topic Re: Add existing Domain service account to ESXi and map to role and add to exception users list in VMware PowerCLI Discussions

Add existing Domain service account to ESXi and map to role and add to exception users list

mbabu1 — Thu, 15 Jun 2023 12:36:22 GMT

Hi,

I have the below script which was kindly put together by LucD.

The current script creates a local account, creates the role, maps the account to the role and adds user to the lockdown exceptions.

The change I wish to make is instead of creating a local account, I want the script to get the domain account RAC\svc_test_01 and carry out the rest accordingly.

Please help, any help will be much appreciated.

$newUsers = "svc_test_lt01","svc_test_lt02"
$newPassword = "VMware1!"
$roleName = "test_Role"
$privileges = 'Authorization.ModifyPermissions', 'Host.Config.SystemManagement', 'Host.Local.ManageUserGroups'

Import-Csv "C:\Temp\Mo\hosts.csv" |
ForEach-Object -Process {
$srv = Connect-VIServer -Server $_.Hostname -User 'root' -Password 'Password01'
$priv = Get-VIPrivilege | Where-Object { $_.Id -in $privileges }

# If Role exists assign new privileges, else create Role
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if ($role) {
$role = Set-VIRole -Role $role -AddPrivilege $priv -Confirm:$false
} else {
$role = New-VIRole -Name $roleName -Privilege $priv -Server $srv -Confirm:$false
}

$accounts = @()
$newUSers | ForEach-Object -Process {
# If Account exists set new password, else create Account
$account = Get-VMHostAccount -Id $_ -ErrorAction SilentlyContinue
if ($account) {
$account = Set-VMHostAccount -UserAccount $account -Password $newPassword
} else {
$account = New-VMHostAccount -Id $_ -Password $newPassword -GrantShellAccess:$true `
-Description 'test User Access' -UserAccount -Server $srv
}
$accounts += $account

# If Permission exists set new Role, else create Permission
$folder = Get-Folder -Name "root" -Server $srv
$perm = Get-VIPermission -Entity $folder -Principal $_ -ErrorAction SilentlyContinue
if (!$perm) {
$perm = New-VIPermission -Entity $folder -Principal $_ -Role $role -Server $srv -Propagate $true -Confirm:$false
} else {
$perm = Set-VIPermission -Permission $perm -Role $role -Propagate $true
}
}

# Add users to lockdown exceptions
$esx = Get-VMHost
$accessMgr = Get-View $esx.ExtensionData.ConfigManager.HostAccessManager

$oldLockDownMode = $accessMgr.LockdownMode
if ($oldLockDownMode -ne [VMware.Vim.HostLockdownMode]::lockdownDisabled) {
$accessMgr.ChangeLockdownMode([VMware.Vim.HostLockdownMode]::lockdownDisabled)
}

$accessMgr.UpdateLockdownExceptions($accounts)

if ($oldLockDownMode -ne [VMware.Vim.HostLockdownMode]::lockdownDisabled) {
$accessMgr.ChangeLockdownMode($oldLockDownMode)
}

Disconnect-VIServer -Server $srv -Confirm:$false
}

Re: Add existing Domain service account to ESXi and map to role and add to exception users list

LucD — Thu, 15 Jun 2023 12:54:53 GMT

Besides the part for the creation/retrieval of the HostAccount, everything should be the same.

Re: Add existing Domain service account to ESXi and map to role and add to exception users list

mbabu1 — Thu, 15 Jun 2023 13:01:24 GMT

Thanks LucD,

Can you let me know which lines to edit/change, so I can test the script please. Unfortunately, I'm not a scripter and trying my best to learn.

Thanks

Re: Add existing Domain service account to ESXi and map to role and add to exception users list

LucD — Thu, 15 Jun 2023 13:11:50 GMT

You could start with something like this

$newUsers = "RAC\svc_test_01", "RAC\svc_test_02" $newPassword = "VMware1!" $roleName = "test_Role" $privileges = 'Authorization.ModifyPermissions', 'Host.Config.SystemManagement', 'Host.Local.ManageUserGroups' Import-Csv "C:\Temp\Mo\hosts.csv" | ForEach-Object -Process { $srv = Connect-VIServer -Server $_.Hostname -User 'root' -Password 'Password01' $priv = Get-VIPrivilege | Where-Object { $_.Id -in $privileges } # If Role exists assign new privileges, else create Role $role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue if ($role) { $role = Set-VIRole -Role $role -AddPrivilege $priv -Confirm:$false } else { $role = New-VIRole -Name $roleName -Privilege $priv -Server $srv -Confirm:$false } $newUSers | ForEach-Object -Process { # If Permission exists set new Role, else create Permission $folder = Get-Folder -Name "root" -Server $srv $perm = Get-VIPermission -Entity $folder -Principal $_ -ErrorAction SilentlyContinue if (!$perm) { $perm = New-VIPermission -Entity $folder -Principal $_ -Role $role -Server $srv -Propagate $true -Confirm:$false } else { $perm = Set-VIPermission -Permission $perm -Role $role -Propagate $true } } # Add users to lockdown exceptions $esx = Get-VMHost $accessMgr = Get-View $esx.ExtensionData.ConfigManager.HostAccessManager $oldLockDownMode = $accessMgr.LockdownMode if ($oldLockDownMode -ne [VMware.Vim.HostLockdownMode]::lockdownDisabled) { $accessMgr.ChangeLockdownMode([VMware.Vim.HostLockdownMode]::lockdownDisabled) } $accessMgr.UpdateLockdownExceptions($newUSers) if ($oldLockDownMode -ne [VMware.Vim.HostLockdownMode]::lockdownDisabled) { $accessMgr.ChangeLockdownMode($oldLockDownMode) } Disconnect-VIServer -Server $srv -Confirm:$false }

Re: Add existing Domain service account to ESXi and map to role and add to exception users list

mbabu1 — Fri, 23 Jun 2023 10:46:14 GMT

Hi LucD,

Worked like a dreammmmmmmmmmmmmmmmmm...!

Again thank you and god bless you