Enthusiast

Root password change

I have about 50 ESX servers on which I need to change the passwords for root and one additional local user (let's say vmuser). This would save me tons of time if this could be automated with PowerShell. Does anyone know if this can be done? Thanks for your time.

Jason

Jason @jrob24
User Moderator

There have been some discussions on adding ESX host accounts recently (see ).

In that thread a problem with the CreateUser method and the shell field in the passwd file came to light.

To solve it the HostPosixAccountSpec object needs to be used.

For your question, this script should do what you require:

# Connect to vCenter so Get-VMHost can enumerate the ESX hosts
Connect-VIServer -Server "<VC-server>"

# Current root password, used to log on to each host directly
$rootpswd = "<root-password>"

# New password for root
$accspec1 = New-Object VMware.Vim.HostPosixAccountSpec
$accspec1.id = "root"
$accspec1.password = "<new-root-password>"
$accspec1.shellAccess = "/bin/bash"

# New password for the additional local user
$accspec2 = New-Object VMware.Vim.HostPosixAccountSpec
$accspec2.id = "vmuser"
$accspec2.password = "<new-vmuser-password>"
$accspec2.shellAccess = "/bin/bash"

Get-VMHost | %{
  # Log on to the host itself; local accounts are managed per host
  Connect-VIServer $_.Name -User root -Password $rootpswd
  $si = Get-View ServiceInstance
  $acctMgr = Get-View -Id $si.content.accountManager

  $acctMgr.UpdateUser($accspec1)
  $acctMgr.UpdateUser($accspec2)
}

You didn't state if these 50 ESX servers are all your ESX servers.

If not, the Get-VMHost will have to be replaced by something else.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Contributor

Hi LucD,

I tried to use your script but get the error below. Could you please suggest?

You cannot call a method on a null-valued expression.

At line 9, position 73

$acctMgr = Get-View -Id $si.content.accountManager $acctMgr.UpdateUser($accspec1)

Thanks

User Moderator

Apparently the forum SW dropped some line feeds while you copied the script.

Try the attached version.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Contributor

Hi,

I could get rid of the null-valued expression error, but now I am getting the error below even though the password got changed successfully. Any idea what this is related to?

A parameter cannot be found that matches parameter name ''.

At line 9, position 20

$acctMgr = Get-View -Id $si.content.accountManager $acctMgr.UpdateUser($accspec1)

Thanks

Contributor

Sorry, spoke too early :( I saw your latest response and the script actually worked without any errors. When I viewed the code I couldn't really find anything changed except for the formatting. Do you mean that could create the difference in errors I was getting?

User Moderator

Yes, the line in the message should in fact be 2 lines.

The forum SW, depending on the browser you're using, seems to have this strange behavior.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Contributor

Cool... how do I secure the password I am typing? I tried the steps suggested in a few forums but couldn't succeed. Actually Get-Credential worked, but I'm not sure how to assign it to the $accspec1.password variable... any idea?

Contributor

I got it... below is the simple code.

$newrootpswd = Get-Credential root

$accspec1 = New-Object VMware.Vim.HostPosixAccountSpec
$accspec1.Id = "root"
# Extract the typed password from the credential object
$accspec1.Password = $newrootpswd.GetNetworkCredential().Password

Contributor

Hi

I have been using this script to change root password on multiple hosts. There is one problem, if there is an issue with any 1 host, the script terminates. I end up with only half the servers done and since the current root password becomes mismatched, I cannot run this anymore.

Is there a way to add error-check or something so the script skips any problem hosts and moves on changing the rest of the hosts? help appreciated

User Moderator

What is the type of error you get when the script fails on a host ?

Could you perhaps include the error message and the script you're actually using ?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Contributor

Script I am using is attached.

the script works perfectly fine if I have multiple hosts that have exact old password and am changing to new one.

Problem is when it is running through the 1...50 hosts and hiccups on say #33 because someone had changed the password to anything else other than what is listed as current root password in the above script. The script then fails with bad password on that host and does not continue to the rest of 34-50 hosts either. I want to be able to mark the one with the problem but still move ahead changing the pwd on rest of them.

Maybe before the script runs we could check password age on all hosts and make sure it is same? I am not sure how to do this.

User Moderator

You can use the ErrorAction parameter to continue when a Connect-VIServer fails.

At the end the script dumps all errors so you can see on which hosts it failed.

$errReport = @()
$rootpswd = "<root-password>"

$accspec1 = New-Object VMware.Vim.HostPosixAccountSpec
$accspec1.id = "<account>"
$accspec1.password = "<new-password>"
$accspec1.shellAccess = "/bin/bash"

Get-VMHost | % {
  # Keep going if the logon fails; the error is captured in $err
  Connect-VIServer $_.Name -User root -Password $rootpswd -ErrorAction SilentlyContinue -ErrorVariable err
  if($err.Count -eq 0){
    $si = Get-View ServiceInstance
    $acctMgr = Get-View -Id $si.content.accountManager

    $acctMgr.UpdateUser($accspec1)
  }

  # Collect this host's connection errors once, then reset for the next host
  $errReport += $err
  $err = ""
}

# Hosts on which the connection failed
$errReport


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference
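
The per-host error handling from the script above, combined with the Get-Credential prompt discussed earlier in the thread, as an added PowerShell example (not code from any poster in this thread). It assumes an existing vCenter connection, the same current root password on every host, and PowerShell 3.0 or later; the CSV file name is made up for illustration.

```powershell
# Added example. Assumes Connect-VIServer to vCenter has already been run.
# Prompt for both passwords so neither is stored in the script or shell history.
$oldCred = Get-Credential -UserName root -Message 'Current root password'
$newCred = Get-Credential -UserName root -Message 'New root password'

$spec = New-Object VMware.Vim.HostPosixAccountSpec
$spec.Id = $newCred.UserName
$spec.Password = $newCred.GetNetworkCredential().Password

$report = foreach ($vmhost in Get-VMHost) {
    $row = [pscustomobject]@{ Host = $vmhost.Name; Status = 'Unknown'; Detail = '' }
    $esx = $null
    try {
        # -NotDefault keeps the vCenter session as the default server;
        # -ErrorAction Stop turns a failed logon into a catchable error.
        $esx = Connect-VIServer -Server $vmhost.Name -Credential $oldCred -NotDefault -ErrorAction Stop
        # Scope every lookup to this host's session with -Server
        $si = Get-View ServiceInstance -Server $esx
        $acctMgr = Get-View -Id $si.Content.AccountManager -Server $esx
        $acctMgr.UpdateUser($spec)
        $row.Status = 'Changed'
    }
    catch {
        # Wrong current password, unreachable host, lockdown mode, etc.
        $row.Status = 'Failed'
        $row.Detail = $_.Exception.Message
    }
    finally {
        if ($esx) { Disconnect-VIServer -Server $esx -Confirm:$false -ErrorAction SilentlyContinue }
    }
    $row
}

# Drop the plaintext copy of the new password once the loop is done
$spec.Password = $null

# One row per host, so a partial run shows exactly which hosts still have the old password
$report | Sort-Object Status, Host | Format-Table -AutoSize
# Hypothetical output file listing the hosts that need follow-up
$report | Where-Object Status -eq 'Failed' | Export-Csv -Path .\root-rotation-failed.csv -NoTypeInformation
```

Re-running the loop against only the hosts in the failed list avoids offering the old password to hosts that have already been changed.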

Enthusiast

This can also be done with Koen Warsons ESX tasks

http://www.svmotion.com/

If you found this or any other answer useful please consider the use of the Helpful or correct buttons to award points
Contributor

yes, this works. thanks so much.

will also checkout the svmotion script. thanks again

Contributor

I get an error when I try to run this script, this is the same for both the useraccount and the root account

Get-View : The argument cannot be null or empty.

At changepwd.ps1:18 char:26

+ $acctMgr = Get-View -Id <<<< $si.content.accountManager

You cannot call a method on a null-valued expression.

At changepwd.ps1:20 char:22

+ $acctMgr.UpdateUser( <<<< $accspec1)

You cannot call a method on a null-valued expression.

At changepwd.ps1:21 char:22

+ $acctMgr.UpdateUser( <<<< $accspec2)

Help please!

I've recently upgraded to the new VIToolkit, could this be the problem, has the syntax changed?

Thanks,

Roger.

Expert

what do we do if the ESXi host has lockdown mode enabled ?

I tried connecting to VC and then using Get-VMHostAccount; it fails.

Connect-VIServer vcserver

$h = get-VMHost myESXi

Get-VMHostAccount -server $h.moref

error: Operation not supported

User Moderator

If security permits, you could use the Set-TkeVMHostLockdown function (Community extensions) to temporarily remove the lockdown mode.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Contributor

I have a problem: I cannot add one ESX host to a cluster. The root password doesn't work.

I cannot shut down the machine while there are many VMs running, and I don't get a maintenance window for that.

Is there a way to change the root password without knowing the old one?

I know that is insecure.

Please help.

User Moderator

Afaik, not without rebooting the ESX server :(

But can't you vMotion the VMs to another ESX server and then perform the reboot ?

____________

Blog: LucD notes

Twitter: lucd22


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference
