Automation

  • 1.  Permission Audit of Vcenter Groups and Members

    Posted Feb 12, 2021 03:53 PM

    I am working on a permission audit and am struggling to get the output I need. In vCenter, under Administration > Users and Groups, neither Users nor Groups has an export option. So I have dug around and referenced:

    https://communities.vmware.com/t5/VMware-PowerCLI-Discussions/Fetching-User-Group-Role-details-using-Powercli/td-p/1823101

    and 

    https://communities.vmware.com/t5/VMware-PowerCLI-Discussions/Script-to-display-members-of-groups/td-p/933560

    Using those I have come up with this block, which runs, and the Permissions and Roles tabs are great. But I am not getting any output in the Members column of the Groups sheet.

    Now, in my environment my vSphere groups can have multiple AD users and AD security groups from multiple domains as members, and a couple of groups have a mix of AD and vsphere.local members. (I know; that is part of why I am trying to run an audit, to clean it up.)

    What I need help with is the groups lookup. Ideally I would get a sheet called Groups that lists the group name ("Principal"), the members of the vSphere group, the members of the AD group if one is listed in the vSphere group, where that group has permissions ("VIObject"), and what level of permissions that group has in that location ("Role").

    From the block below I can get most of that, but I haven't figured out how to list the group members and then pass that into the AD lookup. I am getting familiar with the PowerCLI cmdlets, but can't seem to find the properties I need to pull this together.

    Any Help would be appreciated. 

    And I am using PowerCLI 12.2.0 with vSphere 6.7.

    $d = Get-Date -Format yyyyMMdd
    $reportName = "C:\VCenter_Permission_Audit-$d.xlsx"
    $reporttime = [System.Diagnostics.Stopwatch]::StartNew()

    # Sheet 1: every permission, with the entity it is set on and the vCenter it came from
    Get-VIPermission |
        Select Principal, Role,
            @{N='Entity'; E={$_.Entity.Name}},
            @{N='Entity Type'; E={$_.EntityId.Split('-')[0]}},
            @{N='vCenter'; E={$_.Uid.Split('@:')[1]}} |
        Export-Excel -Path $reportName -WorksheetName Permissions

    # Sheet 2: roles with their privilege lists (one privilege per line inside the cell)
    Get-VIRole |
        Select Name, @{N='PrivilegeList'; E={[string]::Join([char]10, $_.PrivilegeList)}} |
        Export-Excel -Path $reportName -WorksheetName Roles

    # Sheet 3: group permissions; for group principals, look the name part of the
    # principal up in AD and list that AD group's members
    Get-VIPermission |
        Select @{N='VIObject'; E={$_.Entity.Name}}, Role, Principal,
            @{N='Members'; E={
                if ($_.IsGroup) {
                    $group = Get-ADGroup $_.Principal.Split('\')[1] -Properties Members
                    $names = $group.Members | %{ Get-ADObject $_ | Select -ExpandProperty Name }
                    [string]::Join(',', $names)
                }
            }} |
        Export-Excel -Path $reportName -WorksheetName Groups

    $reporttime.Stop()
    Write-Host "This report took $($reporttime.Elapsed.Minutes) minutes and $($reporttime.Elapsed.Seconds) seconds to run"




  • 2.  RE: Permission Audit of Vcenter Groups and Members

    Posted Feb 12, 2021 06:02 PM

    I'm not sure I'm following.
    You seem to be using the Principal (minus the domain) for an AD lookup.
    That will not work.

    If your vSphere group has members, you will need to use those members for the eventual AD lookup.

    Perhaps some anonymised examples of some of these groups might clarify?



  • 3.  RE: Permission Audit of Vcenter Groups and Members

    Posted Feb 12, 2021 09:26 PM

    That is what I am trying to figure out how to do, but I am still trying to learn the cmdlets and their output. What I would like to do is get the existing group members and, if a member is a security group, do an AD lookup to get the security group's members. If you go to Group A under Administration / Users and Groups / Groups you see two columns: member name and domain.

    So say I have these groups:

    Group A is "Windows Administrators" and has members:
        domain\WindowsAdmins   (security group)
        domain\username
        domain2\username2
        vsphere.local\username

    Group B is "Linux Administrators" and has members:
        Domain\LinuxAdminis

    Group C is "Administrators" and has members:
        domain\VcenterAdmins
        domain2\VcenterAdmins
        domain3\VcenterAdmins

    So right now the output looks like:

    Principal                              Members   Role       VIObject
    vsphere.local\Administrators           blank     Admin      Datacenters
    vsphere.local\Windows Administrators   blank     vm_admin   Datacenters / Folder
    vsphere.local\Linux Administrators     blank     vm_admin   Datacenters / Folder

    But the way I think it needs to look is like this:

    Principal                              VS Membership            AD Members                               Role       VIObject
    vsphere.local\Administrators           domain\VcenterAdmins     "members of domain\VcenterAdmins"        Admin      Datacenters
                                           domain2\VcenterAdmins    "members of domain2\VcenterAdmins"       Admin      Datacenters
                                           domain3\VcenterAdmins    "members of domain2\VcenterAdmins"       Admin      Datacenters
    vsphere.local\Windows Administrators   domain\WindowsAdmins     "members of domain\WindowsAdmins"        vm_admin   Datacenters / Folder
                                           domain\username          -- nothing, because not an AD group --   vm_admin   Datacenters / Folder
                                           domain2\username2        -- nothing, because not an AD group --   vm_admin   Datacenters / Folder
                                           vsphere.local\username   -- nothing, because not an AD group --   vm_admin   Datacenters / Folder
    vsphere.local\Linux Administrators     Domain\LinuxAdminis      "members of domain\LinuxAdminis"         vm_admin   Datacenters / Folder


    Hope this explains better.



  • 4.  RE: Permission Audit of Vcenter Groups and Members

    Posted Feb 12, 2021 10:28 PM

    The problem is that retrieving the members of a vSphere.local group is done through a private SSO API call.
    Available through the Web Client, but unfortunately not through a public API method nor a cmdlet.



  • 5.  RE: Permission Audit of Vcenter Groups and Members

    Posted Feb 17, 2021 11:53 PM

    LucD, Thanks for the quick reply...

    In a world full of STIGs and audit checks, I can't believe there isn't an easier way to get this info, so I am still trying to figure out a way forward. Would using your script from this How-to-retrieve-group-membership-from-PowerCLI allow me to get the local group names and members as step 1? And then, once I have that, say saved to a CSV, use a Get-ADGroup / Get-ADUser lookup as step 2?

    I got this unknown command error when I tried to test that code from the link:
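
    The two-step idea above (step 1: vSphere group membership gathered some other way and saved to a CSV; step 2: AD expansion joined to the permission list from post 1) as an added PowerShell example. This is not code from the thread, from LucD's scripts, or from VMware; the CSV layout (columns VSGroup and Member), the $DomainMap hashtable of NetBIOS names to DNS domains, and the Resolve-ADPrincipal function are all assumptions for illustration. It uses only the ActiveDirectory cmdlets (Get-ADObject, Get-ADGroupMember), Get-VIPermission from PowerCLI and Export-Excel from ImportExcel, and it classifies each vSphere group member as an SSO object, an AD user, an AD group (expanded recursively) or not found, so the Groups sheet comes out in the shape post 3 asks for.

```powershell
# Added example, not code from the thread or from LucD's scripts.
# Step 2 of the approach proposed above: take the vSphere (SSO) group membership
# gathered by whatever step-1 method you use, expand every member that turns out
# to be an AD group, and join the result to Get-VIPermission.
#
# Assumptions (all hypothetical, adjust to your environment):
#   - $MembershipCsv has two columns, VSGroup and Member, e.g.
#       "vsphere.local\Windows Administrators","domain\WindowsAdmins"
#   - $DomainMap maps each NetBIOS domain name seen in the CSV to a DNS
#     domain or DC that the Get-AD* cmdlets can query (needed for multiple domains).
# Requires the ActiveDirectory module, VMware.PowerCLI (already connected
# with Connect-VIServer) and ImportExcel for Export-Excel.
param(
    [Parameter(Mandatory)][string]$MembershipCsv,
    [string]$ReportPath = "C:\VCenter_Permission_Audit-$(Get-Date -Format yyyyMMdd).xlsx",
    [hashtable]$DomainMap = @{ domain = 'domain.example'; domain2 = 'domain2.example'; domain3 = 'domain3.example' }
)

Import-Module ActiveDirectory

function Resolve-ADPrincipal {
    # Classify one "DOMAIN\name" principal and, if it is an AD group, return its
    # flattened membership. Returns an object with Type and a Members array.
    param([Parameter(Mandatory)][string]$Principal)

    $parts = $Principal -split '\\', 2
    if ($parts.Count -ne 2) {
        return [pscustomobject]@{ Type = 'unparsable'; Members = @() }
    }
    $domain, $name = $parts

    # vsphere.local principals live in SSO, not AD: nothing to expand here.
    if ($domain -ieq 'vsphere.local') {
        return [pscustomobject]@{ Type = 'sso'; Members = @() }
    }

    $server = $DomainMap[$domain]
    if (-not $server) {
        return [pscustomobject]@{ Type = 'unmapped-domain'; Members = @() }
    }

    # sAMAccountName lookup, so users and groups are handled by the same query.
    $obj = Get-ADObject -Server $server -Filter "sAMAccountName -eq '$name'" -Properties objectClass
    if (-not $obj) {
        return [pscustomobject]@{ Type = 'not-found'; Members = @() }
    }
    if ($obj.ObjectClass -ne 'group') {
        return [pscustomobject]@{ Type = $obj.ObjectClass; Members = @() }
    }

    # -Recursive flattens nested groups. Members that are foreign security
    # principals from a trusted domain may not resolve; record the error text
    # in the output for that row instead of aborting the whole report.
    try {
        $members = Get-ADGroupMember -Server $server -Identity $obj.DistinguishedName -Recursive -ErrorAction Stop |
            ForEach-Object { "$domain\$($_.SamAccountName)" }
        return [pscustomobject]@{ Type = 'group'; Members = @($members) }
    } catch {
        return [pscustomobject]@{ Type = 'group (lookup failed)'; Members = @("ERROR: $($_.Exception.Message)") }
    }
}

$membership  = Import-Csv -Path $MembershipCsv
$permissions = Get-VIPermission | Where-Object { $_.IsGroup }

$rows = foreach ($perm in $permissions) {
    $vsMembers = @($membership | Where-Object { $_.VSGroup -ieq $perm.Principal })
    if ($vsMembers.Count -eq 0) {
        # Still report the permission, so an empty or unknown group is visible in the audit.
        [pscustomobject]@{
            Principal = $perm.Principal; VSMember = ''; MemberType = 'no-membership-data'
            ADMembers = ''; Role = $perm.Role; VIObject = $perm.Entity.Name
        }
        continue
    }
    foreach ($m in $vsMembers) {
        $resolved = Resolve-ADPrincipal -Principal $m.Member
        [pscustomobject]@{
            Principal  = $perm.Principal        # the vSphere group holding the permission
            VSMember   = $m.Member              # one member of that vSphere group
            MemberType = $resolved.Type         # group / user / sso / not-found ...
            ADMembers  = ($resolved.Members -join ', ')
            Role       = $perm.Role
            VIObject   = $perm.Entity.Name
        }
    }
}

$rows | Export-Excel -Path $ReportPath -WorksheetName Groups -AutoSize
```

    Run it as .\Audit-GroupMembers.ps1 -MembershipCsv .\vsphere-groups.csv after Connect-VIServer. One row is emitted per (permission, vSphere member) pair, which is the layout in post 3; the MemberType column is what makes the cleanup easy, since rows marked not-found or unmapped-domain are exactly the stale or cross-domain entries the audit is meant to surface.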



  • 6.  RE: Permission Audit of Vcenter Groups and Members

    Posted Feb 18, 2021 07:20 AM

    It could be caused by the account you use to connect to the VCSA.
    Are you using the VCSA root account?



  • 7.  RE: Permission Audit of Vcenter Groups and Members

    Posted Mar 03, 2021 12:23 AM

    I am using the root account. Does it matter if I have an external PSC?



  • 8.  RE: Permission Audit of Vcenter Groups and Members

    Posted Mar 03, 2021 08:06 AM

    Not sure.
    The best way to find out is to open an SSH session to the VCSA and try the command in there.



  • 9.  RE: Permission Audit of Vcenter Groups and Members

    Posted Nov 22, 2023 12:35 PM

    I had the same error messages too; you need to disable the appliance shell.

    Before using the script enter this on the VCSA:

    chsh -s /bin/bash root

    and when the script is finished this command:

    chsh -s /bin/appliancesh root

    The error message from the script is exactly the same as when you enter the command in the appliance shell...