Anybody got a PowerShell handy to remove the "ESX Admins" group/permissions from ESXi hosts?
I have moved this to a more appropriate forum -
You can use the command below. It removes the "ESX Admins" group from the advanced setting and sets it to null.
Get-VMHost "esxihost" | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup | Set-AdvancedSetting -value "" -Confirm:$false
I would suggest following KB1025569.
You can implement the 2nd bullet in the resolution of that KB like this:
$domain = "DomainName"
Get-VIPermission | where {$_.Principal -match $domain} |
Set-VIPermission -Role NoAccess -Propagate:$true
Note1: you need to be connected to the ESXi for this (not the vCenter).
Note2: replace "DomainName" with the name of your AD domain. The short NetBIOS name should be good, but you can check that by doing a Get-VIPermission first, and check the Principal entry.
Note3: if you have other domain principals in the permissions on your ESXi server, you will need to fine-tune the Match string.
An alternative is to disable the functionality (as Andreas described in Undocumented parameters for ESXi 5.0 Active Directory integration).
But that will only have an effect when you "join" the ESXi to the AD domain; it will not change the permissions when the ESXi is already joined.
$name = "Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd"
Get-VMHost "esxihost" | Get-AdvancedSetting -Name $name |
Set-AdvancedSetting -value $false -Confirm:$false
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
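Added example, not part of any post in this thread: a read-only check that reports whether the two advanced settings and the domain permissions discussed above still need changing. The function name Get-EsxAdminsFinding, the sample objects and the DOMAIN\name principal format are assumptions made for illustration.

```powershell
# Added example (not from the thread). Property names follow what the posts
# above use: Name/Value on settings, Principal/Role on permissions.
function Get-EsxAdminsFinding {
    param(
        [Parameter(Mandatory)] [object[]] $Setting,   # Get-AdvancedSetting output
        [object[]] $Permission = @(),                 # Get-VIPermission output
        [Parameter(Mandatory)] [string] $Domain
    )
    $prefix = 'Config.HostAgent.plugins.hostsvc.'
    foreach ($s in $Setting) {
        $issue = switch ($s.Name) {
            "${prefix}esxAdminsGroup" {
                if ("$($s.Value)".Trim()) { "group '$($s.Value)' is still configured" }
            }
            "${prefix}esxAdminsGroupAutoAdd" {
                if ("$($s.Value)" -eq 'True') { 'auto-add is enabled for the next domain join' }
            }
        }
        if ($issue) {
            [pscustomobject]@{ Host = "$($s.Entity)"; Item = $s.Name; Issue = $issue }
        }
    }
    # Assumption: principals look like DOMAIN\name. Anchoring the pattern avoids
    # matching the domain string elsewhere in a principal (the Note3 fine-tuning).
    $pattern = '^' + [regex]::Escape($Domain) + '\\'
    foreach ($p in $Permission) {
        if ($p.Principal -match $pattern -and $p.Role -ne 'NoAccess') {
            [pscustomobject]@{ Host = "$($p.Entity)"; Item = $p.Principal; Issue = "holds role '$($p.Role)'" }
        }
    }
}

# Constructed sample data so the function runs without a host connection.
$settings = @(
    [pscustomobject]@{ Entity = 'esxihost'; Name = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup'; Value = 'ESX Admins' }
    [pscustomobject]@{ Entity = 'esxihost'; Name = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd'; Value = $false }
)
$permissions = @(
    [pscustomobject]@{ Entity = 'ha-folder-root'; Principal = 'DomainName\ESX Admins'; Role = 'Admin' }
    [pscustomobject]@{ Entity = 'ha-folder-root'; Principal = 'root'; Role = 'Admin' }
)
Get-EsxAdminsFinding -Setting $settings -Permission $permissions -Domain 'DomainName' | Format-Table -AutoSize

# Live use, connected directly to the ESXi host (Note1):
# $names = "Config.HostAgent.plugins.hostsvc.esxAdminsGroup", "Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd"
# Get-EsxAdminsFinding -Setting (Get-VMHost | Get-AdvancedSetting -Name $names) -Permission (Get-VIPermission) -Domain 'DomainName'
```

With the sample data it reports the configured group and the DomainName\ESX Admins permission, and skips the local root entry and the disabled auto-add setting.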
