I am working on a permission audit and am struggling to get the output I need. In vCenter, under Administration, and Users and Groups, neither Users nor Groups has an export option. So I have dug around and referenced:
and
And using those I have come up with this block that runs, and the Permissions and Roles tabs are great. But I am not getting any output in the Members column of the Groups sheet.
Now in my environment my vSphere groups can have multiple AD users and AD security groups from multiple domains as members. And a couple of groups have a mix of AD and vsphere.local members. (I know that is part of why I am trying to run an audit to clean it up.)
What I need help with is the groups lookup. Ideally I would get a sheet called Groups that lists the group name "Principal", the members of the vSphere group, the members of the AD group if one is listed in the vSphere group, where that group has permissions "VIObject", and what level of permissions that group has in that location "Role".
And from the below block I can get most of that, but I haven't figured out how to list the group members and then pass that into the AD lookup. I am getting familiar with PowerCLI cmdlets, but can't seem to find the properties I need to pull this together.
Any help would be appreciated.
And I am using PowerCLI 12.2.0 with vSphere 6.7.
$d = Get-Date -Format yyyyMMdd
$reportName = "C:\VCenter_Permission_Audit-$d.xlsx"
$reporttime = [System.Diagnostics.Stopwatch]::StartNew()
# Sheet 1: every permission, with the entity it applies to and the vCenter it came from
Get-VIPermission | Select Principal,Role,@{N='Entity';E={$_.Entity.Name}},@{N='Entity Type';E={$_.EntityId.Split('-')[0]}},@{N='vCenter';E={$_.Uid.Split('@:')[1]}} `
| Export-Excel -Path $reportName -WorksheetName Permissions
# Sheet 2: every role with its privileges, one per line inside the cell
Get-VIRole | Select Name,@{N='PrivilegeList';E={[string]::Join([char]10,$_.PrivilegeList)}} `
| Export-Excel -Path $reportName -WorksheetName Roles
# Sheet 3: group permissions; the Members column strips the domain prefix from the
# principal and tries to look the remainder up in AD as a group
Get-VIPermission | Select @{N="VIObject";E={$_.Entity.Name}},Role,Principal,
@{N="Members";E={ if($_.IsGroup){
    $group = Get-ADGroup $_.Principal.Split('\')[1] -Properties Members
    $names = $group.Members | %{Get-ADObject $_ | Select -ExpandProperty Name}
    [string]::Join(',',$names)}}} `
| Export-Excel -Path $reportName -WorksheetName Groups
$reporttime.Stop()
Write-Host "This report took $($reporttime.Elapsed.Minutes) minutes and $($reporttime.Elapsed.Seconds) seconds to run"
I'm not sure I'm following.
You seem to be using the Principal (minus the domain) for an AD lookup.
That will not work.
If your vSphere group has members, you will need to use those members for the eventual AD lookup.
Perhaps some anonymised examples of some of these groups might clarify?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
That is what I am trying to figure out how to do. But I am still trying to learn the cmdlets and the given output. What I would like to do is get the existing group members and, if the member is a security group, do an AD lookup to get the security group members. And if you go to Group A under Administration / Users and Groups / Groups you see two columns: member name and domain.
So say I have these groups:
Group A is "Windows Administrators"
Has members:
- domain\WindowsAdmins (security group)
- domain\username
- domain2\username2
- vsphere.local\username
Group B is "Linux Administrators"
Has members:
- Domain\LinuxAdminis
Group C is "Administrators"
Has members:
- domain\VcenterAdmins
- domain2\VcenterAdmins
- domain3\VcenterAdmins
So right now the output looks like:
| Principal | Members | Role | VIObject |
| --- | --- | --- | --- |
| Vsphere.local\Administrators | blank | Admin | Datacenters |
| Vsphere.local\Windows Administrators | blank | vm_admin | Datacenters / Folder |
| Vsphere.local\Linux Administrators | blank | vm_admin | Datacenters / Folder |
But the way I think it needs to look is like this:
| Principal | VS Membership | AD Members | Role | VIObject |
| --- | --- | --- | --- | --- |
| Vsphere.local\Administrators | domain\VcenterAdmins | "members of domain\VcenterAdmins" | Admin | Datacenters |
| | domain2\VcenterAdmins | "members of domain2\VcenterAdmins" | Admin | Datacenters |
| | domain3\VcenterAdmins | "members of domain2\VcenterAdmins" | Admin | Datacenters |
| Vsphere.local\Windows Administrators | domain\WindowsAdmins | "members of domain\WindowsAdmins" | vm_admin | Datacenters / Folder |
| | domain\username | -- nothing because not an AD group -- | vm_admin | Datacenters / Folder |
| | domain2\username2 | -- nothing because not an AD group -- | vm_admin | Datacenters / Folder |
| | vsphere.local\username | -- nothing because not an AD group -- | vm_admin | Datacenters / Folder |
| Vsphere.local\Linux Administrators | Domain\LinuxAdminis | "members of domain\LinuxAdminis" | vm_admin | Datacenters / Folder |
Hope this explains better.
The problem is that retrieving the members of a vSphere.local group is done through a private SSO API call.
Available through the Web Client, but unfortunately not through a public API method nor a cmdlet.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
LucD, Thanks for the quick reply...
In a world full of STIGs and audit checks, I can't believe there isn't an easier way to get this info, so I am still trying to figure out a way forward. Would using your script from this How-to-retrieve-group-membership-from-PowerCLI allow me to get the local group names and members as step 1? And then once I have that, say saved to a CSV, use a Get-ADGroup / Get-ADUser lookup as step 2?
I got this unknown command error when I tried to test that code from the link:
Group User
----- ----
ActAsUsers Unknown command: `/usr/lib/vmware-vmafd/bin/dir-cli'
EMAIL_TEAM Unknown command: `/usr/lib/vmware-vmafd/bin/dir-cli'
AutoUpdate Unknown command: `/usr/lib/vmware-vmafd/bin/dir-cli'
Users Unknown command: `/usr/lib/vmware-vmafd/bin/dir-cli'
Window... Unknown command: `/usr/lib/vmware-vmafd/bin/dir-cli'
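As an added example of the "step 2" AD lookup described in the post above (this is not code from the thread, from LucD's script, or from VMware), the block below takes the group/member CSV that step 1 is assumed to produce, expands each member that resolves to an AD group, and emits rows shaped like the desired table. The CSV path and its Group/Member column names are assumptions; the AD domain to query is taken from the domain prefix of each member name.

```powershell
# Added example: step 2 of the two-step approach. Assumes a CSV from step 1 with
# columns Group (e.g. "vsphere.local\Windows Administrators") and Member
# (e.g. "domain\WindowsAdmins"); the path and column names are assumptions.
Import-Module ActiveDirectory
$membershipCsv = 'C:\vsphere_group_members.csv'   # assumed output of step 1
$members = Import-Csv -Path $membershipCsv

# Group permissions, so every output row carries the Role and VIObject of the principal
$perms = Get-VIPermission | Where-Object { $_.IsGroup } |
    Select-Object Principal, Role, @{N = 'VIObject'; E = { $_.Entity.Name }}

function Get-ADGroupMembersOrNull {
    param([string]$Member)   # "domain\name" as shown in the vSphere group
    $domain, $name = $Member.Split('\', 2)
    # vsphere.local members are never in AD; skip them without a lookup
    if ($domain -ieq 'vsphere.local' -or -not $name) { return $null }
    try {
        # Resolve the object first and only expand it when it is actually a group,
        # so plain user members yield nothing (matching the "not an AD group" rows)
        $obj = Get-ADObject -Server $domain -LDAPFilter "(sAMAccountName=$name)" |
            Select-Object -First 1
        if (-not $obj -or $obj.ObjectClass -ne 'group') { return $null }
        $gm = Get-ADGroupMember -Server $domain -Identity $obj.DistinguishedName -Recursive
        return ($gm | Select-Object -ExpandProperty SamAccountName) -join ','
    } catch {
        # Unreachable domain or unknown account: record it instead of aborting the audit
        return "lookup failed: $($_.Exception.Message)"
    }
}

$rows = foreach ($p in $perms) {
    $groupMembers = $members | Where-Object { $_.Group -ieq $p.Principal }
    foreach ($m in $groupMembers) {
        [pscustomobject]@{
            Principal       = $p.Principal
            'VS Membership' = $m.Member
            'AD Members'    = Get-ADGroupMembersOrNull -Member $m.Member
            Role            = $p.Role
            VIObject        = $p.VIObject
        }
    }
}
$rows | Export-Excel -Path 'C:\VCenter_Permission_Audit_Groups.xlsx' -WorksheetName Groups
```

A principal that appears in several permissions produces one row per permission, which is what the desired table shows for Datacenters / Folder.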
It could be caused by the account you use to connect to the VCSA.
Are you using the VCSA root account?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
I am using the root account. Does it matter if I have an external psc?
Not sure.
The best way to find out is to open an SSH session to the VCSA and try the command in there.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
I had the same error messages too; you need to disable the appliance shell.
Before using the script, enter this on the VCSA:
chsh -s /bin/bash root
and when the script is finished, this command:
chsh -s /bin/appliancesh root
The error message from the script is exactly the same as when you enter the command in the appliance shell...