VMware Cloud Community
GovindaG
Contributor
Contributor

invoke-script permission error

Hi, while i am trying to use the invoke script, getting permission errors.

Error:

====

Invoke-VMScript : 9/23/2011 1:01:39 PM    Invoke-VMScript        Permission to perform this operation was denied.   
At C:\Documents and Settings\gajulg\Local Settings\Temp\f37b4ac0-779c-4c24-a8db-328d1136ec70.ps1:14 char:22
+ $vm | Invoke-VMScript <<<<  -HostCredential $hc -GuestCredential $gc $ifconfig
    + CategoryInfo          : NotSpecified: (:) [Invoke-VMScript], NoPermission
    + FullyQualifiedErrorId : Client20_VmGuestServiceImpl_RunScriptInGuest_ViError,VMware.VimAutomation.ViCore.Cmdlets.Commands.InvokeVmScript

Invoke-VMScript : 9/23/2011 1:01:41 PM    Invoke-VMScript        Permission to perform this operation was denied.   
At C:\Documents and Settings\gajulg\Local Settings\Temp\f37b4ac0-779c-4c24-a8db-328d1136ec70.ps1:15 char:22
+ $vm | Invoke-VMScript <<<<  -HostCredential $hc -GuestCredential $gc $route
    + CategoryInfo          : NotSpecified: (:) [Invoke-VMScript], NoPermission
    + FullyQualifiedErrorId : Client20_VmGuestServiceImpl_RunScriptInGuest_ViError,VMware.VimAutomation.ViCore.Cmdlets.Commands.InvokeVmScript

Scrip:

$hc = Get-Credential
$gc = Get-Credential
foreach ($a in $ips){
$netmask = "255.255.255.0"
$ip1= $a.Ip1
$gw1=$a.gw1
$vmname = $a.Vmname
$vm = Get-VM $vmname
$ifconfig = "ifconfig eth0 $ip1 netmask 255.255.255.0"
$route = "route add default gw $gw1"
Write-Host $vm
$vm | Invoke-VMScript -HostCredential $hc -GuestCredential $gc $ifconfig
$vm | Invoke-VMScript -HostCredential $hc -GuestCredential $gc $route
}

Reply
0 Kudos
34 Replies
LucD
Leadership
Leadership

Try my script in Will Invoke-VMScript work ?

It will check if the prerequisites to run Invoke-VMScript are present.

Does a BAT script (-ScriptType Bat) run on the guest ?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Reply
0 Kudos
Mokshir
Enthusiast
Enthusiast

Thanks Luc. Appreicate your help. I will post the result of the script asap.

Thanks again.

Mohit Kshirsagar

Reply
0 Kudos
Mokshir
Enthusiast
Enthusiast

Hey Luc,

this is what i got after running your script.

PowerCLI C:\> .\TestInvokeScript.ps1

Name                           Port  User
----                           ----  ----
192.168.14.181                 443   Administrator

OK                          : True
VM                          : FP-SCC-CS01
PoweredOn                   : True
X86Engine                   : True
ToolsInstalled              : True
Port902Open                 : True
FolderReadAccess            : True
PrivilegeConsoleInteraction : True
SupportedOS                 : True

No luck yet..

thanks

Mohit Kshirsagar

Reply
0 Kudos
LucD
Leadership
Leadership

All the prereqs seem to be there.

Does the guest account you use have the required permissions to change the network settings inside the guest OS.

Can you change the NIC settings with that account inside the guest ?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Reply
0 Kudos
Mokshir
Enthusiast
Enthusiast

Hmm.. i am using the administrator user on the VM. and I am able to everything inside the  VM. Do you think this might have to do something with the VMtools???

One the first attempt i just did a plain upgrade on the VMtools.

then i uninstalled the VMtools and reinstalled a fresh one.

Nothing changed. still seeing the same error.

did anything change in regards to vSphere authentication from 4.1 to 5.0???

Thanks,

Mohit

Reply
0 Kudos
admin
Immortal
Immortal

In vSphere 5.0, the PowerCLI uses the vSphere guest operations APIs (those living under the GuestOperationsManager object in the vSphere API).

