VMware Cloud Community
swinkel
Contributor

Setting permission on a standalone host failed with the script I made

I've made a script for setting the permissions on our ESX hosts.

The goal is to set the permissions on the host itself. The same permissions as when connecting directly with the vSphere Client to the host.

The problem is that after running the script the permissions are not set on host level. They are only visible when connecting to the virtual center server.

This is my script:

#$esxCred = Get-Credential
$vcServer = read-host "Virtual center server: "
$vcServer =  $vcServer.Trim();
$cluster = read-host "Clustername "
$cluster = $cluster.Trim()
write-output "Credentials for ESX hosts "
$esxcred = get-credential

#Connect to vCenter
Connect-VIServer $vcServer | Out-Null

#Connect to ESX hosts in cluster
foreach ($esx in Get-Cluster $cluster | Get-VMHost) {
    write-output $esx
    Connect-VIServer $esx -Credential $esxCred | Out-Null
    New-VIPermission -Entity $esx -Principal '<DOMAINNAME>\ESX Admins' -Role NoAccess
}

#Disconnect from vCenter
Disconnect-VIServer $vcServer -Confirm:$false | Out-Null


Does anyone know why the permissions aren't set on host level?

When I execute the New-VIPermission when connecting to the ESX hosts it works well...


Accepted Solutions
Pavel_Dimitrov
VMware Employee

Hi,

In order to make it work you should replace:

New-VIPermission -Entity $esx -Principal 'BUSINESS\ESX Admins' -Role NoAccess -Server $esxConnect

With:

New-VIPermission -Entity $esx.Name -Principal 'BUSINESS\ESX Admins' -Role NoAccess -Server $esxConnect

It's not good to work with objects retrieved from one connection and use them directly in the context of another connection (relying on something like ToString() + OBN happening).

Regards,

Pavel

LucD
Leadership

Try using the -Server parameter on the New-VIPermission cmdlet.

Something like this

#$esxCred = Get-Credential
$vcServer = read-host "Virtual center server: "
$vcServer =  $vcServer.Trim();
$cluster = read-host "Clustername "
$cluster = $cluster.Trim()
write-output "Credentials for ESX hosts "
$esxcred = get-credential

#Connect to vCenter
Connect-VIServer $vcServer | Out-Null

#Connect to ESX hosts in cluster
foreach ($esx in Get-Cluster $cluster | Get-VMHost) {
    write-output $esx
    $esxConnect = Connect-VIServer $esx -Credential $esxCred
    New-VIPermission -Entity $esx -Principal 'BUSINESS\ESX Admins' -Role NoAccess -Server $esxConnect
    Disconnect-VIServer $esxConnect
}

#Disconnect from vCenter
Disconnect-VIServer $vcServer -Confirm:$false | Out-Null


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

LucD
Leadership

Didn't know that one. Is that because of the Uid in the object?

So if you switch vSphere server connections, always use the OBN.


Pavel_Dimitrov
VMware Employee

What I meant was that first Swinkel retrieves all VMHosts from a cluster, and then if he tries to use those VMHosts for setting permissions in the context of a new connection (directly to the specified ESX) it won't work.

Passing a VMHost object (which itself carries the connection from which it was retrieved) to a call where another server is specified is wrong, while passing its name is OK, as OBN will work (and the name of the VM host retrieved from a VC will match the name of the same host retrieved from a direct ESX connection).
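
The fix discussed in this thread, put together as one script. This is an added example, not code posted by any participant: it passes only host names across connections, targets each direct ESX connection with -Server, and reads the permission back from the host to confirm it landed there. The parameter names, the result object and the read-back step are assumptions; the principal default is the placeholder from the question.

```powershell
# Added example, not from the thread; parameter names and result layout are assumptions.
param(
    [Parameter(Mandatory)] [string] $VcServer,
    [Parameter(Mandatory)] [string] $Cluster,
    [string] $Principal = '<DOMAINNAME>\ESX Admins',   # placeholder taken from the question
    [string] $Role      = 'NoAccess'
)

$esxCred = Get-Credential -Message 'Credentials for ESX hosts'

# Use vCenter only to enumerate host names. VMHost objects stay bound to the
# connection they came from, so only plain strings leave this block.
$vc = Connect-VIServer -Server $VcServer
try {
    $hostNames = @(Get-Cluster -Name $Cluster -Server $vc |
        Get-VMHost | Select-Object -ExpandProperty Name)
}
finally {
    Disconnect-VIServer -Server $vc -Confirm:$false
}

$results = foreach ($name in $hostNames) {
    $esxConnect = $null
    try {
        $esxConnect = Connect-VIServer -Server $name -Credential $esxCred -ErrorAction Stop

        # Entity is given by name (OBN) and resolved on the direct host connection.
        New-VIPermission -Entity $name -Principal $Principal -Role $Role `
            -Server $esxConnect -ErrorAction Stop | Out-Null

        # Read back from the host itself, not from vCenter, to confirm the result.
        $applied = Get-VIPermission -Principal $Principal -Server $esxConnect |
            Where-Object { $_.Role -eq $Role }

        [pscustomobject]@{ Host = $name; Applied = [bool]$applied; Error = $null }
    }
    catch {
        [pscustomobject]@{ Host = $name; Applied = $false; Error = $_.Exception.Message }
    }
    finally {
        if ($esxConnect) { Disconnect-VIServer -Server $esxConnect -Confirm:$false }
    }
}

$results | Format-Table -AutoSize
```

Any row with Applied set to False marks a host where the permission exists at most in vCenter and a direct login to that host is still governed by its previous local permissions.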

swinkel
Contributor

Thanks for the correct answer and the explanation!

I've modified the script and now it works.

I'm sure I'll never forget this connection thing anymore... I've wasted a lot of time on this script.