LucD

You could start with something like this

$newUsers = "RAC\svc_test_01", "RAC\svc_test_02"
$newPassword = "VMware1!"
$roleName = "test_Role"
$privileges = 'Authorization.ModifyPermissions', 'Host.Config.SystemManagement', 'Host.Local.ManageUserGroups'

Import-Csv "C:\Temp\Mo\hosts.csv" |
    ForEach-Object -Process {
        $srv = Connect-VIServer -Server $_.Hostname -User 'root' -Password 'Password01'
        $priv = Get-VIPrivilege -Server $srv | Where-Object { $_.Id -in $privileges }

        # If Role exists assign new privileges, else create Role
        $role = Get-VIRole -Name $roleName -Server $srv -ErrorAction SilentlyContinue
        if ($role) {
            $role = Set-VIRole -Role $role -AddPrivilege $priv -Confirm:$false
        } else {
            $role = New-VIRole -Name $roleName -Privilege $priv -Server $srv -Confirm:$false
        }

        $newUsers | ForEach-Object -Process {
            # If Permission exists set new Role, else create Permission
            $folder = Get-Folder -Name "root" -Server $srv
            $perm = Get-VIPermission -Entity $folder -Principal $_ -Server $srv -ErrorAction SilentlyContinue
            if (!$perm) {
                $perm = New-VIPermission -Entity $folder -Principal $_ -Role $role -Server $srv -Propagate $true -Confirm:$false
            } else {
                $perm = Set-VIPermission -Permission $perm -Role $role -Propagate $true -Confirm:$false
            }
        }

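        # Add users to lockdown exceptions
        $esx = Get-VMHost -Server $srv
        $accessMgr = Get-View $esx.ExtensionData.ConfigManager.HostAccessManager

        $oldLockDownMode = $accessMgr.LockdownMode
        if ($oldLockDownMode -ne [VMware.Vim.HostLockdownMode]::lockdownDisabled) {
            $accessMgr.ChangeLockdownMode([VMware.Vim.HostLockdownMode]::lockdownDisabled)
        }

        # UpdateLockdownExceptions replaces the whole list, so merge with the current exceptions
        $exceptions = @($accessMgr.QueryLockdownExceptions()) + $newUsers | Where-Object { $_ } | Select-Object -Unique
        $accessMgr.UpdateLockdownExceptions([string[]]$exceptions)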

        if ($oldLockDownMode -ne [VMware.Vim.HostLockdownMode]::lockdownDisabled) {
            $accessMgr.ChangeLockdownMode($oldLockDownMode)
        }

        Disconnect-VIServer -Server $srv -Confirm:$false
    }


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference
