
PowerCLI - Create new users in vsphere.local?

Google isn't helping.  Search didn't pull anything up on here.  Is it possible?

I have a vCenter that has some local SSO users.  They are assigned Read Only roles on random objects: datacenter, cluster, VM folder... etc.

I was able to export the users.

Example :

Entity     : MyCluster8
EntityType : ClusterComputeResource
Group      : False
Principal  : VSPHERE.LOCAL\Cluster8user
Propagate  : True
Role       : VirtualMachinePowerUser

But importing on a new vCenter isn't working without first creating the user.

If I manually create the user via WebClient, I can use the New-VIPermission function to assign the user where it needs to be...

# Propagate is parsed from its string form: a plain [boolean] cast of the exported
# text "False" would evaluate to $true because the string is non-empty.
New-VIPermission -Role $a.Role -Entity $a.Entity -Principal $a.Principal -Propagate ([bool]::Parse($a.Propagate))

Please help me find a way to create these users in a powershell window!

Thoughts, comments?


Afaik there is no public API to create accounts in vsphere.local.

But I'm wondering why you would need to do that.

I would add an identity source, for example AD, and then use the accounts from that identity source to assign permissions.

Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference


I have a complete vCenter to vCenter backup/migration script working.

We take nightly "object" backups of vcenter.  If at any time vCenter were to die, I can run the restore script and it will fully recreate our vCenter with no downtime to workloads.

The only thing that won't restore are the vsphere.local accounts.

The current process is to manually create the users then let the restore continue to assign the users to the correct objects, and roles.

We do use Active Directory and the accounts and groups restore fine.

Use case for the vsphere.local account:

We have a few read only accounts and a few admin accounts created under vsphere.local for third party tools and automation.

Example : Pernix wants an admin account.  Our object backups only need a read only account.  We allow other teams to create their own DRS rules via a web app we created.  This app has a local user that only has access to create DRS rules, nothing else.

I understand that most businesses will create a service account in AD but the process takes too long for a simple proof of concept install or for something as simple as a read only user to open a VM console.

I know any futures are NDA but if anyone knows that this may be possible in the future please let me know.

It will sit on the to-do list until then...

Thank you for your time sir!

Nicholas Farmer

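The export/restore flow described in the question and in the restore process above, written out as an added PowerCLI example (this is not code from the thread or from VMware). Because vsphere.local accounts cannot be created from PowerCLI, the import checks each principal with Get-VIAccount before calling New-VIPermission, skips the ones that do not resolve yet, and returns their names so they can be created by hand and the run repeated. It assumes an existing Connect-VIServer session, a CSV with the columns shown in the question (Entity, EntityType, Group, Principal, Propagate, Role), that Get-VIAccount can enumerate the SSO domain on this vCenter, and a constructed file path `C:\vcbackup\permissions.csv`.

```powershell
# Added example, not from the original thread. Requires an active Connect-VIServer session.
# Constructed path; point it at the real export location.
$exportPath = 'C:\vcbackup\permissions.csv'

function Export-VcPermissions {
    param([string]$Path)
    # Get-VIPermission without -Entity walks the whole inventory, including the root folder.
    # EntityType is taken from the managed object type so the import can resolve a
    # cluster, VM folder and VM that happen to share a name without confusing them.
    Get-VIPermission |
        Select-Object @{N='Entity';     E={ $_.Entity.Name }},
                      @{N='EntityType'; E={ $_.Entity.ExtensionData.MoRef.Type }},
                      @{N='Group';      E={ $_.IsGroup }},
                      Principal, Propagate, Role |
        Export-Csv -Path $Path -NoTypeInformation
}

function Import-VcPermissions {
    param([string]$Path)
    $missingPrincipals = @()

    foreach ($p in Import-Csv -Path $Path) {
        # Principal is exported as DOMAIN\name; split on the first backslash only.
        $domain, $name = $p.Principal -split '\\', 2
        $isGroup = [bool]::Parse($p.Group)

        # Confirm the principal exists before touching permissions. Assumption: Get-VIAccount
        # -Domain can query the SSO domain (vsphere.local) as well as AD identity sources.
        $account = if ($isGroup) {
            Get-VIAccount -Group -Domain $domain -Id $name -ErrorAction SilentlyContinue
        } else {
            Get-VIAccount -User  -Domain $domain -Id $name -ErrorAction SilentlyContinue
        }
        if (-not $account) {
            $missingPrincipals += $p.Principal
            continue
        }

        # Resolve the target object by name AND type from the export.
        $entity = Get-Inventory -Name $p.Entity -ErrorAction SilentlyContinue |
                  Where-Object { $_.ExtensionData.MoRef.Type -eq $p.EntityType }
        if (-not $entity) {
            Write-Warning "Entity $($p.Entity) ($($p.EntityType)) not found; skipping"
            continue
        }

        # Skip entries that already exist so a second pass after creating the
        # missing accounts does not fail on duplicates.
        $existing = Get-VIPermission -Entity $entity -Principal $p.Principal -ErrorAction SilentlyContinue
        if ($existing) { continue }

        $role = Get-VIRole -Name $p.Role
        # Parse the boolean from its CSV text; a plain [bool] cast of "False" would be $true.
        New-VIPermission -Entity $entity -Principal $account -Role $role `
                         -Propagate ([bool]::Parse($p.Propagate)) | Out-Null
    }

    # Return the principals that still have to be created (e.g. in vsphere.local via the Web Client).
    $missingPrincipals | Sort-Object -Unique
}

# Usage: on the source vCenter
#   Export-VcPermissions -Path $exportPath
# On the rebuilt vCenter, then create whatever this returns and run it again:
#   $toCreate = Import-VcPermissions -Path $exportPath
#   $toCreate | ForEach-Object { Write-Host "Create manually before re-run: $_" }
```

The returned list is the useful output here: it turns the "manually create the users then let the restore continue" step into a checklist that the restore script produces itself, and re-running the import afterwards only adds the permissions that were skipped.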