5 Replies Latest reply on Nov 10, 2017 6:41 AM by LittleNickey

    Multiple connections to the same VC?

    LittleNickey Enthusiast

      Hi,

       

      I've been trying to get around the issue that some users don't have permissions to set DRS cluster group membership by connecting an additional user ("service account") to the same VC who has "modify cluster" permissions.

      I've tried specifying the server using -Server ($global:DefaultVIServers | ?{$_.User -eq $ServiceAccount}) and it works when running manually, but when I run it in a script file it throws below error:

       

      Set-DrsClusterGroup : 2017-11-08 15:54:17 Set-DrsClusterGroup Permission to perform this operation was denied. Required

      privilege 'Host.Inventory.EditCluster' on managed object with id 'ClusterComputeResource-domain-c5869'.

      + ... " | Set-DrsClusterGroup -Server ($Global:DefaultVIServers | ? ...

      +                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

          + CategoryInfo          : NotSpecified: (:) [Set-DrsClusterGroup], NoPermission

          + FullyQualifiedErrorId : Client20_ComputeResourceServiceImpl_SetDrsClusterGroup_ViError,VMware.VimAutomation.ViCore

      .Cmdlets.Commands.SetDrsClusterGroup

       

       

      I've tried disconnecting the user then connecting the service account and it works when running manually, but when I run it in a script file it throws below error.

       

      Get-DrsClusterGroup : 2017-11-09 10:42:24 Get-DrsClusterGroup Server domain\username@vcenter.domain.local:443 is not connected.

      + ...             Get-DrsClusterGroup -Type VMGroup -Cluster $Cluster -Name ...

      +                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

          + CategoryInfo          : InvalidArgument: (:) [Get-DrsClusterGroup], ViServerConnectionException

          + FullyQualifiedErrorId : Client20_ConnectivityServiceImpl_TryVerifyIsConnected_NotConnected,VMware.VimAutomation.Vi

      Core.Cmdlets.Commands.GetDrsClusterGroup

       

       

      Command: Get-DrsClusterGroup -Type VMGroup -Cluster $Cluster -Name $DRSGroup | Set-DrsClusterGroup -Add -VM $VMName

      Powershell Version: 5.1.15063.674

      PowerCLI Version: 6.5.2.6234650

       

       

      It seems that the first user I connect with keep running commands even if I disconnect the user session and connect a new one when running it as a script, not as a terminal.

      How can I switch user/connection in a script or specify which user/connection to use when running a command that does not have the -User parameter?

        • 1. Re: Multiple connections to the same VC?
          LucD Guru
          Community WarriorsUser ModeratorsvExpert

          Did you check the content of $global:defaultviservers?

          Are there 2 connections liste din there?

          If yes, run Set-DrsClusterGroup with the Server parameter, and reference the entry with the service account.

          • 2. Re: Multiple connections to the same VC?
            LittleNickey Enthusiast

            Hi,

             

            that was what I'm doing and now I've double checked the dual-credentials by printing it right before:

             

            Name                           Port  User

            ----                           ----  ----

            VC              443   Domain\SA_VMware_Test

            VC              443   Domain\test_adm

             

            VERBOSE: 16:15: Setting DRS Group membership...

            VERBOSE: 2017-11-09 16:15:50 Set-DrsClusterGroup Started execution

            VERBOSE: Should perform operation 'Update DRS cluster group' on 'Site1 VMs'?

            Set-DrsClusterGroup : 2017-11-09 16:15:52       Set-DrsClusterGroup             Permission to perform this operation was denied. Require

            d privilege 'Host.Inventory.EditCluster' on managed object with id 'ClusterComputeResource-domain-c5869'.

            + ... VMs" | Set-DrsClusterGroup -Server ($Global:DefaultVIServers | ? ...

            +                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

                + CategoryInfo          : NotSpecified: (:) [Set-DrsClusterGroup], NoPermission

                + FullyQualifiedErrorId : Client20_ComputeResourceServiceImpl_SetDrsClusterGroup_ViError,VMware.VimAutomation.ViCo

               re.Cmdlets.Commands.SetDrsClusterGroup

             

            VERBOSE: 2017-11-09 16:15:52 Set-DrsClusterGroup Finished execution

             

            When I run the code slimmed down in a script it works and I cannot reproduce the error, but in a larger script where the Set-DRS command is part of a function in a module and the Connect-VIServer is performed in a script which uses the function I get above error. The $global:defaultviservers still shows both accounts, but even if I specify -Server ($global:defaultviservers | ?{$_.User -eq "Domain\SA_VMware_Test"}) it seems to be using the "user" account, not the "service" account which has the permissions. Not sure why though...

             

            I've even tried printing ($global:defaultviservers | ?{$_.User -eq "Domain\SA_VMware_Test"}) which shows only the correct connection.

            • 3. Re: Multiple connections to the same VC?
              LucD Guru
              vExpertUser ModeratorsCommunity Warriors

              Did you already try saving the output of both Connect-VIServer cmdlets in separate variables, and then using those variables on the Server parameter?

              • 5. Re: Multiple connections to the same VC?
                LittleNickey Enthusiast

                I broke the DRS part out of the function and executed it afterwards instead which seems to have solved the issue.