of type
"VMware.VimAutomation.ViCore.Impl.V1.Inventory.VMHostImpl" to type
"VMware.VimAutomation.ViCore.Types.V1.VIServer".
Here is the quick sample of what I am doing:
connect-viserver myserver
foreach($esx in Get-VMHost){
    Connect-VIServer -Server $esx -User root -Password mypw
    $account = New-VMHostAccount -Id userhere -Password pwhere -UserAccount -GrantShellAccess
    New-VIPermission -Entity $esx -Principal $account -Role admin
    Disconnect-VIServer -Server $esx
}
Are you perhaps running in Multiple mode?
Check with
Get-PowerCLIConfiguration
PS: there was a typo in the code, it said $esxc instead of $esx in some lines.
I corrected that.
Hey Luc,
Yeah, I had caught the esx vs esxc thing, no worries.
I was set for multiple default servers, but a change to single produces the same errors.
Try adding the Server parameter, like this:
Connect-VIServer myserver
foreach($esx in Get-VMHost){
    $srv = Connect-VIServer -Server $esx -User root -Password mypw
    $account = New-VMHostAccount -Id userhere -Password pwhere -UserAccount -GrantShellAccess -Server $srv
    New-VIPermission -Entity $esx -Principal $account -Role admin -Server $srv
    Disconnect-VIServer -Server $srv -Confirm:$false
}
OK I tried this, but got a new error... "The specified role is from a different server".
Then I modified the line "New-VIpermission -Entity $esx" to be "-Entity $srv" and got the same error I was getting previously.
Thanks for your help, I'll keep troubleshooting.
FWIW - the account gets created fine... the issues are all with assigning the role.
Hey Luc, any other ideas? I am completely stuck.
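Added example, not part of the thread and not any poster's code: one way to write the loop so that the role and the entity are both resolved on the direct host connection, with passwords taken from `Get-Credential` prompts instead of literals in the script. That resolving them there addresses the "role is from a different server" error is an assumption; the function name `Add-HostAdminAccount` and the vCenter name are hypothetical.

```powershell
# Added example. 'vcenter.example.local' and the function name are placeholders.
function Add-HostAdminAccount {
    param(
        [Parameter(Mandatory = $true)] $VMHost,
        [Parameter(Mandatory = $true)] [System.Management.Automation.PSCredential] $RootCredential,
        [Parameter(Mandatory = $true)] [System.Management.Automation.PSCredential] $NewAccount
    )
    # -NotDefault keeps the host session out of $DefaultVIServers, so cmdlets
    # called without -Server never pick it up by accident.
    $srv = Connect-VIServer -Server $VMHost.Name -Credential $RootCredential -NotDefault
    try {
        # Drop -GrantShellAccess if the account does not need shell login.
        $account = New-VMHostAccount -Id $NewAccount.UserName `
            -Password $NewAccount.GetNetworkCredential().Password `
            -UserAccount -GrantShellAccess -Server $srv

        # Assumption: resolve role and entity on the host session so that every
        # object handed to New-VIPermission belongs to the same server.
        $role   = Get-VIRole -Name Admin -Server $srv
        $entity = Get-VMHost -Server $srv
        New-VIPermission -Entity $entity -Principal $account -Role $role -Server $srv | Out-Null

        # Read the permission back so each host leaves a record to review.
        Get-VIPermission -Entity $entity -Principal $account -Server $srv |
            Select-Object @{ N = 'Host'; E = { $VMHost.Name } }, Principal, Role, Propagate
    }
    finally {
        # Always close the root session, even when a step above fails.
        Disconnect-VIServer -Server $srv -Confirm:$false
    }
}

$vc       = Connect-VIServer -Server 'vcenter.example.local'
$rootCred = Get-Credential    # prompt: ESXi root account
$opsCred  = Get-Credential    # prompt: new account, e.g. user name 'ops'
foreach ($esx in Get-VMHost -Server $vc) {
    Add-HostAdminAccount -VMHost $esx -RootCredential $rootCred -NewAccount $opsCred
}
Disconnect-VIServer -Server $vc -Confirm:$false
```

The rows returned per host give a list of where the account now holds the Admin role, which can be kept as the audit trail for the change.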