VMware Cloud Community
mellvin

Need powercli script to create a new local admin account on all ESX and ESXi hosts in the vcenter

Hi All,

If anyone can help me with a PowerCLI script to create a new local admin account on all ESX and ESXi hosts in the vCenter, create a new role called admin and provide all access except root. This should be across a virtual center.

Much appreciated for the help.

Regards,

Mellvin

LucD

Not sure what you mean with "...all access except root".

You might want to have a look at Re: ESXi Local user Update or Add which is something similar to what you want I guess.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

mellvin

Hi Luc,

Thanks for your reply Luc.

I am using ESXi 5.0. I am successfully able to create a new account using the above script. But this account is added to "users" default group. I want a new group created named "admin" and provide this account access to esxi through vsphere client and basic SSH access. Can this be done?

LucD

I see, then you would first need to test if the group "Admin" exists, and if not create it (following the same Try-Catch logic as for the user).

With the New-VMHostAccount you can also create a group, by using the GroupAccount switch.

Let me know if you need some help in adapting the script that way?


mellvin

Hi Luc,

In some hosts I am able to see the admin group, in some I am not. Please help me in adapting the try-catch logic and provide the script.

Thank you so much for the help.

regards,

Mellvin

LucD

Try something like this

$groupName = "group"
$accountName = "user"
$accountPswd = "password"
$accountDescription = "A user"

$esxlist = Get-VMHost
foreach($esx in $esxlist){
    # Connect directly to the ESXi host as root
    Connect-VIServer -Server $esx -User root -Password "password"

    # Create the local group if it does not exist yet
    Try {
        Get-VMHostAccount -Id $groupName -Group -ErrorAction Stop | Out-Null
    }
    Catch {
        New-VMHostAccount -Id $groupName -GroupAccount | Out-Null
    }

    $rootFolder = Get-Folder -Name ha-folder-root

    # Update the account if it exists, otherwise create it
    Try {
        Get-VMHostAccount -Id $accountName -ErrorAction Stop |
        Set-VMHostAccount -Password $accountPswd -Description $accountDescription -AssignGroups $groupName | Out-Null
    }
    Catch {
        New-VMHostAccount -Id $accountName -Password $accountPswd -Description $accountDescription -UserAccount -GrantShellAccess -AssignGroups $groupName | Out-Null
    }

    Disconnect-VIServer -Confirm:$false
}


LucD

I suspect you posted your question to the wrong thread :smileygrin:

That requires just a minor change to the previous script in fact.

Something like this

$groupName = "group"
$accountName = "user"
$accountPswd = "password"
$accountDescription = "A user"

$esxlist = Get-VMHost
foreach($esx in $esxlist){
    # Connect directly to the ESXi host as root
    Connect-VIServer -Server $esx -User root -Password "password"

    # Create the local group if it does not exist yet
    Try {
        Get-VMHostAccount -Id $groupName -Group -ErrorAction Stop | Out-Null
    }
    Catch {
        New-VMHostAccount -Id $groupName -GroupAccount | Out-Null
    }

    $rootFolder = Get-Folder -Name ha-folder-root

    # Update the account if it exists, otherwise create it; keep the result for the permission
    Try {
        $account = Get-VMHostAccount -Id $accountName -ErrorAction Stop |
        Set-VMHostAccount -Password $accountPswd -Description $accountDescription -AssignGroups $groupName
    }
    Catch {
        $account = New-VMHostAccount -Id $accountName -Password $accountPswd -Description $accountDescription -UserAccount -GrantShellAccess -AssignGroups $groupName
    }

    # Grant the admin role to the account on the host's root folder
    $rootFolder = Get-Folder -Name ha-folder-root
    New-VIPermission -Entity $rootFolder -Principal $account -Role admin

    Disconnect-VIServer -Confirm:$false
}


mellvin

Hi Luc,

Sorry for the wrong thread. The script is not able to add the administrator role to the group created. I am getting the following error:

New-VIPermission : Cannot validate argument on parameter 'Principal'. The argument is null or empty. Supply an argument that is not null or empty and then try the command again.
At C:\users\ramchi\desktop\create.ps1:27 char:52
+     New-VIPermission -Entity $rootFolder -Principal <<<<  $account -Role admin
    + CategoryInfo          : InvalidData: (:) [New-VIPermission], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,VMware.VimAutomation.ViCore.Cmdlets.Commands.PermissionManagement.NewVIPermission

Disconnect-VIServer : 2/12/2014 6:49:31 AM    Disconnect-VIServer        PowerCLI is currently connected to more than one servers. Specify which server you want to disconnect or use the "*" wildcard to disconnect all.

LucD

The error seems to indicate that the $account variable is empty.

Did the account already exist on that ESXi ?

If not, was the account (and group) created ?

Can you eventually do a test with a single ESXi, where you could test the different configurations

  • group & account do not exist
  • group exists & account does not exist
  • group doesn't exist & account exists
  • group & account exist


mellvin

I deleted the already created account and ran this script. Account is getting created and also the new group. Account is added to the group. But permissions to add the account/group to administrator role is not getting created

mellvin

Capture.JPG

my account name is not coming up here

LucD

Did you do a refresh on that page ?


mellvin

Yes I did. No luck. How do I run this against a particular host? Actually, I am running in a test environment to check the script, where my root password will work only on one host and the remaining hosts have different root passwords.

LucD

Change this line

$esxlist = Get-VMHost

to

$esxlist = Get-VMHost -Name MyEsx



mellvin

Finally, it is working on that ESX host now. Thanks a lot for your effort on this. I am always your PowerCLI fan.

Will it work on my production vcenter? I hope those errors were due to bad root password attempts in other esx hosts.

Regards,

Raj Mellvin

mellvin

and I think principal entity is getting more than one value if we run in that loop and was not able to add to admin role

mellvin

Hi Luc,

When I give $esxlist = Get-VMHost -Name MyEsx it is working. But it is not working with $esxlist = Get-VMHost. I think it is a looping problem; it says not connected to the ESX host.

Error

Connect-VIServer : 2/14/2014 9:18:45 AM    Connect-VIServer        Cannot complete login due to an incorrect user name or password.
At C:\users\ramchi\desktop\create.ps1:8 char:21
+     Connect-VIServer <<<<  -Server $esx -User root -Password "XXX"
    + CategoryInfo          : NotSpecified: (:) [Connect-VIServer], InvalidLogin
    + FullyQualifiedErrorId : Client20_ConnectivityServiceImpl_Reconnect_Exception,VMware.VimAutomation.ViCore.Cmdlets.Commands.ConnectVIServer

New-VMHostAccount : 2/14/2014 9:18:45 AM    New-VMHostAccount        Local group accounts are not supported since ESX version 5.1
At C:\users\ramchi\desktop\create.ps1:14 char:24
+       New-VMHostAccount <<<<  -Id $groupName -GroupAccount | Out-Null
    + CategoryInfo          : InvalidOperation: (:) [New-VMHostAccount], VimException
    + FullyQualifiedErrorId : Client20_SystemManagementServiceImpl_TryValidateEsxVersionSupportsGroups_Failed,VMware.VimAutomation.ViCore.Cmdlets.Commands.Host.NewVMHostAccount

Get-Folder : 2/14/2014 9:18:45 AM    Get-Folder        Folder with name 'ha-folder-root' was not found using the specified filter(s).
At C:\users\ramchi\desktop\create.ps1:17 char:29
+     $rootFolder = Get-Folder <<<<  -Name ha-folder-root
    + CategoryInfo          : ObjectNotFound: (:) [Get-Folder], VimException
    + FullyQualifiedErrorId : Core_OutputHelper_WriteNotFoundError,VMware.VimAutomation.ViCore.Cmdlets.Commands.GetFolder

New-VMHostAccount : 2/14/2014 9:18:45 AM    New-VMHostAccount        Local group accounts are not supported since ESX version 5.1
At C:\users\ramchi\desktop\create.ps1:23 char:37
+         $account = New-VMHostAccount <<<<  -Id $accountName -Password $accountPswd -Description $accountDescription -UserAccount -GrantShellAccess -AssignGroups $groupName
    + CategoryInfo          : InvalidOperation: (:) [New-VMHostAccount], VimException
    + FullyQualifiedErrorId : Client20_SystemManagementServiceImpl_TryValidateEsxVersionSupportsGroups_Failed,VMware.VimAutomation.ViCore.Cmdlets.Commands.Host.NewVMHostAccount

Get-Folder : 2/14/2014 9:18:45 AM    Get-Folder        Folder with name 'ha-folder-root' was not found using the specified filter(s).
At C:\users\ramchi\desktop\create.ps1:26 char:29
+     $rootFolder = Get-Folder <<<<  -Name ha-folder-root
    + CategoryInfo          : ObjectNotFound: (:) [Get-Folder], VimException
    + FullyQualifiedErrorId : Core_OutputHelper_WriteNotFoundError,VMware.VimAutomation.ViCore.Cmdlets.Commands.GetFolder

New-VIPermission : Cannot validate argument on parameter 'Entity'. The argument

kunaludapi

The first line is reporting an authentication issue. Try with the correct username and password.

Connect-VIServer : 2/14/2014 9:18:45 AM    Connect-VIServer        Cannot complete login due to an incorrect user name or password.
At C:\users\ramchi\desktop\create.ps1:8 char:21
+     Connect-VIServer <<<<  -Server $esx -User root -Password "XXX"
    + CategoryInfo          : NotSpecified: (:) [Connect-VIServer], InvalidLogin
    + FullyQualifiedErrorId : Client20_ConnectivityServiceImpl_Reconnect_Exception,VMware.VimAutomation.ViCore.Cmdlets.Commands.ConnectVIServer

--------------------------------------------------------------- Kunal Udapi Sr. System Architect (Virtualization, Networking And Storage) http://vcloud-lab.com http://kunaludapi.blogspot.com VMWare vExpert 2014, 2015, 2016 If you found this or other information useful, please consider awarding points for "Correct" or "Helpful".
LucD

I suspect the root password is not correct on some of the ESXi servers.


mellvin

You are right Luc. Some of the esx hosts have different esx root passwords.

It is working in 5.0. But 5.1 is not supporting adding groups to permissions. So need to add only accounts to permissions.

0 Kudos
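
Added example (not part of the thread and not LucD's script): a PowerCLI function that folds in what the thread ran into by scoping every call to one host connection, prompting for credentials instead of embedding passwords, granting the role to the account rather than to a local group (which 5.1 rejects), and returning a per-host result so a wrong root password on one host is visible. The function name `Add-EsxLocalAdmin` and its parameter names are assumptions made for this example.

```powershell
# Added example. Add-EsxLocalAdmin and its parameter names are illustrative.
function Add-EsxLocalAdmin {
    param(
        [Parameter(Mandatory)] [string[]]     $HostName,        # ESXi hosts to process
        [Parameter(Mandatory)] [pscredential] $RootCredential,  # prompted, not hard-coded
        [Parameter(Mandatory)] [pscredential] $NewAccount,      # local account to create or update
        [string] $RoleName = 'Admin'                            # role granted on ha-folder-root
    )
    foreach ($name in $HostName) {
        $srv = $null
        $result = [pscustomobject]@{ Host = $name; Version = $null; Status = 'Failed'; Detail = $null }
        try {
            # Keep the connection handle so every later call is scoped to this host only,
            # even while a vCenter session (or another host session) is still open.
            $srv = Connect-VIServer -Server $name -Credential $RootCredential -ErrorAction Stop
            $result.Version = $srv.Version
            $id    = $NewAccount.UserName
            $plain = $NewAccount.GetNetworkCredential().Password

            $account = Get-VMHostAccount -Server $srv -User -Id $id -ErrorAction SilentlyContinue
            if ($account) {
                $account = $account | Set-VMHostAccount -Password $plain -ErrorAction Stop
            } else {
                $account = New-VMHostAccount -Server $srv -Id $id -Password $plain -UserAccount -ErrorAction Stop
            }
            # Guard against the "Principal is null or empty" failure seen in the thread.
            if (-not $account) { throw "Account '$id' was not returned; permission not assigned." }

            # Grant the role to the account itself, not to a local group.
            $root = Get-Folder -Server $srv -Name 'ha-folder-root' -ErrorAction Stop
            $role = Get-VIRole -Server $srv -Name $RoleName -ErrorAction Stop
            $existing = Get-VIPermission -Server $srv -Entity $root -Principal $account -ErrorAction SilentlyContinue
            if (-not $existing) {
                New-VIPermission -Server $srv -Entity $root -Principal $account -Role $role -ErrorAction Stop | Out-Null
            }
            $result.Status = 'OK'
        }
        catch { $result.Detail = $_.Exception.Message }   # e.g. wrong root password on this host
        finally {
            # Disconnect only this host; a bare Disconnect-VIServer fails with several sessions open.
            if ($srv) { Disconnect-VIServer -Server $srv -Confirm:$false }
        }
        $result
    }
}

# Usage (run while connected to vCenter; the prompts replace literal passwords):
# $names = Get-VMHost | Select-Object -ExpandProperty Name
# Add-EsxLocalAdmin -HostName $names -RootCredential (Get-Credential root) -NewAccount (Get-Credential)
```

Rows with Status 'Failed' list the hosts to retry with a different root credential; the other hosts are unaffected by those failures.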