15 Replies Latest reply on Aug 6, 2008 5:03 PM by wharlie

    Add local users to multiple servers

    conradsia Hot Shot

      I am looking to add some local users and I want to see if this can be done with powershell. I am completely new to powershell so I am looking for some direction. Any help will be appreciated.

       

      Thanks

        • 1. Re: Add local users to multiple servers
          LucD Guru

          Where do you want to add these local users?

          To the ESX servers or to servers running as guests?

          Blog: http://lucd.info | Twitter: @LucD22 | PowerCLI Reference co-author: http://tinyurl.com/hkn4glz
          • 2. Re: Add local users to multiple servers
            halr9000 Master

            Do you have a virtual center server or not?  The answer affects how you work with multiple servers (but it can be done either way).

             

            Author of the upcoming book: Managing VMware Infrastructure with PowerShell

            Co-Host, PowerScripting Podcast (http://powerscripting.net)

            • 3. Re: Add local users to multiple servers
              Enthusiast

               

              If you are looking to add local users to ESX servers, there is a cmdlet called 'New-VMHostAccount' that can help you do that.

               

               

              Unfortunately there is no cmdlet for VC.

               

               

              1 person found this helpful
              • 4. Re: Add local users to multiple servers
                Master

                You could probably use something like Quest's Active Directory cmdlets to, for lack of a better way of describing it, "add users to VirtualCenter", assuming that you use Active Directory with VC.

                • 5. Re: Add local users to multiple servers
                  conradsia Hot Shot

                   

                  Hello,

                   

                   

                  Thanks for all the replies, yes we use virtual center, yes I use AD authentication to virtual center and yes we authenticate to the ESX servers using Kerberos. I need to add new admins to all of our ESX hosts when we hire on new people so I need a more efficient way to do this than logging in to each server and doing a user add. I also need to add them to the sudoers file.

                   

                   

                  I think your answers will help get me going but any more suggestions are most definitely welcome.

                   

                   

                  • 6. Re: Add local users to multiple servers
                    halr9000 Master
                    conradsia wrote:

                    I need to add new admins to all of our ESX hosts when we hire on new people so I need a more efficient way to do this than logging in to each server and doing a user add.

                     

                    Try something like this (not tested):

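                    param (
                         $Server,                # one or more ESX host names
                         $UserID,                # one or more account names to create
                         $Password = "t3mpP@ss", # default temporary password for the new accounts
                         $Group = @("adm", "floppy", "gopher")
                    )
                    
                    # connect to the hosts passed in -Server
                    $conn = connect-viserver -server $Server # you'll be prompted to login
                    $desc = "ESX Server Administrator Account"
                    # create each account on every connected host
                    $UserID | ForEach-Object {
                         new-vmhostaccount -server $conn -Id $_ -Description $Desc -Password $Password `
                              -AssignGroups $Group
                    }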

                    Save as a file (e.g. makeAcct.ps1) and use like so:

                    PS > $esx = "server1", "server2", "server3"
                    PS > $users = "jsmith", "bsmith", "ksmith"
                    PS > .\makeAcct.ps1 -server $esx -userID $users

                    You may want to change those groups. 

                     

                     

                     

                     

                     

                    Author of the upcoming book: Managing VMware Infrastructure with PowerShell

                    Co-Host, PowerScripting Podcast (http://powerscripting.net)

                    • 7. Re: Add local users to multiple servers
                      wharlie Novice

                       

                      Hal,

                       

                       

                      I'm new to powershell.

                      I am using a script similar to yours.

                      The problem I am having is that it creates the new user account but doesn't give it shell access.

                       

                       

                      • 8. Re: Add local users to multiple servers
                        halr9000 Master

                        You'll need to use '-AssignGroups $Group' and choose a sensible default for that.

                         

                        Author of the upcoming book: Managing VMware Infrastructure with PowerShell

                        Co-Host, PowerScripting Podcast (http://powerscripting.net)

                        • 9. Re: Add local users to multiple servers
                          halr9000 Master

                          Note that you don't have to do it over...use Get-VMHostAccount to grab the user accounts you have created, then pipe to Set-VMHostAccount and use the AssignGroups parameter as you would with New-VMHostAccount.

                           

                          Get-VMHostAccount -id jsmith | set-vmhostaccount -assigngroups @("gopher", "ftp") # don't use these groups :)

                           

                          Author of the upcoming book: Managing VMware Infrastructure with PowerShell

                          Co-Host, PowerScripting Podcast (http://powerscripting.net)

                          • 10. Re: Add local users to multiple servers
                            wharlie Novice

                            I don't quite understand.

                            When I create a new user with New-VMHostAccount it creates an account that doesn't have shell access.

                            No default shell as per line below from /etc/passwd.

                            newuser:x:502:501::/home/newuser:/bin/false

                            As I understand it needs to be

                            newuser:x:502:501::/home/newuser:/bin/bash

                             

                            Thanks for your help

                            • 11. Re: Add local users to multiple servers
                              halr9000 Master

                              When I create a new user with New-VMHostAccount it creates an account that doesn't have shell access.

                              No default shell as per line below from /etc/passwd.

                               

                              Oh!  I get it now.  Hmm...that's a good one...

                               

                              I'm gonna make a snap judgement and say that this may not be doable using polite conventional means.  I mean, by design, you would not normally give your ESX users shell access, no matter their level of permission on the host server itself.  That is sort of crossing the application boundary over to the COS (console OS).  It is entirely possible that this is not doable from the VI SDK, and hence, not /easy/ from PowerShell.

                               

                              Didn't say not possible though.  Let's hear a couple more opinions on the VI SDK's abilities before I go down the no-vi-sdk route.

                               

                              --

                              Author, Tech Prosaic blog (http://halr9000.com)

                              Webmaster, Psi (http://psi-im.org)

                              Community Director, PowerShellCommunity.org

                              Co-host, PowerScripting Podcast (http://powerscripting.net)

                              Follow me on Twitter: http://twitter.com/halr9000

                              • 12. Re: Add local users to multiple servers
                                wharlie Novice

                                 

                                I should have mentioned this is only for top level ESX admins.

                                There are still lots of things you can't do through the VC client.

                                We prefer our admins to log in with their own accounts and su to root if needed.

                                We have 44 ESX 3.5 hosts and it's a pain to have to log into each host via the VC client to create and delete accounts.

                                There are other ways I can do this but I thought I'd give powershell a go.

                                 

                                Thanks again

                                 

                                 

                                • 13. Re: Add local users to multiple servers
                                  halr9000 Master

                                  There are other ways I can do this but I thought I'd give powershell a go.

                                   

                                  Well, that's certainly what this forum is for.  It's just that if it cannot be done via the VI SDK then it gets ugly.

                                   

                                  I should have mentioned this is only for top level ESX admins.

                                   

                                  Oh, I don't care what you do. I was just making sure that you did recognize the distinction betwixt COS and ESX admins.

                                   

                                  There are still lots of things you can't do through the VC client.

                                   

                                  You mind starting a new thread with this list of things?  It would be a good seed for new scripts for others to write.

                                   

                                  We prefer our admins to log in with their own accounts and su to root if needed.

                                  We have 44 ESX 3.5 hosts and it's a pain to have to log into each host via the VC client to create and delete accounts.

                                   

                                  Well, we can't have you doing it that way, that's just silly.

                                   

                                  Step 1. Download plink from the putty project (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html) and put it in your path.

                                  Step 2. Make a mess...

                                   

                                  This assumes that your ESX server names are resolvable via DNS.

                                   

                                  $user = "root"
                                  $pass = "pass"
                                  # example sed cmd only...it'll enable shell access for *all* users
                                  $cmd = "sed -i 's/\/bin\/false/\/bin\/bash/g' /etc/passwd"
                                  Get-VMHost | ForEach-Object {
                                          plink -batch -pw $pass "$user@$( $_.Name )" $cmd
                                  }

                                   

                                  Now is the time where someone else writes your sed command--I'm not that skilled at those.  You may want to make a loop for each user, or you might for example just search for all lines which contain a certain group (e.g. wheel) and enable shell on those.

                                   

                                  -hal
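The per-user loop suggested in the post above, as an added example that is not part of the original thread: it reads `/etc/passwd` content, validates an allow-list of admin names, and emits one `usermod` command per listed account that currently has no login shell, while flagging other accounts that already have one. The function name `Get-ShellChangePlan`, the account-name pattern and the sample passwd lines are assumptions constructed for illustration; it assumes PowerShell 3.0 or later and that `usermod` is available on the service console.

```powershell
# Constructed sample input in /etc/passwd format (7 colon-separated fields).
$passwd = @'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
svcmon:x:500:100:constructed service account:/home/svcmon:/bin/false
jsmith:x:501:501:ESX Server Administrator Account:/home/jsmith:/bin/false
newuser:x:502:501::/home/newuser:/bin/false
olduser:x:503:501::/home/olduser:/bin/bash
'@

function Get-ShellChangePlan {
    param([string]$PasswdText, [string[]]$Admins)

    # Reject names that could break out of the remote command line.
    foreach ($name in $Admins) {
        if ($name -cnotmatch '^[a-z_][a-z0-9_-]{0,31}$') {
            throw "Refusing unsafe account name: '$name'"
        }
    }
    $noLogin = '/bin/false', '/sbin/nologin'
    foreach ($line in $PasswdText -split "`r?`n") {
        $f = $line.Split(':')
        if ($f.Count -ne 7) { continue }           # skip blank or malformed lines
        $name, $shell = $f[0], $f[6]
        $isAdmin = $Admins -ccontains $name
        if ($isAdmin -and $noLogin -contains $shell) {
            # usermod changes one account; service accounts keep /bin/false
            [pscustomobject]@{ Account = $name; Action = 'Enable'
                Command = "usermod -s /bin/bash $name" }
        }
        elseif (-not $isAdmin -and $name -ne 'root' -and $noLogin -notcontains $shell) {
            # login shell on an account nobody listed: report it, change nothing
            [pscustomobject]@{ Account = $name; Action = 'Review'; Command = $null }
        }
    }
}

Get-ShellChangePlan -PasswdText $passwd -Admins 'jsmith', 'newuser' |
    Format-Table Account, Action, Command -AutoSize
```

Each `Command` string can be sent with plink in place of the blanket sed; `Review` rows are accounts that have a login shell but are not on the allow-list.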

                                  • 14. Re: Add local users to multiple servers
                                    Master

                                    Looks like something we left out. Can you try this as a temporary measure:

                                     

                                    function Create-ShellUser {
                                     param($id, $password=$null, $description=$null, $posixId=$null)
                                    
                                     # get the host's account manager through the service instance
                                     $si = get-view serviceinstance
                                     $accountManager = get-view $si.Content.AccountManager
                                     # describe the new POSIX account
                                     $as = new-object VMware.Vim.HostPosixAccountSpec
                                     $as.id = $id
                                     $as.password = $password
                                     $as.description = $description
                                     $as.shellAccess = $true   # give the account a login shell
                                     $as.posixId = $posixId
                                     $accountManager.CreateUser($as)
                                    }
                                    

                                     

                                    Sample usage: create-shelluser -id rewt -password pass

                                     

                                    Note that you need to connect directly to ESX to make this work, it seems to be a quirk of the underlying API.
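The temporary function above wrapped for many hosts, as an added example that is not code from the thread or from VMware: it connects directly to each ESX host as the note requires, prompts for credentials instead of embedding passwords in the script, and disconnects even when a host fails. The function name `New-EsxShellUser` and the host names are hypothetical; it assumes the VI Toolkit/PowerCLI cmdlets are loaded and PowerShell 3.0 or later.

```powershell
function New-EsxShellUser {
    param(
        [string[]]$VMHost,   # ESX host names, connected to one at a time
        [System.Management.Automation.PSCredential]$RootCredential,
        [System.Management.Automation.PSCredential]$NewUser,
        [string]$Description = 'ESX Server Administrator Account'
    )
    foreach ($h in $VMHost) {
        $conn = $null
        try {
            # Direct connection to the host, not through VirtualCenter
            $conn = Connect-VIServer -Server $h -Credential $RootCredential -ErrorAction Stop
            $si   = Get-View ServiceInstance -Server $conn
            $mgr  = Get-View $si.Content.AccountManager -Server $conn

            $spec = New-Object VMware.Vim.HostPosixAccountSpec
            $spec.Id          = $NewUser.UserName
            $spec.Password    = $NewUser.GetNetworkCredential().Password
            $spec.Description = $Description
            $spec.ShellAccess = $true
            $mgr.CreateUser($spec)
            [pscustomobject]@{ Host = $h; User = $spec.Id; Result = 'Created' }
        }
        catch {
            # Record the failure and carry on with the remaining hosts
            [pscustomobject]@{ Host = $h; User = $NewUser.UserName; Result = "Failed: $_" }
        }
        finally {
            if ($conn) { Disconnect-VIServer -Server $conn -Confirm:$false }
        }
    }
}

# Prompt for secrets so they never sit in the script or the command history.
$root  = Get-Credential -Message 'root account on the ESX hosts'
$admin = Get-Credential -Message 'name and initial password for the new admin'
# Hypothetical host names
New-EsxShellUser -VMHost 'esx01.example.com', 'esx02.example.com' `
    -RootCredential $root -NewUser $admin
```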
