4 Replies Latest reply on Mar 4, 2013 10:20 AM by BGilbert64

    Setting permissions on a VM

    BGilbert64 Novice

      We are running a VM hosting service. I have written scripts to create, delete, and update virtual machines. The problem I'm having is setting permissions on a VM. We have Active Directory (AD) groups for managing permissions on the VMs. I am able to add these AD groups manually through the vCenter console to the permissions tab on a VM but I have been unable to script the process. We are running vCenter 5.0. Any help would be greatly appreciated!

        • 1. Re: Setting permissions on a VM
          Hoschi201110141 Enthusiast

          Hi

          I've done this some time ago.. also within a vSphere 5 environment (no SSO).
          After some googling.. I've found some example code which I've reused:

          Unfortunately.. I'm not able to test the snippet while I write this post.. but I guess it's a starting-point for you:

          ---------------------------

          $vmguest = Get-VM -Name MyServer

          # Create the AD group with the Quest (QAD) cmdlets; $mrdOUb (target OU) and
          # $mrdgrppfx (group-name prefix) are assumed to be defined earlier (not shown)
          $mrdgrp = New-QADGroup -ParentContainer $mrdOUb -Name "$mrdgrppfx$vmguest" -SamAccountName "$mrdgrppfx$vmguest" -GroupType 'Security' -GroupScope 'DomainLocal'

          $vmID = $vmguest.Id
          $viRole = Get-VIRole -Name VirtualMachineUser
          $authMgr = Get-View AuthorizationManager
          $vmi = $vmguest | Get-View
          # Existing permissions on the VM, kept in their own variable so the new
          # permission object below does not overwrite them
          $existingPerms = $authMgr.RetrieveEntityPermissions($vmi.MoRef, $true)
          $perm = New-Object VMware.Vim.Permission
          $perm.group = $true
          $perm.principal = $mrdgrp
          $perm.propagate = $true
          $perm.roleId = $viRole.Id
          $authMgr.SetEntityPermissions($vmi.MoRef, $perm)

          ---------------------------

          BR

          Adrian

          • 2. Re: Setting permissions on a VM
            BGilbert64 Novice

            Thanks, Adrian! I have modified your script slightly since my AD groups already exist. The only line I changed was

            $mrdgrp = Get-ADGroup $ADVMGroupName

            The very last line in your script is giving me problems.

            $authMgr.SetEntityPermissions($vmi.MoRef, $perm) is throwing the error:

            Exception calling "SetEntityPermissions" with "2" argument(s): "The user or group named 'CN=VMCA_group_name,OU=CloudVMConsoleAccessGroups,DC=a***,DC=C********,DC=EDU' does not exist."
            At C:\Util\VMwareGroupTest.ps1:34 char:33
            +    $authMgr.SetEntityPermissions <<<< ($vmi.MoRef, $perm)
                + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
                + FullyQualifiedErrorId : DotNetMethodException

            That group does exist in AD and is found when I run the Get-ADGroup line. Any thoughts?

            • 3. Re: Setting permissions on a VM
              Hoschi201110141 Enthusiast

              Hi B

              Assuming you don't have multiple AD sites with replication problems / latency or something ... perhaps this could be the issue:

              In my script I use the QAD cmdlets ... when I wrote this script PowerShell had no "default" module.
              It might be that the QAD cmdlets return different strings by default than the ones from Microsoft.

              I suggest playing with this line to get an answer.. I'm not able to test this now.. excuse me..:

                   $perm.principal = $mrdgrp

                   # Does "principal" eventually imply a PrincipalName? Something like:
                   $perm.principal = 'VMCA_group_name@C********.EDU'

                   # Or second try..
                   $perm.principal = 'C********\VMCA_group_name'

              • 4. Re: Setting permissions on a VM
                BGilbert64 Novice

                Adrian,

                You were exactly right. I needed to change the $perm.principal to the form domain\group name for it to work. Thanks so much for your help!!!!

                Brian
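As an added example (not code from the thread or from VMware), here is the approach that posts 3 and 4 arrive at, wrapped into one PowerCLI function: it resolves the group with Get-ADGroup, passes the principal as DOMAIN\sAMAccountName rather than the distinguished name that vCenter rejected in post 2, skips the call when the group already holds that role on the VM, and defaults to the VirtualMachineUser role used above. It assumes PowerCLI and the ActiveDirectory module are loaded and Connect-VIServer has already been run; the function name, its parameters and the sample VM/group names are my own.

```powershell
# Added example, not from the thread. Assumes PowerCLI + ActiveDirectory module loaded
# and Connect-VIServer already run. Function name and parameters are my own.
function Grant-VmGroupPermission {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][string]$ADGroupName,
        [string]$RoleName = 'VirtualMachineUser',  # least-privilege default from the thread
        [switch]$Propagate                         # off by default: a VM has no children to inherit
    )

    $vm   = Get-VM -Name $VMName -ErrorAction Stop
    $role = Get-VIRole -Name $RoleName -ErrorAction Stop

    # Resolve the group with the Microsoft cmdlets. Stringifying the group object yields its
    # distinguished name, which vCenter rejects (post 2); it wants DOMAIN\sAMAccountName.
    $group     = Get-ADGroup -Identity $ADGroupName -ErrorAction Stop
    $domainDn  = $group.DistinguishedName -replace '^.*?,(?=DC=)', ''
    $netbios   = (Get-ADDomain -Identity $domainDn -ErrorAction Stop).NetBIOSName
    $principal = "$netbios\$($group.SamAccountName)"

    $authMgr = Get-View AuthorizationManager
    $vmView  = $vm | Get-View

    # Idempotency: skip if this principal already holds this role directly on the VM.
    $existing = $authMgr.RetrieveEntityPermissions($vmView.MoRef, $false) |
        Where-Object { $_.Principal -eq $principal -and $_.RoleId -eq $role.Id }
    if ($existing) {
        Write-Verbose "$principal already has role '$RoleName' on $VMName; nothing to do."
        return $existing
    }

    $perm = New-Object VMware.Vim.Permission
    $perm.Entity    = $vmView.MoRef
    $perm.Principal = $principal
    $perm.Group     = $true
    $perm.Propagate = [bool]$Propagate
    $perm.RoleId    = $role.Id
    $authMgr.SetEntityPermissions($vmView.MoRef, @($perm))
    Write-Verbose "Granted '$RoleName' to $principal on $VMName."
    return $perm
}

# Example call with constructed names: console access for one group on one VM.
Grant-VmGroupPermission -VMName 'MyServer' -ADGroupName 'VMCA_group_name' -Verbose
```

PowerCLI's New-VIPermission cmdlet (-Entity, -Principal, -Role, -Propagate) hides the Get-View plumbing but expects the same DOMAIN\group principal form. Running the function a second time reports the existing grant instead of adding a duplicate, which makes it safe to call from the provisioning scripts described in the question.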