Hi,
I have the below script which was kindly put together by LucD.
The current script creates local ESXi accounts, creates the role, assigns the accounts to the role on the host's root folder, and adds the users to the lockdown-mode exception list.
The change I would like to make is to stop creating local accounts and instead have the script look up the domain account RAC\svc_test_01 (on an AD-joined host) and carry out the remaining steps for it.
Please help, any help will be much appreciated.
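# Per-host onboarding for ESXi: ensures a role with a fixed privilege set exists,
# ensures each service account exists (creating it or resetting its password),
# grants the role on the host's "root" folder, and adds the accounts to the
# lockdown-mode exception list. Runs once per host listed in hosts.csv
# (column: Hostname), connecting directly to each ESXi host as root.
#
# Secrets are prompted for rather than embedded in the script: a plaintext root
# password in a shared script is a credential leak, and $newPassword ends up in
# every host's local account database, so it should never live in source.
$newUsers = "svc_test_lt01", "svc_test_lt02"
$newPassword = Read-Host -Prompt 'Password to set on the service accounts'
$rootCred = Get-Credential -UserName 'root' -Message 'ESXi root credential'
$roleName = "test_Role"
$privileges = 'Authorization.ModifyPermissions', 'Host.Config.SystemManagement', 'Host.Local.ManageUserGroups'

Import-Csv "C:\Temp\Mo\hosts.csv" |
ForEach-Object -Process {
    # Fail loudly on a bad connection instead of running every later cmdlet
    # against whatever default session happens to exist.
    $srv = Connect-VIServer -Server $_.Hostname -Credential $rootCred -ErrorAction Stop
    try {
        # Scope every lookup to this connection: with DefaultVIServers in
        # "Multiple" mode, a leftover session would otherwise be queried too.
        $priv = Get-VIPrivilege -Server $srv | Where-Object { $_.Id -in $privileges }

        # If Role exists assign new privileges, else create Role
        $role = Get-VIRole -Name $roleName -Server $srv -ErrorAction SilentlyContinue
        if ($role) {
            $role = Set-VIRole -Role $role -AddPrivilege $priv -Confirm:$false
        } else {
            $role = New-VIRole -Name $roleName -Privilege $priv -Server $srv -Confirm:$false
        }

        # Hoisted: the folder is the same for every user on this host.
        $folder = Get-Folder -Name "root" -Server $srv
        # User names (strings) for UpdateLockdownExceptions; the vSphere API
        # declares that parameter as string[], so pass IDs rather than
        # VMHostAccount objects and avoid relying on implicit conversion.
        $exceptionUsers = @()
        foreach ($userId in $newUsers) {
            # If Account exists set new password, else create Account
            $account = Get-VMHostAccount -Id $userId -Server $srv -ErrorAction SilentlyContinue
            if ($account) {
                $account = Set-VMHostAccount -UserAccount $account -Password $newPassword
            } else {
                $account = New-VMHostAccount -Id $userId -Password $newPassword -GrantShellAccess:$true `
                    -Description 'test User Access' -UserAccount -Server $srv
            }
            $exceptionUsers += $userId

            # If Permission exists set new Role, else create Permission
            $perm = Get-VIPermission -Entity $folder -Principal $userId -Server $srv -ErrorAction SilentlyContinue
            if (!$perm) {
                $perm = New-VIPermission -Entity $folder -Principal $userId -Role $role -Server $srv -Propagate $true -Confirm:$false
            } else {
                $perm = Set-VIPermission -Permission $perm -Role $role -Propagate $true
            }
        }

        # Add users to lockdown exceptions. Lockdown is lowered around the
        # update (as the original did, presumably because the exception list
        # cannot be edited while lockdown is active) but now restored in a
        # finally block: previously, an exception from UpdateLockdownExceptions
        # left the host with lockdown permanently disabled.
        $esx = Get-VMHost -Server $srv
        $accessMgr = Get-View $esx.ExtensionData.ConfigManager.HostAccessManager
        $oldLockDownMode = $accessMgr.LockdownMode
        $lockdownLowered = $false
        try {
            if ($oldLockDownMode -ne [VMware.Vim.HostLockdownMode]::lockdownDisabled) {
                $accessMgr.ChangeLockdownMode([VMware.Vim.HostLockdownMode]::lockdownDisabled)
                $lockdownLowered = $true
            }
            $accessMgr.UpdateLockdownExceptions($exceptionUsers)
        } finally {
            if ($lockdownLowered) {
                $accessMgr.ChangeLockdownMode($oldLockDownMode)
            }
        }
    } finally {
        # Always drop the session, even when a step above failed, so the next
        # host's cmdlets cannot silently target this one.
        Disconnect-VIServer -Server $srv -Confirm:$false
    }
}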