These require different privileges than VIX, as VIX had a single privilege, since all its guest commands went over a TCP connect to the VM's host, and the only privilege was whether that connection could be established.

The vSphere guest operations APIs allow for a new, more granual set of permissions.

The new permissions are:

  • VirtualMachine.GuestOperations.Query - to read state from the virtual machine
  • VirtualMachine.GuestOperations.Modify - to write data in the virtual machine
  • VirtualMachine.GuestOperations.Execute - to start or kill a process in the virtual machine

Let me know if this helps.

Reply
0 Kudos
Mokshir
Enthusiast
Enthusiast

Oh Ok.. So do I need to set this somewhere? I mean on the target VM? or vCenter or vSphere???

Reply
0 Kudos
admin
Immortal
Immortal

You need to add these privileges to the role your vSphere user account has for the virtual machine object in vCenter.

For instructions on how to do this through the vSphere UI, please see:

http://www.vmware.com/pdf/vsphere4/r40/vsp_40_admin_guide.pdf

For instructions for how to do this with PowerCLI, please see:

http://blogs.vmware.com/vipowershell/2010/11/managing-vsphere-permissions-with-powercli.html

Reply
0 Kudos
Mokshir
Enthusiast
Enthusiast

Do i need to set the permission for the user "administrator"??

Also I have been trying different things with this invoke-vmscript.

1) I used standard -hostuser -hostpassword -guestuser -guestpassword in plain text. 4 /5 times it worked on 4 out of 5 VMs.

2) I used the PS credentials and 1 /5 times on all VMs succeeded.

Now I am in a fix, i thought its a guest credential issue but it works sometimes and sometimes it doesn't.

The VMs were created in a 4.1 environment (where all this works absolutely fine) . i moved the VMs to the vSphere 5.0 environment and upgraded the VMTools and Virtual hardware. I am seeing this issue consistently on vSphere 5.0 only.

I am not able to figureout what permission is the Invoke-VMScript talking about and why intermittently.

Any idea where else can I look. Does this look like a VMTools upgrade issue???

Thanks,

Mohit Kshirsagar

Reply
0 Kudos
LucD
Leadership
Leadership

Since you're on vSphere 5, did you check if you have the privileges Matt listed in his reply ?

In vSphere 5, the required privileges are different !


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Reply
0 Kudos
Mokshir
Enthusiast
Enthusiast

Actually I was not able to locate the exact privileges in the vCenter Server or ESXi Server. And again we are using Administrator and root on vCneter Server and ESXi Server which means we have full permision on all objects. Correct?

We noticed by using vSphere PowerCLI 4.1.1 Build 332441 we were able to use invoke-vmscript successfully repeatedly. However, with the PowerCLI 5.0.0 435426 we were able to use the command invoke-vmscript only the for the first time. Curiously, it worked once, again after a reboot of the ESXi Server. Ideas?

Please advise.

Thanks,

Mohit Kshirsagar

Reply
0 Kudos
LucD
Leadership
Leadership

You should check the permissions to see which role you have on a specific VM.

In the Role you find the privileges.

That sounds indeed strange.

Is the VM running a Windows OS ? Is there anything in the eventlogs in the OS running on the VM ?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Reply
0 Kudos
lihlcnkr
Enthusiast
Enthusiast

Hi,

In my case, after hot adding Nic device to VM, it always permission error.

some vm, GuestOperationsManager works well, but after hot adding nic device to vm,
it always throw GuestPermissionDenied exception.

username, password are correct.

before hot adding nic device, everything work well, and after cold adding nic device, it works well too.

It's like vmware issue, my environment is:

Vcenter version is 5.0
virtual machine guest OS is windows 2008 server R2

did you have any idea?

Reply
0 Kudos
French201110141
Contributor
Contributor

Hi,

I'm exaclty in the same situation. I'm running the same vshpere environnement and the same guest OS.

I didn't find any solution for the Invoke-VMScript Smiley Sad

Nothing on google too.

Regards,

Reply
0 Kudos
LucD
Leadership
Leadership

Could it be the NIC binding and the NIC driver, after the addition of the NIC.

Perhaps you can try reinstalling the VMware Tools ?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Reply
0 Kudos