Hi LucD,
I hope you're well. I have found the following script and wish to replace the 'datastore.browse' privilege with the following:
Root>Authorisation>ModifyPermissions
Root>Host>Config> SystemManagement
Root>Host>Local> ManageUserGroups
Root>System>All
Do I add a line for each of the above, or is there an easier way? Please advise and feel free to edit your script.
$newUser = "newuser1"
$newPassword = "Password123"
$roleName = "test_role"
Import-Csv "C:\Temp\Mo\hosts.csv" | %{
    $srv = Connect-VIServer -Server $_.Hostname -User 'root' -Password 'rootpassword'
    # Privilege that goes into the custom role
    $priv = Get-VIPrivilege -Server $srv | where {$_.Id -eq "Datastore.Browse"}
    # Create the role only if it does not exist yet
    $role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
    if(!$role){
        $role = New-VIRole -Name $roleName -Privilege $priv -Server $srv -Confirm:$false
    }
    # Reset the password if the account exists, otherwise create it
    $account = Get-VMHostAccount -Id $newUser -ErrorAction SilentlyContinue
    if($account){
        Set-VMHostAccount -UserAccount $account -Password $newPassword
    }
    else{
        New-VMHostAccount -Id $newUser -Password $newPassword -GrantShellAccess:$true `
            -AssignGroups 'root' -Description 'Test user creation' -UserAccount -Server $srv
    }
    # Grant the role to the user on the host root folder
    $folder = Get-Folder -Name "ha-folder-root" -Server $srv
    $perm = Get-VIPermission -Entity $folder -Principal $newUser -ErrorAction SilentlyContinue
    if(!$perm){
        New-VIPermission -Entity $folder -Principal $newUser -Role $role -Server $srv -Propagate $true -Confirm:$false
    }
    else{
        # -Propagate takes a Boolean value, not a bare switch
        Set-VIPermission -Permission $perm -Role $role -Propagate $true
    }
    Disconnect-VIServer -Server $srv -Confirm:$false
}
In addition to the above, the 'newuser1' needs to be added to the Exception users under lockdown mode. Thanks
Try something like this
$newUser = "newuser1"
$newPassword = "Password123"
$roleName = "test_role"
# Privilege Ids to put in the role (one array instead of one line per privilege)
$privileges = 'Authorization.ModifyPermissions', 'Host.Config.SystemManagement', 'Host.Local.ManageUserGroups'
Import-Csv "C:\Temp\Mo\hosts.csv" | ForEach-Object {
    $srv = Connect-VIServer -Server $_.Hostname -User 'root' -Password 'rootpassword'
    $priv = Get-VIPrivilege | Where-Object { $_.Id -in $privileges}
    $role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
    if (!$role) {
        $role = New-VIRole -Name $roleName -Privilege $priv -Server $srv -Confirm:$false
    }
    $account = Get-VMHostAccount -Id $newUser -ErrorAction SilentlyContinue
    if ($account) {
        Set-VMHostAccount -UserAccount $account -Password $newPassword
    } else {
        New-VMHostAccount -Id $newUser -Password $newPassword -GrantShellAccess:$true `
            -AssignGroups 'root' -Description 'Test user creation' -UserAccount -Server $srv
    }
    $folder = Get-Folder -Name "ha-folder-root" -Server $srv
    $perm = Get-VIPermission -Entity $folder -Principal $newUser -ErrorAction SilentlyContinue
    if (!$perm) {
        New-VIPermission -Entity $folder -Principal $newUser -Role $role -Server $srv -Propagate $true -Confirm:$false
    } else {
        Set-VIPermission -Permission $perm -Role $role -Propagate $true
    }
    # Add user to lockdown exceptions
    $esx = Get-VMHost
    $accessMgr = Get-View $esx.ExtensionData.ConfigManager.HostAccessManager
    $accessMgr.UpdateLockdownExceptions($account)
    Disconnect-VIServer -Server $srv -Confirm:$false
}
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
That 1st error seems to indicate you have multiple open connections.
Check what is in $global:defaultVIServers.
Then there are a number of other errors.
- your current ESXi version does not support LocalGroups anymore
- again some errors indicating you have a VCSA connection open
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
I think the error is very clear, the LocalGroup option is not supported anymore.
That script will not work in your environment.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Thanks LucD,
Is there a script in your arsenal that will work in my environment? Please share and I can test.
Thanks in advance
Many Thanks
Mo
Hi LucD,
I have managed to edit the script as follows and got it working, but the following is not working:
1. Adding to exception user list is not working
2. Disable the lockdown mode, add the user and enable it again. (disable and enable commands missing)
$newUser = "testuser"
$newPassword = "Password123"
$roleName = "testing"
$privileges = 'Authorization.ModifyPermissions', 'Host.Config.SystemManagement', 'Host.Local.ManageUserGroups'
Import-Csv "C:\Temp\Mo\hosts.csv" | ForEach-Object {
    $srv = Connect-VIServer -Server $_.Hostname -User 'root' -Password 'Password1234'
    $priv = Get-VIPrivilege | Where-Object { $_.Id -in $privileges}
    $role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
    if (!$role) {
        $role = New-VIRole -Name $roleName -Privilege $priv -Server $srv -Confirm:$false
    }
    $account = Get-VMHostAccount -Id $newUser -ErrorAction SilentlyContinue
    if ($account) {
        Set-VMHostAccount -UserAccount $account -Password $newPassword
    } else {
        New-VMHostAccount -Id $newUser -Password $newPassword -GrantShellAccess:$true `
            -AssignGroups 'root' -Description 'Test user creation' -UserAccount -Server $srv
    }
    $folder = Get-Folder -Name "root" -Server $srv
    $perm = Get-VIPermission -Entity $folder -Principal $newUser -ErrorAction SilentlyContinue
    if (!$perm) {
        New-VIPermission -Entity $folder -Principal $newUser -Role $role -Server $srv -Propagate $true -Confirm:$false
    } else {
        Set-VIPermission -Permission $perm -Role $role -Propagate $true
    }
    # Add user to lockdown exceptions
    $esx = Get-VMHost
    $accessMgr = Get-View $esx.ExtensionData.ConfigManager.HostAccessManager
    $accessMgr.UpdateLockdownExceptions($account)
    Disconnect-VIServer -Server $srv -Confirm:$false
}
Please can you do your magic?
Have a look at Re: Having issues with adding a user to the except... - VMware Technology Network VMTN
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Try something like this
$newUser = "testuser"
$newPassword = "VMware1!"
$roleName = "testing"
$privileges = 'Authorization.ModifyPermissions', 'Host.Config.SystemManagement', 'Host.Local.ManageUserGroups'
Import-Csv "C:\Temp\Mo\hosts.csv" |
ForEach-Object -Process {
    $srv = Connect-VIServer -Server $_.Hostname -User 'root' -Password 'Welcome2022!'
    $priv = Get-VIPrivilege | Where-Object { $_.Id -in $privileges }
    # If Role exists assign new privileges, else create Role
    $role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
    if ($role) {
        $role = Set-VIRole -Role $role -AddPrivilege $priv -Confirm:$false
    } else {
        $role = New-VIRole -Name $roleName -Privilege $priv -Server $srv -Confirm:$false
    }
    # If Account exists set new password, else create Account
    $account = Get-VMHostAccount -Id $newUser -ErrorAction SilentlyContinue
    if ($account) {
        $account = Set-VMHostAccount -UserAccount $account -Password $newPassword
    } else {
        $account = New-VMHostAccount -Id $newUser -Password $newPassword -GrantShellAccess:$true `
            -Description 'Test user creation' -UserAccount -Server $srv
    }
    # If Permission exists set new Role, else create Permission
    $folder = Get-Folder -Name "root" -Server $srv
    $perm = Get-VIPermission -Entity $folder -Principal $newUser -ErrorAction SilentlyContinue
    if (!$perm) {
        $perm = New-VIPermission -Entity $folder -Principal $newUser -Role $role -Server $srv -Propagate $true -Confirm:$false
    } else {
        $perm = Set-VIPermission -Permission $perm -Role $role -Propagate $true
    }
    # Add user to lockdown exceptions: lift lockdown, update the list, restore the old mode
    $esx = Get-VMHost
    $accessMgr = Get-View $esx.ExtensionData.ConfigManager.HostAccessManager
    $oldLockDownMode = $accessMgr.LockdownMode
    if ($oldLockDownMode -ne [VMware.Vim.HostLockdownMode]::lockdownDisabled) {
        $accessMgr.ChangeLockdownMode([VMware.Vim.HostLockdownMode]::lockdownDisabled)
    }
    $accessMgr.UpdateLockdownExceptions($account)
    if ($oldLockDownMode -ne [VMware.Vim.HostLockdownMode]::lockdownDisabled) {
        $accessMgr.ChangeLockdownMode($oldLockDownMode)
    }
    Disconnect-VIServer -Server $srv -Confirm:$false
}
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Hi LucD,
Thank you for the above, the script creates the role with the correct permissions but fails to create the user and add the user to the exception users list in lockdown mode.
See attached errors for your reference.
Please advise and let me know if I am doing something wrong.
Thanks in advance.
The account creation still tries to assign a group, that is not supported anymore.
That is what the error is saying. I don't see anything related to an exception list.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Hi LucD,
It's strange we don't see an error for not adding to the exceptions list. When we try the attached script, it creates the user and adds it to the exception list, but doesn't create the role. Can we use the commands for adding to the exceptions list from the attached script and add them to the above script you have created? Then we can test if it works.
You can do whatever you want, even ask Wouter.
For me the snippet creates the Role, not sure why it wouldn't work for you.
At least there should be an error message if something goes wrong.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Hi LucD,
Apologies, I was making a silly mistake when editing the script. As always all works like a dream...you Da Genius.
If I want to add two users at the same time (testuser1 and testuser2), can I do this in the same script, or do I need to run the script twice, changing the newuser field? And I assume I will have to add the below somewhere in the above script as well.
$HostAccess = Get-View -Id $vmhost.ExtensionData.ConfigManager.HostAccessManager
# Read the current exception list and append the new user, so existing entries are kept
$currentUsers = $HostAccess.QueryLockdownExceptions()
$newUsers = $currentUsers + $username
$HostAccess.UpdateLockdownExceptions($newUsers)
You could do something like this
$newUsers = "testuser1", "testuser2"
$newPassword = "VMware1!"
$roleName = "testing"
$privileges = 'Authorization.ModifyPermissions', 'Host.Config.SystemManagement', 'Host.Local.ManageUserGroups'
Import-Csv "C:\Temp\Mo\hosts.csv" |
ForEach-Object -Process {
    $srv = Connect-VIServer -Server $_.Hostname -User 'root' -Password 'Welcome2022!'
    $priv = Get-VIPrivilege | Where-Object { $_.Id -in $privileges }
    # If Role exists assign new privileges, else create Role
    $role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
    if ($role) {
        $role = Set-VIRole -Role $role -AddPrivilege $priv -Confirm:$false
    } else {
        $role = New-VIRole -Name $roleName -Privilege $priv -Server $srv -Confirm:$false
    }
    # Collect the account objects so they can be added to the exceptions in one call
    $accounts = @()
    $newUsers | ForEach-Object -Process {
        # If Account exists set new password, else create Account
        $account = Get-VMHostAccount -Id $_ -ErrorAction SilentlyContinue
        if ($account) {
            $account = Set-VMHostAccount -UserAccount $account -Password $newPassword
        } else {
            $account = New-VMHostAccount -Id $_ -Password $newPassword -GrantShellAccess:$true `
                -Description 'Test user creation' -UserAccount -Server $srv
        }
        $accounts += $account
        # If Permission exists set new Role, else create Permission
        $folder = Get-Folder -Name "root" -Server $srv
        $perm = Get-VIPermission -Entity $folder -Principal $_ -ErrorAction SilentlyContinue
        if (!$perm) {
            $perm = New-VIPermission -Entity $folder -Principal $_ -Role $role -Server $srv -Propagate $true -Confirm:$false
        } else {
            $perm = Set-VIPermission -Permission $perm -Role $role -Propagate $true
        }
    }
    # Add users to lockdown exceptions
    $esx = Get-VMHost
    $accessMgr = Get-View $esx.ExtensionData.ConfigManager.HostAccessManager
    $oldLockDownMode = $accessMgr.LockdownMode
    if ($oldLockDownMode -ne [VMware.Vim.HostLockdownMode]::lockdownDisabled) {
        $accessMgr.ChangeLockdownMode([VMware.Vim.HostLockdownMode]::lockdownDisabled)
    }
    $accessMgr.UpdateLockdownExceptions($accounts)
    if ($oldLockDownMode -ne [VMware.Vim.HostLockdownMode]::lockdownDisabled) {
        $accessMgr.ChangeLockdownMode($oldLockDownMode)
    }
    Disconnect-VIServer -Server $srv -Confirm:$false
}
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Hi LucD,
Perfect, the above works perfectly. I have found the cluster has all the hosts in lockdown mode (Normal) and I need to manually disable the lockdown mode for the script to access the host and run accordingly.
Is there any way of adding to the script to disable lockdown mode, run the script, and enable lockdown mode at the end? I assume you will need to access the vCenter. Happy to add in the vCenter name.
Please advise.
Many Thanks
Not while you are connected to the ESXi node itself.
When you have all these ESXi nodes connected to a vCenter, you could probably automate it from there.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Thanks LucD,
Is there a separate small script available that I can run to disable/enable the lockdown mode in the environment using the vCenter?
Thanks in advance.
Mo
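One way to do what LucD suggests, as an added example that is not LucD's or Mo's code: connect to vCenter, and for every host in the cluster lift lockdown, merge the users into the existing exception list (as Mo's QueryLockdownExceptions snippet above does, rather than replacing the list), and restore the original mode in a finally block so a host is never left unlocked after an error. The vCenter name, cluster name and user names are placeholders, and the local accounts are assumed to exist already.

```powershell
# Added example, not LucD's or Mo's code: handle lockdown from vCenter rather
# than from each ESXi host. Placeholders: vCenter name, cluster name, user names.
# The local accounts themselves are assumed to exist already on the hosts.
$vcName      = 'VCENTER-PLACEHOLDER'
$clusterName = 'CLUSTER-PLACEHOLDER'
$newUsers    = 'testuser1', 'testuser2'

# Prompt for vCenter credentials instead of embedding a password in the script
$vc = Connect-VIServer -Server $vcName

foreach ($esx in (Get-Cluster -Name $clusterName -Server $vc | Get-VMHost)) {
    $accessMgr = Get-View -Id $esx.ExtensionData.ConfigManager.HostAccessManager -Server $vc
    $oldMode   = $accessMgr.LockdownMode

    # 1. Lift lockdown only when it is actually on (normal or strict)
    if ($oldMode -ne [VMware.Vim.HostLockdownMode]::lockdownDisabled) {
        $accessMgr.ChangeLockdownMode([VMware.Vim.HostLockdownMode]::lockdownDisabled)
    }
    try {
        # 2. Merge into the existing exception list instead of overwriting it:
        #    UpdateLockdownExceptions sets the complete list, so read it first
        #    and add only the names that are not there yet.
        $current = @($accessMgr.QueryLockdownExceptions())
        $missing = @($newUsers | Where-Object { $_ -notin $current })
        if ($missing.Count -gt 0) {
            $accessMgr.UpdateLockdownExceptions($current + $missing)
        }
    }
    finally {
        # 3. Restore the original mode even if step 2 threw, so no host is
        #    left with lockdown disabled by accident
        if ($oldMode -ne [VMware.Vim.HostLockdownMode]::lockdownDisabled) {
            $accessMgr.ChangeLockdownMode($oldMode)
        }
        $accessMgr.UpdateViewData()   # refresh the cached view before reporting
        $exceptions = $accessMgr.QueryLockdownExceptions() -join ','
        Write-Host ("{0}: lockdown={1} exceptions={2}" -f $esx.Name, $accessMgr.LockdownMode, $exceptions)
    }
}

Disconnect-VIServer -Server $vc -Confirm:$false
```

The per-host line printed at the end doubles as a record of which hosts were touched and what their exception list looks like afterwards.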