mbabu1
Enthusiast

Add existing Domain service account to ESXi and map to role and add to exception users list

Hi,

I have the below script which was kindly put together by LucD.

The current script creates a local account, creates the role, maps the account to the role and adds the user to the lockdown exceptions.

The change I wish to make is instead of creating a local account, I want the script to get the domain account RAC\svc_test_01 and carry out the rest accordingly.

Please help; any help will be much appreciated.

$newUsers = "svc_test_lt01","svc_test_lt02"
$newPassword = "VMware1!"
$roleName = "test_Role"
$privileges = 'Authorization.ModifyPermissions', 'Host.Config.SystemManagement', 'Host.Local.ManageUserGroups'

Import-Csv "C:\Temp\Mo\hosts.csv" |
    ForEach-Object -Process {
        $srv = Connect-VIServer -Server $_.Hostname -User 'root' -Password 'Password01'
        # Scope every lookup to this connection so other open VIServer sessions do not leak in
        $priv = Get-VIPrivilege -Server $srv | Where-Object { $_.Id -in $privileges }

        # If Role exists assign new privileges, else create Role
        $role = Get-VIRole -Name $roleName -Server $srv -ErrorAction SilentlyContinue
        if ($role) {
            $role = Set-VIRole -Role $role -AddPrivilege $priv -Confirm:$false
        } else {
            $role = New-VIRole -Name $roleName -Privilege $priv -Server $srv -Confirm:$false
        }

        $accounts = @()
        $newUsers | ForEach-Object -Process {
            # If Account exists set new password, else create Account
            $account = Get-VMHostAccount -Id $_ -Server $srv -ErrorAction SilentlyContinue
            if ($account) {
                $account = Set-VMHostAccount -UserAccount $account -Password $newPassword
            } else {
                $account = New-VMHostAccount -Id $_ -Password $newPassword -GrantShellAccess:$true `
                    -Description 'test User Access' -UserAccount -Server $srv
            }
            $accounts += $account

            # If Permission exists set new Role, else create Permission
            $folder = Get-Folder -Name "root" -Server $srv
            $perm = Get-VIPermission -Entity $folder -Principal $_ -Server $srv -ErrorAction SilentlyContinue
            if (!$perm) {
                $perm = New-VIPermission -Entity $folder -Principal $_ -Role $role -Server $srv -Propagate $true -Confirm:$false
            } else {
                $perm = Set-VIPermission -Permission $perm -Role $role -Propagate $true
            }
        }

        # Add users to lockdown exceptions (the API method takes user names, so pass the account Ids)
        $esx = Get-VMHost -Server $srv
        $accessMgr = Get-View $esx.ExtensionData.ConfigManager.HostAccessManager

        $oldLockDownMode = $accessMgr.LockdownMode
        if ($oldLockDownMode -ne [VMware.Vim.HostLockdownMode]::lockdownDisabled) {
            $accessMgr.ChangeLockdownMode([VMware.Vim.HostLockdownMode]::lockdownDisabled)
        }

        $accessMgr.UpdateLockdownExceptions([string[]]($accounts | ForEach-Object { $_.Id }))

        if ($oldLockDownMode -ne [VMware.Vim.HostLockdownMode]::lockdownDisabled) {
            $accessMgr.ChangeLockdownMode($oldLockDownMode)
        }

        Disconnect-VIServer -Server $srv -Confirm:$false
    }

LucD
Leadership

Besides the part for the creation/retrieval of the HostAccount, everything should be the same.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

mbabu1
Enthusiast

Thanks LucD,

Can you let me know which lines to edit/change so I can test the script, please? Unfortunately, I'm not a scripter and am trying my best to learn. :slightly_smiling_face:

Thanks

Mo

LucD
Leadership

You could start with something like this

$newUsers = "RAC\svc_test_01", "RAC\svc_test_02"
$roleName = "test_Role"
$privileges = 'Authorization.ModifyPermissions', 'Host.Config.SystemManagement', 'Host.Local.ManageUserGroups'

Import-Csv "C:\Temp\Mo\hosts.csv" |
    ForEach-Object -Process {
        $srv = Connect-VIServer -Server $_.Hostname -User 'root' -Password 'Password01'
        $priv = Get-VIPrivilege -Server $srv | Where-Object { $_.Id -in $privileges }

        # If Role exists assign new privileges, else create Role
        $role = Get-VIRole -Name $roleName -Server $srv -ErrorAction SilentlyContinue
        if ($role) {
            $role = Set-VIRole -Role $role -AddPrivilege $priv -Confirm:$false
        } else {
            $role = New-VIRole -Name $roleName -Privilege $priv -Server $srv -Confirm:$false
        }

        # No local account is created: the domain accounts already exist, only the permission is needed
        $newUsers | ForEach-Object -Process {
            # If Permission exists set new Role, else create Permission
            $folder = Get-Folder -Name "root" -Server $srv
            $perm = Get-VIPermission -Entity $folder -Principal $_ -Server $srv -ErrorAction SilentlyContinue
            if (!$perm) {
                $perm = New-VIPermission -Entity $folder -Principal $_ -Role $role -Server $srv -Propagate $true -Confirm:$false
            } else {
                $perm = Set-VIPermission -Permission $perm -Role $role -Propagate $true
            }
        }

        # Add the domain users to lockdown exceptions
        $esx = Get-VMHost -Server $srv
        $accessMgr = Get-View $esx.ExtensionData.ConfigManager.HostAccessManager

        $oldLockDownMode = $accessMgr.LockdownMode
        if ($oldLockDownMode -ne [VMware.Vim.HostLockdownMode]::lockdownDisabled) {
            $accessMgr.ChangeLockdownMode([VMware.Vim.HostLockdownMode]::lockdownDisabled)
        }

        $accessMgr.UpdateLockdownExceptions([string[]]$newUsers)

        if ($oldLockDownMode -ne [VMware.Vim.HostLockdownMode]::lockdownDisabled) {
            $accessMgr.ChangeLockdownMode($oldLockDownMode)
        }

        Disconnect-VIServer -Server $srv -Confirm:$false
    }



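The following is an added example, not code posted by LucD or anyone else in this thread. It carries out the same procedure as the solution above with the points a reviewer would raise on it tightened: the root password is prompted for instead of being kept in the script, each host's AD membership is checked before a RAC\ principal is granted anything (a domain principal only resolves on a host joined to that domain), and the existing lockdown exception list is read with QueryLockdownExceptions() and merged, because UpdateLockdownExceptions() sets the whole list and would otherwise drop any user already on it. The CSV path and Hostname column, the role name and the principal names are the ones from the thread; everything else is assumed.

```powershell
# Added example, not code from this thread. Grants existing AD service accounts a
# custom role on each ESXi host and adds them to the lockdown exception list without
# dropping users already on it. Assumes hosts.csv has a 'Hostname' column, PowerCLI
# is loaded, and each host is already joined to the RAC domain.
$newUsers   = 'RAC\svc_test_01', 'RAC\svc_test_02'
$roleName   = 'test_Role'
$privileges = 'Authorization.ModifyPermissions', 'Host.Config.SystemManagement', 'Host.Local.ManageUserGroups'

# Prompt for root once instead of embedding the password in the script
$rootCred = Get-Credential -UserName 'root' -Message 'ESXi root password'

Import-Csv 'C:\Temp\Mo\hosts.csv' | ForEach-Object -Process {
    $srv = Connect-VIServer -Server $_.Hostname -Credential $rootCred -ErrorAction SilentlyContinue
    if (-not $srv) {
        Write-Warning "$($_.Hostname): connection failed, skipping"
        return
    }
    try {
        $esx = Get-VMHost -Server $srv

        # A 'RAC\user' principal only resolves if the host is joined to the domain
        $auth = Get-VMHostAuthentication -VMHost $esx
        if ($auth.DomainMembershipStatus -ne 'Ok') {
            Write-Warning "$($esx.Name): AD membership status is '$($auth.DomainMembershipStatus)', skipping"
            return
        }

        # Role: add privileges if it exists, create it otherwise
        $priv = Get-VIPrivilege -Server $srv | Where-Object { $_.Id -in $privileges }
        $role = Get-VIRole -Name $roleName -Server $srv -ErrorAction SilentlyContinue
        if ($role) {
            $role = Set-VIRole -Role $role -AddPrivilege $priv -Confirm:$false
        } else {
            $role = New-VIRole -Name $roleName -Privilege $priv -Server $srv -Confirm:$false
        }

        # Permission on the root folder for each domain principal
        $rootFolder = Get-Folder -Name 'root' -Server $srv
        foreach ($user in $newUsers) {
            $perm = Get-VIPermission -Entity $rootFolder -Principal $user -Server $srv -ErrorAction SilentlyContinue
            if ($perm) {
                Set-VIPermission -Permission $perm -Role $role -Propagate $true | Out-Null
            } else {
                New-VIPermission -Entity $rootFolder -Principal $user -Role $role -Propagate $true `
                    -Server $srv -Confirm:$false | Out-Null
            }
        }

        # Lockdown exceptions: UpdateLockdownExceptions() replaces the whole list,
        # so read the current one and only write if something is actually missing
        $accessMgr = Get-View $esx.ExtensionData.ConfigManager.HostAccessManager -Server $srv
        $current   = @($accessMgr.QueryLockdownExceptions())
        $missing   = @($newUsers | Where-Object { $_ -notin $current })
        if ($missing.Count -gt 0) {
            $oldMode = $accessMgr.LockdownMode
            if ($oldMode -ne [VMware.Vim.HostLockdownMode]::lockdownDisabled) {
                # Lockdown is off between these two calls; the finally block restores it
                $accessMgr.ChangeLockdownMode([VMware.Vim.HostLockdownMode]::lockdownDisabled)
            }
            try {
                $accessMgr.UpdateLockdownExceptions([string[]]($current + $missing))
            } finally {
                if ($oldMode -ne [VMware.Vim.HostLockdownMode]::lockdownDisabled) {
                    $accessMgr.ChangeLockdownMode($oldMode)
                }
            }
        }

        # Emit the resulting state per host so the run can be reviewed afterwards
        $accessMgr.UpdateViewData()
        [pscustomobject]@{
            Host       = $esx.Name
            Domain     = $auth.Domain
            Lockdown   = $accessMgr.LockdownMode
            Exceptions = ($accessMgr.QueryLockdownExceptions() -join ', ')
        }
    } finally {
        Disconnect-VIServer -Server $srv -Confirm:$false
    }
}
```

The per-host object it emits can be piped to Export-Csv to keep a record of which hosts were changed and what their exception list and lockdown mode were after the run. The lockdown mode is only toggled when a user is actually missing from the list, which keeps the window in which lockdown is disabled to the single UpdateLockdownExceptions() call, and the try/finally makes sure the original mode is restored even if that call fails.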
mbabu1
Enthusiast

Hi LucD,

Worked like a dream!

Again, thank you and God bless you :slightly_smiling_face:
