topic Re: All multiple privileges fao LucD in VMware PowerCLI Discussions

Add multiple privileges fao LucD - Help

mbabu1 — Fri, 05 May 2023 09:23:21 GMT

Hi LucD,

I hope your well, I have found the following script and wish to replace the 'datastore.browse' privilege with the following:

Root>Authorisation>ModifyPermissions

Root>Host>Config> SystemManagement

Root>Host>Local> ManageUserGroups

Root>System>All

Do I add a line for each of the above or is there an easier way. Please advise and feel free to edit your script

$newUser = "newuser1"
$newPassword = "Password123"
$roleName = "test_role"

Import-Csv "C:\Temp\Mo\hosts.csv" | %{
$srv = Connect-VIServer -Server $_.Hostname -User 'root' -Password 'rootpassword'
$priv = Get-VIPrivilege -Server $srv | where {$_.Id -eq "Datastore.Browse"}
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if(!$role){
$role = New-VIRole -Name $roleName -Privilege $priv -Server $srv -Confirm:$false
}
$account = Get-VMHostAccount -Id $newUser -ErrorAction SilentlyContinue
if($account){
Set-VMHostAccount -UserAccount $account -Password $newPassword }
else{
New-VMHostAccount -Id $newUser -Password $newPassword -GrantShellAccess:$true `
-AssignGroups 'root' -Description 'Test user creation' -UserAccount -Server $srv
}
$folder = Get-Folder -Name "ha-folder-root" -Server $srv
$perm = Get-VIPermission -Entity $folder -Principal $newUser -ErrorAction SilentlyContinue
if(!$perm){
New-VIPermission -Entity $folder -Principal $newUser -Role $role -Server $srv -Propagate $true -Confirm:$false
}
else{
Set-VIPermission -Permission $perm -Role $role -Propagate
}
Disconnect-VIServer -Server $srv -Confirm:$false
}

Re: All multiple privileges fao LucD

mbabu1 — Thu, 04 May 2023 17:00:39 GMT

In addition to the above the 'newuser1' needs to be added to the Exception users under lockdown mode.Thanks

Re: All multiple privileges fao LucD

LucD — Fri, 05 May 2023 11:13:52 GMT

Try something like this

$newUser = "newuser1" $newPassword = "Password123" $roleName = "test_role" $privileges = 'Authorization.ModifyPermissions', 'Host.Config.SystemManagement', 'Host.Local.ManageUserGroups' Import-Csv "C:\Temp\Mo\hosts.csv" | ForEach-Object { $srv = Connect-VIServer -Server $_.Hostname -User 'root' -Password 'rootpassword' $priv = Get-VIPrivilege | Where-Object { $_.Id -in $privileges} $role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue if (!$role) { $role = New-VIRole -Name $roleName -Privilege $priv -Server $srv -Confirm:$false } $account = Get-VMHostAccount -Id $newUser -ErrorAction SilentlyContinue if ($account) { Set-VMHostAccount -UserAccorount $account -Password $newPassword } else { New-VMHostAccount -Id $newUser -Password $newPassword -GrantShellAccess:$true ` -AssignGroups 'root' -Description 'Test user creation' -UserAccount -Server $srv } $folder = Get-Folder -Name "ha-folder-root" -Server $srv $perm = Get-VIPermission -Entity $folder -Principal $newUser -ErrorAction SilentlyContinue if (!$perm) { New-VIPermission -Entity $folder -Principal $newUser -Role $role -Server $srv -Propagate $true -Confirm:$false } else { Set-VIPermission -Permission $perm -Role $role -Propagate } # Add user to lockdown exceptions $esx = Get-VMHost $accessMgr = Get-View $esx.ExtensionData.ConfigManager.HostAccessManager $accessMgr.UpdateLockdownExceptions($account) Disconnect-VIServer -Server $srv -Confirm:$false }

Re: All multiple privileges fao LucD

mbabu1 — Fri, 05 May 2023 11:32:47 GMT

Hi LucD,

Thank you for the above, I am getting the attached error. Please advise where i'm going wrong. I am testing this on one host atm.

Thanks

Re: All multiple privileges fao LucD

LucD — Fri, 05 May 2023 11:38:43 GMT

That 1st error seems to indicate you have multiple open connections.
Check what is $global:defaultVIServers.

Then there are a number of other errors.
- your current ESXi version does not support LocalGroups anymore
- again some errors indicating you have a VCSA connection open

Re: All multiple privileges fao LucD

mbabu1 — Fri, 05 May 2023 14:55:10 GMT

Thanks LucD,

I have force disconnected the vcsa connections and re-run the script.

Version of vCenter is 6.7 18485185

Host is VMware ESXi, 6.7.0, 16316930.

I now get the attached error.

Please advise Thanks

Re: All multiple privileges fao LucD

LucD — Fri, 05 May 2023 15:33:35 GMT

I think the error is very clear, the LocalGroup option is not supported anymore.
That script will not work in your environment.

Re: All multiple privileges fao LucD

mbabu1 — Fri, 05 May 2023 15:41:53 GMT

Thanks LucD,

Is there a script in your arsenal that will work in my environment? Please share and I can test.

Thanks in advance

Many Thanks

Re: All multiple privileges fao LucD

mbabu1 — Fri, 05 May 2023 19:59:33 GMT

Hi LucD,

I have managed to edit the script as follows and got it working, but the following is not working:

1. Adding to exception user list is not working

2. Disable the lockdown mode, add the user and enable it again. (disable and enable commands missing)

$newUser = "testuser"
$newPassword = "Password123"
$roleName = "testing"
$privileges = 'Authorization.ModifyPermissions', 'Host.Config.SystemManagement', 'Host.Local.ManageUserGroups'

Import-Csv "C:\Temp\Mo\hosts.csv" | ForEach-Object {
$srv = Connect-VIServer -Server $_.Hostname -User 'root' -Password 'Password1234'
$priv = Get-VIPrivilege | Where-Object { $_.Id -in $privileges}
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (!$role) {
$role = New-VIRole -Name $roleName -Privilege $priv -Server $srv -Confirm:$false
}
$account = Get-VMHostAccount -Id $newUser -ErrorAction SilentlyContinue
if ($account) {
Set-VMHostAccount -UserAccount $account -Password $newPassword
} else {
New-VMHostAccount -Id $newUser -Password $newPassword -GrantShellAccess:$true `
-AssignGroups 'root' -Description 'Test user creation' -UserAccount -Server $srv
}
$folder = Get-Folder -Name "root" -Server $srv
$perm = Get-VIPermission -Entity $folder -Principal $newUser -ErrorAction SilentlyContinue
if (!$perm) {
New-VIPermission -Entity $folder -Principal $newUser -Role $role -Server $srv -Propagate $true -Confirm:$false
} else {
Set-VIPermission -Permission $perm -Role $role -Propagate
}

# Add user to lockdown exceptions
$esx = Get-VMHost
$accessMgr = Get-View $esx.ExtensionData.ConfigManager.HostAccessManager
$accessMgr.UpdateLockdownExceptions($account)

Disconnect-VIServer -Server $srv -Confirm:$false
}

Please can you do your magic

Re: All multiple privileges fao LucD

LucD — Fri, 05 May 2023 20:57:56 GMT

Have look at Re: Having issues with adding a user to the except... - VMware Technology Network VMTN

Re: All multiple privileges fao LucD

LucD — Mon, 08 May 2023 13:41:46 GMT

Try something like this

$newUser = "testuser" $newPassword = "VMware1!" $roleName = "testing" $privileges = 'Authorization.ModifyPermissions', 'Host.Config.SystemManagement', 'Host.Local.ManageUserGroups' Import-Csv "C:\Temp\Mo\hosts.csv" | ForEach-Object -Process { $srv = Connect-VIServer -Server $_.Hostname -User 'root' -Password 'Welcome2022!' $priv = Get-VIPrivilege | Where-Object { $_.Id -in $privileges } # If Role exists assign new privileges, else create Role $role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue if($role){ $role = Set-VIRole -Role $role -AddPrivilege $priv -Confirm:$false } else{ $role = New-VIRole -Name $roleName -Privilege $priv -Server $srv -Confirm:$false } # If Account exists set new password, else create Account $account = Get-VMHostAccount -Id $newUser -ErrorAction SilentlyContinue if ($account) { $account = Set-VMHostAccount -UserAccount $account -Password $newPassword } else { $account = New-VMHostAccount -Id $newUser -Password $newPassword -GrantShellAccess:$true ` -Description 'Test user creation' -UserAccount -Server $srv } # If Permission exists set new Role, else create Permission $folder = Get-Folder -Name "root" -Server $srv $perm = Get-VIPermission -Entity $folder -Principal $newUser -ErrorAction SilentlyContinue if (!$perm) { $perm = New-VIPermission -Entity $folder -Principal $newUser -Role $role -Server $srv -Propagate $true -Confirm:$false } else { $perm = Set-VIPermission -Permission $perm -Role $role -Propagate $true } # Add user to lockdown exceptions $esx = Get-VMHost $accessMgr = Get-View $esx.ExtensionData.ConfigManager.HostAccessManager $oldLockDownMode = $accessMgr.LockdownMode if ($oldLockDownMode -ne [VMware.Vim.HostLockdownMode]::lockdownDisabled){ $accessMgr.ChangeLockdownMode([VMware.Vim.HostLockdownMode]::lockdownDisabled) } $accessMgr.UpdateLockdownExceptions($account) if ($oldLockDownMode -ne [VMware.Vim.HostLockdownMode]::lockdownDisabled) { $accessMgr.ChangeLockdownMode($oldLockDownMode) } Disconnect-VIServer -Server $srv -Confirm:$false }

Re: All multiple privileges fao LucD

mbabu1 — Mon, 08 May 2023 13:33:56 GMT

Hi LucD,

Thank you for the above, the script creates the role with the correct permissions but fails to create the user and add the user to the exception users list in lockdown mode.

See attached errors for your reference.

Please advise and let me know if I am doing something wrong.

Thanks in advance.

Re: All multiple privileges fao LucD

LucD — Mon, 08 May 2023 13:43:29 GMT

The account creation still tries to assign a group, that is not supported anymore.
That is what the error is saying, I don't see anything related to an exception list

Re: All multiple privileges fao LucD

mbabu1 — Mon, 08 May 2023 14:29:01 GMT

Hi LucD,

Its strange we don't see an error for not adding to the exceptions list. When we try the attached script, it creates the user and adds it to the exception list, but doesn't create the role. Can we use the commands for adding to the exceptions list from the attached and add it to the above script you have created. Then we can test if it works.

Re: All multiple privileges fao LucD

LucD — Mon, 08 May 2023 15:31:01 GMT

You can do whatever you want, even ask Wouter.

For me the snippet creates the Role, not sure why it wouldn't work for you.
At least there should be an error message if something goes wrong.

Re: All multiple privileges fao LucD

mbabu1 — Mon, 08 May 2023 16:56:10 GMT

Hi LucD,

Apologies, I was making a silly mistake when editing the script. As always all works like a dream...you Da Genius.

If I want to add two users at the same time (testuser1 and testuser2) can I do this on the same script or do i need to run the script twice changing the newuser field. And will have to add the below somewhere in the above script aswell I assume.

$HostAccess = Get-View -Id $vmhost.ExtensionData.ConfigManager.HostAccessManager
$currentUsers = $HostAcces.QueryLockdownExceptions()
$newUsers = $currentUsers + $username
$HostAccess.UpdateLockdownExceptions($newUsers)

Re: All multiple privileges fao LucD

LucD — Mon, 08 May 2023 17:15:28 GMT

You could do something like this

$newUsers = "testuser1", "testuser2" $newPassword = "VMware1!" $roleName = "testing" $privileges = 'Authorization.ModifyPermissions', 'Host.Config.SystemManagement', 'Host.Local.ManageUserGroups' Import-Csv "C:\Temp\Mo\hosts.csv" | ForEach-Object -Process { $srv = Connect-VIServer -Server $_.Hostname -User 'root' -Password 'Welcome2022!' $priv = Get-VIPrivilege | Where-Object { $_.Id -in $privileges } # If Role exists assign new privileges, else create Role $role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue if ($role) { $role = Set-VIRole -Role $role -AddPrivilege $priv -Confirm:$false } else { $role = New-VIRole -Name $roleName -Privilege $priv -Server $srv -Confirm:$false } $accounts = @() $newUSers | ForEach-Object -Process { # If Account exists set new password, else create Account $account = Get-VMHostAccount -Id $_ -ErrorAction SilentlyContinue if ($account) { $account = Set-VMHostAccount -UserAccount $account -Password $newPassword } else { $account = New-VMHostAccount -Id $_ -Password $newPassword -GrantShellAccess:$true ` -Description 'Test user creation' -UserAccount -Server $srv } $accounts += $account # If Permission exists set new Role, else create Permission $folder = Get-Folder -Name "root" -Server $srv $perm = Get-VIPermission -Entity $folder -Principal $_ -ErrorAction SilentlyContinue if (!$perm) { $perm = New-VIPermission -Entity $folder -Principal $_ -Role $role -Server $srv -Propagate $true -Confirm:$false } else { $perm = Set-VIPermission -Permission $perm -Role $role -Propagate $true } } # Add users to lockdown exceptions $esx = Get-VMHost $accessMgr = Get-View $esx.ExtensionData.ConfigManager.HostAccessManager $oldLockDownMode = $accessMgr.LockdownMode if ($oldLockDownMode -ne [VMware.Vim.HostLockdownMode]::lockdownDisabled) { $accessMgr.ChangeLockdownMode([VMware.Vim.HostLockdownMode]::lockdownDisabled) } $accessMgr.UpdateLockdownExceptions($accounts) if ($oldLockDownMode -ne [VMware.Vim.HostLockdownMode]::lockdownDisabled) { $accessMgr.ChangeLockdownMode($oldLockDownMode) } Disconnect-VIServer -Server $srv -Confirm:$false }

Re: All multiple privileges fao LucD

mbabu1 — Mon, 08 May 2023 18:07:46 GMT

Hi LucD,

Perfect, the above works perfectly. I have found the cluster has all the hosts in lockdown mode (Normal) and I need to manually disable the lockdown mode for the script to access the host and run accordingly.

Is there anyway of adding in the script to disable lockdown mode, run the script and enable lockdown mode at the end. I assume you will need to access the vCenter. Happy to add in the vCenter name.

Please advise.

Many Thanks

Re: All multiple privileges fao LucD

LucD — Mon, 08 May 2023 18:10:58 GMT

Not while you are connected to the ESXi node itself.
When you have all these ESXi nodes connected to a vCenter, you could probably automate it from there.

Re: All multiple privileges fao LucD

mbabu1 — Mon, 08 May 2023 18:17:53 GMT

Thanks LucD,

Is the a sperate small script available I can run to disable/enable the lockdown mode in the environment using the vcenter.

Thanks in advance.