I've made a script for setting the permissions on our ESX hosts.
The goal is to set the permissions on the host itself: the same permissions as when connecting directly to the host with the vSphere Client.
The problem is that after running the script the permissions are not set at host level. They are only visible when connecting to the virtual center server.
This is my script:
#$esxCred = Get-Credential
$vcServer = read-host "Virtual center server: "
$vcServer = $vcServer.Trim();
$cluster = read-host "Clustername "
$cluster = $cluster.Trim()
write-output "Credentials for ESX hosts "
$esxcred = get-credential
#Connect to vCenter
Connect-VIServer $vcServer | Out-Null
#Connect to ESX hosts in cluster
foreach ($esx in Get-Cluster $cluster | Get-VMHost) {
write-output $esx
Connect-VIServer $esx -Credential $esxCred | Out-Null
New-VIPermission -Entity $esx -Principal '<DOMAINNAME>\ESX Admins' -Role NoAccess
}
#Disconnect from vCenter
Disconnect-VIServer $vcServer -Confirm:$false | Out-Null
Does anyone know why the permissions aren't set at host level?
When I execute New-VIPermission while connected to the ESX hosts, it works well...
Try using the -Server parameter on the New-VIPermission cmdlet.
Something like this
#$esxCred = Get-Credential
$vcServer = read-host "Virtual center server: "
$vcServer = $vcServer.Trim();
$cluster = read-host "Clustername "
$cluster = $cluster.Trim()
write-output "Credentials for ESX hosts "
$esxcred = get-credential
#Connect to vCenter
Connect-VIServer $vcServer | Out-Null
#Connect to ESX hosts in cluster
foreach ($esx in Get-Cluster $cluster | Get-VMHost) {
write-output $esx
$esxConnect = Connect-VIServer $esx -Credential $esxCred
New-VIPermission -Entity $esx -Principal 'BUSINESS\ESX Admins' -Role NoAccess -Server $esxConnect
Disconnect-VIServer $esxConnect
}
#Disconnect from vCenter
Disconnect-VIServer $vcServer -Confirm:$false | Out-Null
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Hi,
In order to make it work you should replace:
New-VIPermission -Entity $esx -Principal 'BUSINESS\ESX Admins' -Role NoAccess -Server $esxConnect
With:
New-VIPermission -Entity $esx.Name -Principal 'BUSINESS\ESX Admins' -Role NoAccess -Server $esxConnect
It's not good to work with objects retrieved from one connection and use them directly in the context of another connection (relying that something like ToString() + OBN will happen).
Regards,
Pavel
Didn't know that one. Is that because of the Uid in the object?
So if you switch vSphere server connections, always use the OBN.
What I meant was that Swinkel first retrieves all VMHosts from a cluster, and then if he tries to use those VMHosts for setting permission in the context of a new connection (directly to the specified ESX), it won't work.
Passing a VMHost object (which itself carries the connection from which it was retrieved) to a call where another server is specified is wrong, while passing its name is OK, as OBN will work (and the name of the VM host retrieved from a VC will match the name of the same host retrieved from a direct ESX connection).
Thanks for the correct answer and the explanation!
I've modified the script and now it works.
I'm sure I'll never forget this connection thing again... I've wasted a lot of time on this script.
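The fix discussed in this thread, written out as a complete script with a read-back check against the host connection. This is an added example, not code posted by any participant. The principal 'EXAMPLE\ESX Admins' is a placeholder, and instead of passing the host name it re-resolves the host through the direct connection, which avoids the cross-connection object problem in the same way.

```powershell
# Added example, not code from the thread. Assumes VMware PowerCLI is installed.
# 'EXAMPLE\ESX Admins' is a placeholder principal; replace it with your own group.
$principal = 'EXAMPLE\ESX Admins'
$roleName  = 'NoAccess'

$vcServer = (Read-Host 'Virtual center server').Trim()
$cluster  = (Read-Host 'Clustername').Trim()
$esxCred  = Get-Credential -Message 'Credentials for ESX hosts'

$vc = Connect-VIServer -Server $vcServer
try {
    # Take only the host names from vCenter. The VMHost objects themselves stay
    # bound to the vCenter connection and must not be reused on a host connection.
    $hostNames = Get-Cluster -Name $cluster -Server $vc |
        Get-VMHost | Select-Object -ExpandProperty Name

    foreach ($hostName in $hostNames) {
        $esxConnect = Connect-VIServer -Server $hostName -Credential $esxCred
        try {
            # A direct ESX connection exposes exactly one host; fetch it through
            # that connection so the entity and the target server agree.
            $localHost = Get-VMHost -Server $esxConnect
            New-VIPermission -Entity $localHost -Principal $principal `
                -Role $roleName -Server $esxConnect | Out-Null

            # Check: read the permission back from the host, not from vCenter.
            $check = Get-VIPermission -Entity $localHost -Principal $principal `
                -Server $esxConnect | Where-Object { $_.Role -eq $roleName }
            if ($check) { Write-Output  "$hostName : permission present on host" }
            else        { Write-Warning "$hostName : permission NOT found on host" }
        }
        finally {
            # Always drop the host session, even if setting the permission failed.
            Disconnect-VIServer -Server $esxConnect -Confirm:$false
        }
    }
}
finally {
    Disconnect-VIServer -Server $vc -Confirm:$false
}
```

A warning line for a host means the permission did not land on that host's own permission store and only the vCenter-level view should be trusted for it.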