VMware Cloud Community
vmsiul
Enthusiast

vRA 8.6 | How to add "requesting" User to local Admin Group

Hello, 

First of all, thanks everyone for your feedback on this one...

We have been looking for different ways to get the vRA requesting user added to the local admin group for Windows and Linux VMs. One way to do that is by using Cloud-Init/Cloud-base and "env.requestedBy"; for example, in Windows we can then use PowerShell to get the user into the local admin group.

Since we are using Ansible to join the Windows VMs into the domain and do everything else needed via playbook, we cannot use this approach, because Cloud-Base will run before the Ansible playbook is executed, which means that the machine will not be in the domain yet.

I was wondering if someone has some ideas on how to do this using Ansible. I am not sure if there is a way to use "env.requestedBy" somehow in Ansible so we can then add the user to the local Administrators group in one of the steps of the playbook once the VM is added to the domain.

Otherwise, is there a way within the blueprint to change the order so the Ansible playbook is completed first and the Cloud-base/Cloud-init commands run afterwards to add the env.requestedBy user to the local admin group?

Any help here would be greatly appreciated. 

Thank you!

0 Kudos
5 Replies
paul_xtravirt
Expert

Hey, on the Ansible side of things I would suggest you have a look at using something like this.

If you need to pass information I suggest looking at HostVariables, to pass info from the yaml to ansible. There is a good example in the official documentation that can be read here.

Hope this helps!

If you found this helpful, please consider awarding some points
0 Kudos
vmsiul
Enthusiast

Thanks Paul, 

For testing I've been trying the following:

- name: Add a local and domain user to a local group
  ansible.windows.win_group_membership:
    name: Remote Desktop Users
    members:
      - NewLocalAdmin
      - mytestdomain\"{{ reqUser }}"
    state: present

In the blueprint I had defined the following var:

hostVariables: |

reqUser: '$(env.requestedBy}'

From what I found, requestedBy is a vRA var that contains the user that's performing the request.

When I run the Cloud Template / blueprint I get a syntax error.

Any ideas what can be wrong here? Might be something with - mytestdomain\"{{ reqUser }}

Thank you so much! 

0 Kudos
paul_xtravirt
Expert

Have you tried it without the quotes? Is your spacing correct? The reqUser line needs to be indented. If your YAML formatting isn't correct then it won't work. Have you tried the example I linked you to in my last reply? Does that example work OK?

hostVariables: |

  reqUser: $(env.requestedBy}

If you found this helpful, please consider awarding some points
0 Kudos
vmsiul
Enthusiast

Hello, 

For some reason the variable requestedBy is seen by Ansible like this; there isn't a user value to it.

 TASK [debug] ************************************************************************************************************************************
ok: [172.100.2.93] => {
"msg": "$(env.requestedBy}"
}

-----------------

Cloud Template is the following:

----------------

formatVersion: 1
inputs:
  machineName:
    type: string
    title: VM Hostname
    description: Enter hostname for the VM
  vm-size:
    type: string
    title: VM Size
    description: User to enter the size of the VM
    enum:
      - Small (1vCPU|2Gb)
resources:
  Cloud_vSphere_Machine_1:
    type: Cloud.vSphere.Machine
    properties:
      image: w2k6_ansible
      cpuCount: 1
      totalMemoryMB: 1024
      hostName: '${input.machineName}'
      reqUser: '$(env.requestedBy}'
      networks:
        - network: '${resource.Cloud_vSphere_Network_1.id}'
          name: ''
  Cloud_vSphere_Network_1:
    type: Cloud.vSphere.Network
    properties:
      networkType: existing
  Cloud_Ansible_1:
    type: Cloud.Ansible
    properties:
      authentication: usernamePassword
      inventoryFile: /home/ansible/inventory
      username: user
      password: XXX
      hostName: '${resource.Cloud_vSphere_Machine_1.networks[0].address}'
      groups:
        - win
      playbooks:
        provision:
          - /home/ansible/windows.yml
      hostVariables: |
        message: Hello ${env.requestedBy}
        project: ${env.projectName}
        hostName: ${input.machineName}
        reqUser: $(env.requestedBy}
      osType: windows
      maxConnectionRetries: 30
      account: DEV Ansible Control Machine
      host: '${resource.Cloud_vSphere_Machine_1.*}'

I am not sure if I am doing something wrong, or requestedBy isn't working. Ultimately all I want to do is to pass the requestedBy, the user that requested the deployment, as a member of the local administrator group using Ansible. If I use the example you've provided and set the DOMAIN\user statically, the deployment and the Ansible playbook work as expected.

I've also noticed that in the Deployment/Topology the message I do with the variable is picking up the correct user, but the other one comes as reqUser: $(env.requestedBy}

Custom properties
Name              Value
endpointId        a3741c42-6d5f-4a53-893a-582c30f8e4a0
endpointType      ansible
groups            ["winserver"]
hostName          172.2.8.10
hostVariables     message: Hello admin project: PRJ-T hostName: win30 reqUser: $(env.requestedBy}
inventoryFile     /home/ansible/inventory
previousHostName  172.8.8.10
resourceLink      9f08ff8d-385f-407f-97e8-d89d39e5c7a8

0 Kudos
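
In the custom properties above, `${env.requestedBy}` in `message` resolved to `admin`, while `$(env.requestedBy}` reached Ansible unchanged. The following Python check is an added example, not part of the original posts or of any VMware or Ansible code: it flags template expressions whose opening and closing delimiters do not match, and rejects a leftover placeholder before it is used as a group member. The function names, the sample text and the account-name pattern are assumptions.

```python
import re

# Constructed sample in the shape of the hostVariables block quoted in the thread.
SAMPLE_TEMPLATE = """\
hostVariables: |
  message: Hello ${env.requestedBy}
  project: ${env.projectName}
  hostName: ${input.machineName}
  reqUser: $(env.requestedBy}
"""

# "$" + opening delimiter, a body with no delimiters, then the first closer.
EXPR = re.compile(r"\$([({])([^(){}\n]*)([)}])")
# Assumed shape of an acceptable account name: "user" or "user@domain".
ACCOUNT = re.compile(r"[A-Za-z0-9._-]{1,64}(@[A-Za-z0-9.-]{1,255})?")


def lint_expressions(template_text):
    """Return (line_no, expression, problem) for each mismatched expression."""
    findings = []
    for line_no, line in enumerate(template_text.splitlines(), start=1):
        for match in EXPR.finditer(line):
            opener, _body, closer = match.groups()
            if (opener, closer) != ("{", "}"):
                problem = f"opens with '${opener}' but closes with '{closer}'"
                findings.append((line_no, match.group(0), problem))
    return findings


def is_resolved_account(value):
    """True only if the value looks like an account name, not a leftover expression."""
    return ACCOUNT.fullmatch(value) is not None


if __name__ == "__main__":
    for line_no, expr, problem in lint_expressions(SAMPLE_TEMPLATE):
        print(f"line {line_no}: {expr} {problem}")
    # The literal string from the debug task output is rejected; a plain name passes.
    print(is_resolved_account("$(env.requestedBy}"))
    print(is_resolved_account("admin"))
```

Running the second check in the playbook's control path, before any group-membership task, makes a deployment fail closed instead of passing an unresolved string to the local Administrators group.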
Arunkumarbcd
Contributor

Hi All,

Thanks for starting this thread on adding the requesting user to the local admin group in Windows. In vRA 7.6, I was able to get this using the vmguest agent and the custom properties combination of adding a small executable in the template. In vRA 8 I have been trying to achieve this using Cloudbase-Init and have been unsuccessful. I am trying to execute PowerShell using cloud config as below. Can someone guide me if there is a better/easier way to achieve this?

Note: Local Admins are not enabled in template and customization spec is running to add vm to domain

cloudConfig: |
  #cloud-config
  write_files:
    content: Cloudbase-Init test
    path: C:\test.txt
  #ps1_sysnative
  Add-LocalGroupMember -Group "Administrators" -Member "${env.requestedBy}"

0 Kudos