VMware Cloud Community
RThornburg
Contributor

Permission Audit of Vcenter Groups and Members

I am working on a permission audit and am struggling to get the output I need. In vCenter, under Administration > Users and Groups, neither Users nor Groups has an export option. So I have dug around and referenced:

https://communities.vmware.com/t5/VMware-PowerCLI-Discussions/Fetching-User-Group-Role-details-using...

and 

https://communities.vmware.com/t5/VMware-PowerCLI-Discussions/Script-to-display-members-of-groups/td...

Using those I have come up with the block below, which runs; the Permissions and Roles tabs are great, but I am not getting any output in the Members column of the Groups sheet.

Now in my environment my vSphere groups can have multiple AD users and AD security groups from multiple domains as members, and a couple of groups have a mix of AD and vsphere.local members. (I know; that is part of why I am trying to run an audit, to clean it up.)

What I need help with is the groups lookup. Ideally I would get a sheet called Groups that lists the group name ("Principal"), the members of the vSphere group, the members of the AD group if one is listed in the vSphere group, everywhere that group has permissions ("VIObject"), and what level of permissions the group has in that location ("Role").

From the block below I can get most of that, but I haven't figured out how to list the group members and then pass that into the AD lookup. I am getting familiar with PowerCLI cmdlets, but can't seem to find the properties I need to pull this together.

Any help would be appreciated.

And I am using PowerCLI 12.2.0 with vSphere 6.7.

$d = Get-Date -Format yyyyMMdd
$reportName = "C:\VCenter_Permission_Audit-$d.xlsx"
$reporttime = [System.Diagnostics.Stopwatch]::StartNew()

# Permissions sheet: which principal holds which role on which inventory object
Get-VIPermission |
    Select-Object Principal, Role,
        @{N='Entity'; E={$_.Entity.Name}},
        @{N='Entity Type'; E={$_.EntityId.Split('-')[0]}},
        @{N='vCenter'; E={$_.Uid.Split('@:')[1]}} |
    Export-Excel -Path $reportName -WorksheetName Permissions

# Roles sheet: each role with its privileges, one privilege per line in the cell
Get-VIRole |
    Select-Object Name,
        @{N='PrivilegeList'; E={[string]::Join([char]10, $_.PrivilegeList)}} |
    Export-Excel -Path $reportName -WorksheetName Roles

# Groups sheet: for group principals, strip the domain and look the name up in AD
Get-VIPermission |
    Select-Object @{N='VIObject'; E={$_.Entity.Name}}, Role, Principal,
        @{N='Members'; E={
            if ($_.IsGroup) {
                $group = Get-ADGroup $_.Principal.Split('\')[1] -Properties Members
                $names = $group.Members | ForEach-Object { Get-ADObject $_ | Select-Object -ExpandProperty Name }
                [string]::Join(',', $names)
            }
        }} |
    Export-Excel -Path $reportName -WorksheetName Groups

$reporttime.Stop()
Write-Host "This report took $($reporttime.Elapsed.Minutes) Minutes and $($reporttime.Elapsed.Seconds) Seconds to run"


8 Replies
LucD
Leadership

I'm not sure I'm following.
You seem to be using the Principal (minus the domain) for an AD lookup.
That will not work.

If your vSphere group has members, you will need to use those members for the eventual AD lookup.

Perhaps some anonymised examples of some of these groups might clarify?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

RThornburg
Contributor

That is what I am trying to figure out how to do, but I am still trying to learn the cmdlets and the given output. What I would like to do is get the existing group members and, if a member is a security group, do an AD lookup to get the security group's members. And if you go to Group A under Administration / Users and Groups / Groups you see two columns: member name and domain.

So say I have these groups

Group A is "Windows Administrators"

Has Members:

domain\WindowsAdmins (security group)

domain\username

domain2\username2

vsphere.local\username


Group B is “Linux Administrators”

Has members:

Domain\LinuxAdminis


Group c is “Administrators”

Has Members:

domain\VcenterAdmins

domain2\VcenterAdmins

domain3\VcenterAdmins


So right now the output looks like:

Principal                             Members  Role      VIObject
Vsphere.local\Administrators          blank    Admin     Datacenters
Vsphere.local\Windows Administrators  blank    vm_admin  Datacenters / Folder
Vsphere.local\Linux Administrators    blank    vm_admin  Datacenters / Folder

But the way I think it needs to look is like this:

Principal                             VS Membership           AD Members                           Role      VIObject
Vsphere.local\Administrators          domain\VcenterAdmins    "members of domain\VcenterAdmins"    Admin     Datacenters
                                      domain2\VcenterAdmins   "members of domain2\VcenterAdmins"   Admin     Datacenters
                                      domain3\VcenterAdmins   "members of domain3\VcenterAdmins"   Admin     Datacenters
Vsphere.local\Windows Administrators  domain\WindowsAdmins    "members of domain\WindowsAdmins"    vm_admin  Datacenters / Folder
                                      domain\username         -- nothing, not an AD group --       vm_admin  Datacenters / Folder
                                      domain2\username2       -- nothing, not an AD group --       vm_admin  Datacenters / Folder
                                      vsphere.local\username  -- nothing, not an AD group --       vm_admin  Datacenters / Folder
Vsphere.local\Linux Administrators    Domain\LinuxAdminis     "members of domain\LinuxAdminis"     vm_admin  Datacenters / Folder

Hope this explains better.

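As an added worked example (not code from this thread or from the PowerCLI project), here is one way to produce the five-column Groups sheet described in the post above: one row per member of each vSphere group, with the member's own AD membership expanded beside it. It assumes that PowerCLI and the ActiveDirectory module are loaded, that Connect-VIServer has been run, that the ImportExcel module supplies Export-Excel (as in the original script), and that the vsphere.local group memberships, which no public cmdlet returns, have already been captured by other means into a Group,Member CSV; a constructed sample stands in for that CSV here, and the NetBIOS-to-domain-controller map $adDomains is hypothetical.

```powershell
# Added example: Groups sheet with one row per vSphere-group member plus its AD expansion.
# Assumptions (not from the thread): PowerCLI + ActiveDirectory modules loaded, Connect-VIServer
# done, ImportExcel provides Export-Excel, SSO memberships captured beforehand into a CSV.

$d = Get-Date -Format yyyyMMdd
$reportName = "C:\VCenter_Permission_Audit-$d.xlsx"

# Constructed sample standing in for the captured SSO membership CSV (columns: Group,Member).
# In production: $ssoMembership = Import-Csv 'C:\sso-group-members.csv'
$ssoMembership = @'
Group,Member
Administrators,domain\VcenterAdmins
Administrators,domain2\VcenterAdmins
Windows Administrators,domain\WindowsAdmins
Windows Administrators,domain\username
Windows Administrators,vsphere.local\username
'@ | ConvertFrom-Csv

# Hypothetical NetBIOS-name -> domain controller map. Members from the SSO domain or from an
# unlisted domain are never sent to AD; that is what made the original lookup return nothing.
$adDomains = @{ 'domain' = 'dc01.domain.example'; 'domain2' = 'dc01.domain2.example' }

function Get-ADPrincipalMembers {
    # Returns the recursively expanded members of an AD group written as domain\Name,
    # or an explanatory string when there is nothing to expand.
    param([Parameter(Mandatory)][string]$Member)

    $domain, $name = $Member -split '\\', 2
    if (-not $adDomains.ContainsKey($domain)) { return '' }
    $server = $adDomains[$domain]

    try {
        $obj = Get-ADObject -Server $server -Filter "sAMAccountName -eq '$name'"
    } catch {
        return "lookup failed: $($_.Exception.Message)"
    }
    if ($null -eq $obj)               { return 'not found in AD' }
    if ($obj.ObjectClass -ne 'group') { return '' }   # a user account: nothing to expand

    # -Recursive flattens nested groups so the sheet shows who actually inherits the role.
    # Members from other forests appear as foreign security principals and are not expanded.
    $members = Get-ADGroupMember -Server $server -Identity $obj.DistinguishedName -Recursive |
        ForEach-Object { "$domain\$($_.SamAccountName)" }
    return ($members -join ', ')
}

function New-AuditRow {
    param($Principal, $VsMember, $AdMembers, $Role, $VIObject)
    [pscustomobject]@{
        Principal       = $Principal
        'VS Membership' = $VsMember
        'AD Members'    = $AdMembers
        Role            = $Role
        VIObject        = $VIObject
    }
}

$rows = foreach ($perm in Get-VIPermission) {
    $viObject = $perm.Entity.Name
    if (-not $perm.IsGroup) {
        New-AuditRow $perm.Principal '' '' $perm.Role $viObject
        continue
    }
    $domain, $groupName = $perm.Principal -split '\\', 2
    if ($domain -eq 'vsphere.local') {
        # SSO group: one row per captured member, each with its own AD expansion
        $members = @($ssoMembership | Where-Object Group -eq $groupName)
        if ($members.Count -eq 0) {
            New-AuditRow $perm.Principal '(no members captured)' '' $perm.Role $viObject
        }
        foreach ($m in $members) {
            New-AuditRow $perm.Principal $m.Member (Get-ADPrincipalMembers $m.Member) $perm.Role $viObject
        }
    } else {
        # role granted straight to an AD group: expand the principal itself
        New-AuditRow $perm.Principal '' (Get-ADPrincipalMembers $perm.Principal) $perm.Role $viObject
    }
}

$rows | Export-Excel -Path $reportName -WorksheetName Groups
$rows | Format-Table -AutoSize
```

The split by domain is the point: a vsphere.local principal's name after the backslash is an SSO group that AD has never heard of, so the original script's Get-ADGroup call could only ever succeed for permissions granted directly to an AD group. An empty "AD Members" cell next to a vsphere.local member is therefore expected, while "not found in AD" or "lookup failed" next to an AD member is something the audit should follow up on.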
LucD
Leadership

The problem is that retrieving the members of a vSphere.local group is done through a private SSO API call.
Available through the Web Client, but unfortunately not through a public API method nor a cmdlet.


RThornburg
Contributor

LucD, Thanks for the quick reply...

In a world full of STIGs and audit checks, I can't believe there isn't an easier way to get this info, so I am still trying to figure out a way forward. Would using your script from this How-to-retrieve-group-membership-from-PowerCLI allow me to get the local group names and members as step 1, and then, once I have that (say, saved to a CSV), use a Get-ADGroup / Get-ADUser lookup as step 2?

I got this unknown command error when I tried to test that code from the link:

Group      User                                                
-----      ----                                                
ActAsUsers Unknown command: `/usr/lib/vmware-vmafd/bin/dir-cli'
EMAIL_TEAM Unknown command: `/usr/lib/vmware-vmafd/bin/dir-cli'
AutoUpdate Unknown command: `/usr/lib/vmware-vmafd/bin/dir-cli'
Users      Unknown command: `/usr/lib/vmware-vmafd/bin/dir-cli'
Window...  Unknown command: `/usr/lib/vmware-vmafd/bin/dir-cli'
LucD
Leadership

It could be caused by the account you use to connect to the VCSA.
Are you using the VCSA root account?


RThornburg
Contributor

I am using the root account. Does it matter if I have an external PSC?

LucD
Leadership

Not sure.
The best way to find out is to open an SSH session to the VCSA and try the command in there.


Raudi
Expert

I had the same error messages too; you need to disable the appliance shell.

Before using the script enter this on the VCSA:

chsh -s /bin/bash root

and when the script is finished this command:

chsh -s /bin/appliancesh root

The error message from the script is exactly the same as when you enter the command in the appliance shell...
