Hi
new-vipermission -role SpecialAdmin -principal "mydomain\special.tech" -entity exchange_pool
this is the syntax I would use to give the role SpecialAdmin to special.tech security group in mydomain, to the resource pool, exchange_pool.
It so happens that after years of building the vsphere environment, there are pool names and portgroup names that are the same. Its not impossible that different types of objects could have the same name. So for example if I have a portgroup called exchange_pool and a resource pool called exchange_pool ..
new-vipermission -role SpecialAdmin -principal "mydomain\special.tech" -entity exchange_pool .... will add the permission to the resource pool and not touch the portgroup.
I don't want to change hundreds of portgroup names. So How can I specify that I mean to target the portgroup, or a folder for that matter, or a VM.
Something like
new-vipermission -role SpecialAdmin -principal "mydomain\special.tech" -entity -type VDPortgroup exchange_pool
new-vipermission -role SpecialAdmin -principal "mydomain\special.tech" -entity -type Resource-Pool exchange_pool
new-vipermission -role SpecialAdmin -principal "mydomain\special.tech" -entity -type Folder exchange_pool.
A shot in the dark.
thanks
I think you meant
$exchangePool = Get-ResourcePool resource_pool ... instead of ... $exchangePool = Get-ResourcePool exchange_pool.
I took "exchange_pool" from your example, assuming the name of the pool was "exchange_pool".
Either way. My problem is the command sees what you feed it as a string rather than a type or object type. And "$variable = Get-whatever" will equate to a string in this case.
If there is a pool and a portgroup with the same name, the command will always act on the pool. Or so it seems from from I have tested.
I'm not able to reproduce the behavior you're seeing. In my environment I have 2 resource pools named "ESX Agents" and one dvPortGroup named "ESX Agents"
I do
$resourcePool = Get-ResourcePool "ESX Agents"
$pGroup = Get-VDPortGroup "ESX Agents"
Then run one of each with the different entity types:
PowerCLI C:\> New-VIPermission -role Admin -principal "LAB\tuser1" -entity $resourcePool
WARNING: Parameter 'Principal' is obsolete. This parameter no longer accepts multiple values.
WARNING: Parameter 'Entity' is obsolete. This parameter no longer accepts multiple values.
Role Principal Propagate IsGroup
---- --------- --------- -------
Admin LAB\tuser1 True False
Admin LAB\tuser1 True False
PowerCLI C:\> $pgroup = Get-VDPortGroup "ESX Agents"
PowerCLI C:\> New-VIPermission -role Admin -principal "LAB\tuser1" -entity $pgroup
WARNING: Parameter 'Principal' is obsolete. This parameter no longer accepts multiple values.
WARNING: Parameter 'Entity' is obsolete. This parameter no longer accepts multiple values.
Role Principal Propagate IsGroup
---- --------- --------- -------
Admin LAB\tuser1 True False
I know the first one only affects Resource Pools because I check the dvPortGroup after running the first command and it doesn't add the permission. I run the second one, refresh on permissions tab of the dvPortGroup again and this time it appears.
In your script, before the new-vipermission -role SpecialAdmin -principal "mydomain\special.tech" -entity exchange_pool line, add this:
$exchangePool = Get-ResourcePool exchange_pool
then change the line to:
new-vipermission -role SpecialAdmin -principal "mydomain\special.tech" -entity $resourcePool
This will go out and get all the resource pools named "exchange_pool" and then on the new-vipermission line, feed all those into the -entity parameter and will cause the permission to be created on the matching objects. Because we use the Get-ResourcePool cmdlet, you're scoping the objects to only Resource Pools.
Thank you Justin.
I think you meant
$exchangePool = Get-ResourcePool resource_pool ... instead of ... $exchangePool = Get-ResourcePool exchange_pool.
Either way. My problem is the command sees what you feed it as a string rather than a type or object type. And "$variable = Get-whatever" will equate to a string in this case.
If there is a pool and a portgroup with the same name, the command will always act on the pool. Or so it seems from from I have tested.
I think you meant
$exchangePool = Get-ResourcePool resource_pool ... instead of ... $exchangePool = Get-ResourcePool exchange_pool.
I took "exchange_pool" from your example, assuming the name of the pool was "exchange_pool".
Either way. My problem is the command sees what you feed it as a string rather than a type or object type. And "$variable = Get-whatever" will equate to a string in this case.
If there is a pool and a portgroup with the same name, the command will always act on the pool. Or so it seems from from I have tested.
I'm not able to reproduce the behavior you're seeing. In my environment I have 2 resource pools named "ESX Agents" and one dvPortGroup named "ESX Agents"
I do
$resourcePool = Get-ResourcePool "ESX Agents"
$pGroup = Get-VDPortGroup "ESX Agents"
Then run one of each with the different entity types:
PowerCLI C:\> New-VIPermission -role Admin -principal "LAB\tuser1" -entity $resourcePool
WARNING: Parameter 'Principal' is obsolete. This parameter no longer accepts multiple values.
WARNING: Parameter 'Entity' is obsolete. This parameter no longer accepts multiple values.
Role Principal Propagate IsGroup
---- --------- --------- -------
Admin LAB\tuser1 True False
Admin LAB\tuser1 True False
PowerCLI C:\> $pgroup = Get-VDPortGroup "ESX Agents"
PowerCLI C:\> New-VIPermission -role Admin -principal "LAB\tuser1" -entity $pgroup
WARNING: Parameter 'Principal' is obsolete. This parameter no longer accepts multiple values.
WARNING: Parameter 'Entity' is obsolete. This parameter no longer accepts multiple values.
Role Principal Propagate IsGroup
---- --------- --------- -------
Admin LAB\tuser1 True False
I know the first one only affects Resource Pools because I check the dvPortGroup after running the first command and it doesn't add the permission. I run the second one, refresh on permissions tab of the dvPortGroup again and this time it appears.
Thanks very much for this.
I was trying trying this before.
I did $pg=Get-VDPortgroup "exchange_pools"
But then I did ..... --entity $pg.Name.
So just using $pg instead of $pg.Name works.
thanks again.