xofox
Contributor

Create VLANs in personal folders with specific permission/role

Hi, French & junior (VMware) but still alive ;)

Existing:

1 DC / 1 cluster / 3 ESXi / vSphere 6.7u2

VMware PowerCLI 11.5.0 build 14912921

PowerShell 5.1.14409.1018

vSwitch0 (management), vSwitch1 (VM)

2 user groups (G, U)

20 users per group (G201, ... G220; U101, ... U120)

Each user has his own private space (e.g. for user G201):

VMs&templates/G/G201: VM1, VM2, ...

storage/G: here there is no private folder, all the G group VMs are stored here.

networking/Pedago/G/G201: G-lan-2010, G-lan-2011, ...

vSwitch2 created, NIC attached, no VLAN created in it yet.

Expecting:

Create 10 new VLANs for each user of group 'G' (using a .csv import) in vSwitch2.

- With role/permission (each user can see and operate only his own VMs, and the same for his own VLANs)

- Each user VLAN should land in the network folder of the user (so I don't have to drag it with the mouse)

Bonus:

How can I get the full path to a user folder? Are the vPGs at the root or in specific folders?

For example: the network folder of user G201 is in folder 'G', which is (I think) in 'Students', which is (I'm still not sure) in 'Pedago', which is in.... the network folder. 'Get-Folder' gave me some information but I'm not sure of the real full path. I have to manage something I didn't install.

Thanks a lot for your help, I have already spent some hours searching the net about it and tried some scripts, sadly without the expected result.

Accepted Solution
LucD
Leadership

Are the pNICs used in the vSwitches connected to switch ports that have the same VLAN tagging?

This is probably not a VMware issue (since it works when on the same ESXi node) but might be a physical network issue.

Yes, for the VM migration question I would prefer a new thread.

Otherwise, this thread becomes too long and complex.

Make sure to document exactly what the current situation is and where you want to go.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

47 Replies
scott28tt
VMware Employee

Moderator: Moved to PowerCLI

This is similar to your previous thread: Individual permissions on Esx resources (networks/portgroup, datastore/directory,...) from a list of...


LucD
Leadership

For the full path you could use my Get The Folderpath post.
The Portgroups on a VSS can be found in the Network folder of the Datacenter (although they are defined on each individual ESXi node).

I'm not sure about what you want to do with the new portgroups.
Since these are portgroup on a VSS, they need to be defined on each ESXi node in the cluster.
Is that what you want?

I'm not sure what you mean by "...Each user vlan should reach the network folder of the user"

Perhaps a screenshot of a sample setup would help?


xofox
Contributor

Thanks for your quick answer.

With Get-FolderPath, I got an error because of the 1st line (#requires -pssnapin...). After seeing your post here: 'VMWare.VimAutomation.Core' is not installed on this computer, I did a "Get-Folder | Get-FolderPath | Format-Table -AutoSize".

That will help me to be more understandable, I hope!

In the file getfolderpath.txt, I pasted just 1 user (UFA213, who is in the group GRETA (these users & groups exist in an AD)).

In network-vsphere-client.jpg, a screenshot of the "Networking" page in the vSphere client.

You can see at the far bottom the vPG 'GRETA-LAN-2137' I created a few hours ago.

What I am looking to do is, when I create it (or just after, if it's not possible at that moment), to find it in its proper folder.

In this example, 'GRETA-LAN-2137' should have ended up in the (network) folder 'UFA213', in group 'GRETA', itself in 'PEDAGO'; that would make me feel happy & efficient.

And yes, 'GRETA-LAN-2137' has been defined on each ESXi node in the cluster.

Users' VMs can go anywhere in the cluster (+vMotion/DRS) but have to be able to communicate with each other according to their own VLAN. I hope this last sentence was not more confusing than clarifying.

If another screenshot of a sample setup or anything else can help you completely understand me, just tell me which kind.

Thanks a lot.

Christophe

LucD
Leadership

The New-VIPermission doesn't work for a VSS portgroup.

We have to revert to the API method.

See if the following works for you.
Update the switch, ESXi node, portgroup name, principal and role.

When it works for you, we can incorporate this in the original script (and replace the New-VIPermission).

function New-PGPermission{
    [cmdletbinding()]
    param(
        [string]$VMHost,
        [string]$Portgroup,
        [string]$Principal,
        [string]$Role
    )

    # New-VIPermission does not accept a VSS portgroup as entity, so the permission
    # is set through the AuthorizationManager API instead
    $authMgr = Get-View AuthorizationManager

    # Sanity check: reports an error when the portgroup does not exist on this host
    $pg = Get-VirtualPortGroup -Standard -VMHost $VMHost -Name $Portgroup

    # The Network object that represents the portgroup in vCenter is the permission entity
    $esx = Get-VMHost -Name $VMHost
    $pgMoRef = (Get-View -Id $esx.ExtensionData.Network | where{$_.Name -eq $Portgroup}).MoRef
    if (-not $pgMoRef) {
        Write-Error "Portgroup '$Portgroup' not found in the networks of $VMHost"
        return
    }

    $perm = New-Object VMware.Vim.Permission
    $perm.Entity = $pgMoRef
    $perm.RoleId = (Get-VIRole -Name $Role).ExtensionData.RoleId
    $perm.Principal = $Principal
    $perm.Group = $false        # $true when the principal is a group
    $perm.Propagate = $false    # a Network object has no children to propagate to

    $authMgr.SetEntityPermissions($pgMoRef,@($perm))
}

$vssName = 'vSwitch0'
$pgName = 'TestPG'
$esxName = 'myesx'
$principal = 'domain\user'
$roleName = 'Admin'

$vss = Get-VirtualSwitch -Name $vssName -VMHost $esxName

# Clean up an old portgroup with the same name, should it exist
Get-VirtualPortGroup -Name $pgName -VirtualSwitch $vssName -ErrorAction SilentlyContinue |
Remove-VirtualPortGroup -Confirm:$false

# Create the portgroup and assign the permission
$pg = New-VirtualPortGroup -Name $pgName -VirtualSwitch $vss
New-PGPermission -VMHost $esxName -Portgroup $pg.Name -Principal $principal -Role $roleName


xofox
Contributor

I'm not sure I understand everything you wrote, but I executed the script on each ESXi.

I updated the switch, ESXi node, portgroup name, principal and role.

esxi1 seems to be OK, no message at the end, just the prompt.

esxi2 and 3 returned the error in the attached docs.

The portgroup has been removed from/in(?) esxi1 & 2 but not in esxi3...

LucD
Leadership

That could mean two things.

  • The portgroup is not found. Which seems highly unlikely since it was just created.
  • A portgroup with the same name exists on another virtualswitch

What is returned when you do the following on esxi2 or esxi3?

Update the names for your environment.

$portgroupName = 'pg1'
$esxName = 'esxi2'

# Name of the Network object the host knows under that portgroup name; empty when not found
$esx = Get-VMHost -Name $esxName
(Get-View -Id $esx.ExtensionData.Network | where{$_.Name -eq $portgroupName}).Name


xofox
Contributor

Hi Luc,

A portgroup with the same name doesn't exist on another virtual switch (checked in each vSwitch of each ESXi).

I launched the last short script you sent me. No return from esxi1 & 2. esxi3 returned the name of the PG (GRETA-LAN-2137).

To be sure I've done the right things with the New-PGPermission script you sent me: before I updated the variables and launched the script on each ESXi (one after the other), I had already created the PG 'GRETA-LAN-2137' on the 3 ESXi. Have I done the job in the right order?

I just tried launching the New-PGPermission script again several times. Now it creates the PG on esxi2 & 3 only, but not on both at the same time: the PG appears only on the last ESXi I launched the script on. Strange, no? esxi1 still returned the same error I got yesterday from esxi2 & 3. Finally, I launched the script again 2/3 times and esxi1 didn't return any error and created the PG 'GRETA-LAN-2137' in vSwitch2. But no more PG 'GRETA-LAN-2137' on esxi2 & 3...

During these last tries, I was disconnected from the client (but not from PowerCLI/PowerShell); maybe nothing to do with it, but...?

For more information: this user account exists but has no user or VM right now, so no use, actually, of its PG.

LucD
Leadership

The script I sent earlier was only for creating the PG and the permission on 1 ESXi node.

The script removes the PG with the same name on that ESXi node if it should already exist.

Did you adapt the script for running over all ESXi nodes in the cluster?


xofox
Contributor

Yes, I updated $esxName = 'esxi2' to 'esxi1' & 'esxi3'.

LucD
Leadership

Ok, try with this version.
It should create the PG and assign the permission on each ESXi node in a cluster.

function New-PGPermission{
    [cmdletbinding()]
    param(
        [string]$VMHost,
        [string]$Portgroup,
        [string]$Principal,
        [string]$Role
    )

    $authMgr = Get-View AuthorizationManager

    # Sanity check: reports an error when the portgroup does not exist on this host
    $pg = Get-VirtualPortGroup -Standard -VMHost $VMHost -Name $Portgroup

    # The Network object that represents the portgroup in vCenter is the permission entity
    $esx = Get-VMHost -Name $VMHost
    $pgMoRef = (Get-View -Id $esx.ExtensionData.Network | where{$_.Name -eq $Portgroup}).MoRef
    if (-not $pgMoRef) {
        Write-Error "Portgroup '$Portgroup' not found in the networks of $VMHost"
        return
    }

    $perm = New-Object VMware.Vim.Permission
    $perm.Entity = $pgMoRef
    $perm.RoleId = (Get-VIRole -Name $Role).ExtensionData.RoleId
    $perm.Principal = $Principal
    $perm.Group = $false        # $true when the principal is a group
    $perm.Propagate = $false

    $authMgr.SetEntityPermissions($pgMoRef,@($perm))
}

$vssName = 'vSwitch0'
$pgName = 'TestPG'
$clusterName = 'cluster'
$principal = 'domain\user'
$roleName = 'Admin'

# A VSS portgroup is defined per host, so loop over every ESXi node in the cluster
Get-Cluster -Name $clusterName | Get-VMHost -PipelineVariable esx |
ForEach-Object -Process {
    $vss = Get-VirtualSwitch -Name $vssName -VMHost $esx

    # Clean up old portgroup should it exist (limited to this host by -VMHost)
    Get-VirtualPortGroup -Name $pgName -VirtualSwitch $vssName -VMHost $esx -ErrorAction SilentlyContinue |
    Remove-VirtualPortGroup -Confirm:$false

    # Create new portgroup
    $pg = New-VirtualPortGroup -Name $pgName -VirtualSwitch $vss

    # Assign permission
    New-PGPermission -VMHost $esx.Name -Portgroup $pg.Name -Principal $principal -Role $roleName
}


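A worked version of the CSV-driven procedure the opening post asks for, added here as an example rather than code taken from this thread. It strings the per-host loop and the AuthorizationManager permission call together with the checks a practitioner would want before handing VLANs to users: the sheet is validated first (VLAN id range, no two rows on one VLAN, principal syntax), existing portgroups are left in place instead of being deleted, and the permission uses a custom role instead of Admin. Cluster, switch and role names, the DOMAIN prefix and the CSV rows are hypothetical placeholders; an open Connect-VIServer session is assumed.

```powershell
# Added example, not code from the thread: the CSV-driven version of the procedure.
# Assumes an open Connect-VIServer session. Cluster, switch and role names, the
# DOMAIN prefix and the CSV rows are hypothetical placeholders.

$clusterName = 'cluster'
$vssName     = 'vSwitch2'
$roleName    = 'PG-User'   # custom role with only 'Network > Assign network', not 'Admin'

# Constructed sample input; in a real run: $rows = Import-Csv -Path .\vlans.csv
$rows = @'
User,Portgroup,VlanId
SIO\G201,G-lan-2010,2010
SIO\G201,G-lan-2011,2011
SIO\G202,G-lan-2020,2020
'@ | ConvertFrom-Csv

# 1. Validate the sheet before touching any host. Two rows on one VLAN id share a
#    single L2 domain, VLAN 0 means untagged and 4095 makes the portgroup a trunk that
#    receives every VLAN on the uplink, so all of them defeat the per-user isolation.
function Test-VlanRows {
    param([object[]]$Rows)
    $problems  = @()
    $vlanOwner = @{}
    $nameOwner = @{}
    foreach ($r in $Rows) {
        $id = $r.VlanId -as [int]
        if ($null -eq $id -or $id -lt 1 -or $id -gt 4094) {
            $problems += "$($r.Portgroup): VLAN id '$($r.VlanId)' is not in 1..4094"
        } elseif ($vlanOwner.ContainsKey($id)) {
            $problems += "$($r.Portgroup): VLAN $id is already used by $($vlanOwner[$id])"
        } else {
            $vlanOwner[$id] = $r.Portgroup
        }
        if ($nameOwner.ContainsKey($r.Portgroup)) {
            $problems += "$($r.Portgroup): portgroup name listed twice"
        } else {
            $nameOwner[$r.Portgroup] = $r.User
        }
        if ($r.User -notmatch '^[^\\]+\\[^\\]+$') {
            $problems += "$($r.Portgroup): principal '$($r.User)' is not in DOMAIN\user form"
        }
    }
    return $problems
}

$problems = Test-VlanRows -Rows $rows
if ($problems) { $problems | ForEach-Object { Write-Error $_ }; return }

$role    = Get-VIRole -Name $roleName -ErrorAction Stop
$authMgr = Get-View AuthorizationManager
$hosts   = Get-Cluster -Name $clusterName | Get-VMHost

foreach ($row in $rows) {
    $vlan = [int]$row.VlanId

    # 2. A standard portgroup is defined per host, so create it on every node of the
    #    cluster (vMotion needs the same name and VLAN everywhere). An existing portgroup
    #    is left alone: removing it would disconnect the VMs already attached to it.
    foreach ($esx in $hosts) {
        $vss = Get-VirtualSwitch -VMHost $esx -Name $vssName -Standard
        $pg  = Get-VirtualPortGroup -VirtualSwitch $vss -Name $row.Portgroup -ErrorAction SilentlyContinue
        if (-not $pg) {
            New-VirtualPortGroup -VirtualSwitch $vss -Name $row.Portgroup -VLanId $vlan | Out-Null
        } elseif ($pg.VLanId -ne $vlan) {
            Write-Warning "$($esx.Name): $($row.Portgroup) carries VLAN $($pg.VLanId), sheet says $vlan; left unchanged"
        }
    }

    # 3. vCenter shows the portgroup as one Network object per name in the datacenter;
    #    that object, not the host-side portgroup, is the entity the permission lives on.
    $net = @(Get-View -ViewType Network -Filter @{ Name = "^$([regex]::Escape($row.Portgroup))$" })
    if ($net.Count -ne 1) {
        Write-Error "Expected one Network object named $($row.Portgroup), found $($net.Count)"
        continue
    }
    $perm           = New-Object VMware.Vim.Permission
    $perm.Entity    = $net[0].MoRef
    $perm.Principal = $row.User
    $perm.Group     = $false     # $true if the User column holds an AD group
    $perm.RoleId    = $role.ExtensionData.RoleId
    $perm.Propagate = $false
    $authMgr.SetEntityPermissions($net[0].MoRef, @($perm))
}
```

The role is deliberately not Admin: to attach a NIC to a network a user needs only the "Network > Assign network" privilege on that Network object, and the rest of the rights (on his VM folder) are handled separately. SetEntityPermissions replaces whatever that principal already held on the entity, so the script can be rerun after the sheet changes.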
xofox
Contributor

Nice,

On the 1st try, I got the PG created on the 3 ESXi but with a final error message:

Exception calling "SetEntityPermissions" with "2" argument(s): "

Required parameter entity is missing

while parsing call information for method SetEntityPermissions

at line 1, column 171

while parsing SOAP body

at line 1, column 64

while parsing SOAP envelope

at line 1, column 0

while parsing HTTP request for method setEntityPermissions

on object of type vim.AuthorizationManager

at line 1, column 0"

At line:37 char:5

+     $authMgr.SetEntityPermissions($pgMoRef,@($perm))

+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException

    + FullyQualifiedErrorId : VimException

Exception calling "SetEntityPermissions" with "2" argument(s): "

Required parameter entity is missing

while parsing call information for method SetEntityPermissions

at line 1, column 171

while parsing SOAP body

at line 1, column 64

while parsing SOAP envelope

at line 1, column 0

while parsing HTTP request for method setEntityPermissions

on object of type vim.AuthorizationManager

at line 1, column 0"

At line:37 char:5

+     $authMgr.SetEntityPermissions($pgMoRef,@($perm))

+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException

    + FullyQualifiedErrorId : VimException

I launched the script one more time and then got the same result without any error message.

But the PG

LucD
Leadership

That seems to indicate that the PG is not created or found.
Or there is a kind of ghost ESXi node in the cluster.

How many ESXi nodes are returned when you do a Get-Cluster | Get-VMHost?


xofox
Contributor

PS C:\Windows\system32> Get-Cluster | Get-VMHost

Name                 ConnectionState PowerState NumCpu CpuUsageMhz CpuTotalMhz   MemoryUsageGB   MemoryTotalGB Version
----                 --------------- ---------- ------ ----------- -----------   -------------   ------------- -------
al-esxi-02.sio.local Connected       PoweredOn      24        4450       50280         185,505         382,458   6.7.0
al-esxi-03.sio.local Connected       PoweredOn      24        3036       50280         174,881         382,458   6.7.0
al-esxi-01.sio.local Connected       PoweredOn      24        3689       50280         164,894         382,458   6.7.0

PS C:\Windows\system32> Get-VirtualPortGroup -Name "GRETA-LAN-2137" | Format-Table -AutoSize

Name           Key                                   VLanId PortBinding NumPorts
----           ---                                   ------ ----------- --------
GRETA-LAN-2137 key-vim.host.PortGroup-GRETA-LAN-2137 2137
GRETA-LAN-2137 key-vim.host.PortGroup-GRETA-LAN-2137 2137
GRETA-LAN-2137 key-vim.host.PortGroup-GRETA-LAN-2137 2137

(I added the VLanId '2137' in your script.)

LucD
Leadership

Can you add a debug statement in there, for example a Write-Host inside the foreach loop, that shows which ESXi node is being handled?

That way we would know for which ESXi node the issue occurs.


xofox
Contributor

I don't know how to do what you ask, or in which script.

Do you mean this:

PS C:\Windows\system32> Get-Cluster | Get-VMHost | Write-Host | Format-Table -AutoSize
al-esxi-02.sio.local
al-esxi-03.sio.local
al-esxi-01.sio.local

PS C:\Windows\system32> Get-VirtualPortGroup -Name "GRETA-LAN-2137" | Write-Host | Format-Table -AutoSize
GRETA-LAN-2137
GRETA-LAN-2137
GRETA-LAN-2137

or this:

ForEach-Object -Process {
    $vss = Get-VirtualSwitch -Name $vssName -VMHost $esx |  Write-Host

    # Clean up old portgroup should it exist
    Get-VirtualPortGroup -Name $pgName -VirtualSwitch $vssName -VMHost $esx -ErrorAction SilentlyContinue |
    Remove-VirtualPortGroup -Confirm:$false | Write-Host

    # Create new portgroup
    $pg = New-VirtualPortGroup -Name $pgName -VirtualSwitch $vss -VLanId 2137 | Write-Host

    # Assign permission
    New-PGPermission -VMHost $esx.Name -Portgroup $pg.Name -Principal $principal -Role $roleName | Write-Host
}

Result:

vSwitch2

New-VirtualPortGroup : Cannot validate argument on parameter 'VirtualSwitch'. The argument is null or empty. Provide an argument that is not null or empty, and then

try the command again.

At line:67 char:61

+ ...  $pg = New-VirtualPortGroup -Name $pgName -VirtualSwitch $vss -VLanId ...

+                                                              ~~~~

    + CategoryInfo          : InvalidData: (:) [New-VirtualPortGroup], ParameterBindingValidationException

    + FullyQualifiedErrorId : ParameterArgumentValidationError,VMware.VimAutomation.ViCore.Cmdlets.Commands.Host.NewVirtualPortGroup

Get-VirtualPortGroup : Cannot validate argument on parameter 'Name'. The argument is null or empty. Provide an argument that is not null or empty, and then try the

command again.

At line:19 char:64

+ ... $pg = Get-VirtualPortGroup -Standard -VMHost $VMHost -Name $Portgroup

+                                                                ~~~~~~~~~~

    + CategoryInfo          : InvalidData: (:) [Get-VirtualPortGroup], ParameterBindingValidationException

    + FullyQualifiedErrorId : ParameterArgumentValidationError,VMware.VimAutomation.ViCore.Cmdlets.Commands.Host.GetVirtualPortGroup

Exception calling "SetEntityPermissions" with "2" argument(s): "

Required parameter entity is missing

while parsing call information for method SetEntityPermissions

at line 1, column 171

while parsing SOAP body

at line 1, column 64

while parsing SOAP envelope

at line 1, column 0

while parsing HTTP request for method setEntityPermissions

on object of type vim.AuthorizationManager

at line 1, column 0"

At line:37 char:5

+     $authMgr.SetEntityPermissions($pgMoRef,@($perm))

+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException

    + FullyQualifiedErrorId : VimException

vSwitch2

New-VirtualPortGroup : Cannot validate argument on parameter 'VirtualSwitch'. The argument is null or empty. Provide an argument that is not null or empty, and then

try the command again.

At line:67 char:61

+ ...  $pg = New-VirtualPortGroup -Name $pgName -VirtualSwitch $vss -VLanId ...

+                                                              ~~~~

    + CategoryInfo          : InvalidData: (:) [New-VirtualPortGroup], ParameterBindingValidationException

    + FullyQualifiedErrorId : ParameterArgumentValidationError,VMware.VimAutomation.ViCore.Cmdlets.Commands.Host.NewVirtualPortGroup

Get-VirtualPortGroup : Cannot validate argument on parameter 'Name'. The argument is null or empty. Provide an argument that is not null or empty, and then try the

command again.

At line:19 char:64

+ ... $pg = Get-VirtualPortGroup -Standard -VMHost $VMHost -Name $Portgroup

+                                                                ~~~~~~~~~~

    + CategoryInfo          : InvalidData: (:) [Get-VirtualPortGroup], ParameterBindingValidationException

    + FullyQualifiedErrorId : ParameterArgumentValidationError,VMware.VimAutomation.ViCore.Cmdlets.Commands.Host.GetVirtualPortGroup

Exception calling "SetEntityPermissions" with "2" argument(s): "

Required parameter entity is missing

while parsing call information for method SetEntityPermissions

at line 1, column 171

while parsing SOAP body

at line 1, column 64

while parsing SOAP envelope

at line 1, column 0

while parsing HTTP request for method setEntityPermissions

on object of type vim.AuthorizationManager

at line 1, column 0"

At line:37 char:5

+     $authMgr.SetEntityPermissions($pgMoRef,@($perm))

+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException

    + FullyQualifiedErrorId : VimException

vSwitch2

New-VirtualPortGroup : Cannot validate argument on parameter 'VirtualSwitch'. The argument is null or empty. Provide an argument that is not null or empty, and then

try the command again.

At line:67 char:61

+ ...  $pg = New-VirtualPortGroup -Name $pgName -VirtualSwitch $vss -VLanId ...

+                                                              ~~~~

    + CategoryInfo          : InvalidData: (:) [New-VirtualPortGroup], ParameterBindingValidationException

    + FullyQualifiedErrorId : ParameterArgumentValidationError,VMware.VimAutomation.ViCore.Cmdlets.Commands.Host.NewVirtualPortGroup

Get-VirtualPortGroup : Cannot validate argument on parameter 'Name'. The argument is null or empty. Provide an argument that is not null or empty, and then try the

command again.

At line:19 char:64

+ ... $pg = Get-VirtualPortGroup -Standard -VMHost $VMHost -Name $Portgroup

+                                                                ~~~~~~~~~~

    + CategoryInfo          : InvalidData: (:) [Get-VirtualPortGroup], ParameterBindingValidationException

    + FullyQualifiedErrorId : ParameterArgumentValidationError,VMware.VimAutomation.ViCore.Cmdlets.Commands.Host.GetVirtualPortGroup

Exception calling "SetEntityPermissions" with "2" argument(s): "

Required parameter entity is missing

while parsing call information for method SetEntityPermissions

at line 1, column 171

while parsing SOAP body

at line 1, column 64

while parsing SOAP envelope

at line 1, column 0

while parsing HTTP request for method setEntityPermissions

on object of type vim.AuthorizationManager

at line 1, column 0"

At line:37 char:5

+     $authMgr.SetEntityPermissions($pgMoRef,@($perm))

+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException

    + FullyQualifiedErrorId : VimException

LucD
Leadership

No, I mean inserting a simple Write-Host to see which ESXi node is causing the error.

Like this

function New-PGPermission{
    [cmdletbinding()]
    param(
        [string]$VMHost,
        [string]$Portgroup,
        [string]$Principal,
        [string]$Role
    )

    $authMgr = Get-View AuthorizationManager

    # Sanity check: reports an error when the portgroup does not exist on this host
    $pg = Get-VirtualPortGroup -Standard -VMHost $VMHost -Name $Portgroup

    # The Network object that represents the portgroup in vCenter is the permission entity
    $esx = Get-VMHost -Name $VMHost
    $pgMoRef = (Get-View -Id $esx.ExtensionData.Network | where{$_.Name -eq $Portgroup}).MoRef
    if (-not $pgMoRef) {
        Write-Error "Portgroup '$Portgroup' not found in the networks of $VMHost"
        return
    }

    $perm = New-Object VMware.Vim.Permission
    $perm.Entity = $pgMoRef
    $perm.RoleId = (Get-VIRole -Name $Role).ExtensionData.RoleId
    $perm.Principal = $Principal
    $perm.Group = $false        # $true when the principal is a group
    $perm.Propagate = $false

    $authMgr.SetEntityPermissions($pgMoRef,@($perm))
}

$vssName = 'vSwitch0'
$pgName = 'TestPG'
$clusterName = 'cluster'
$principal = 'domain\user'
$roleName = 'Admin'

Get-Cluster -Name $clusterName | Get-VMHost -PipelineVariable esx |
ForEach-Object -Process {
    # Debug output: shows which ESXi node the loop is handling
    Write-Host "Handling ESXi node $($_.Name)"
    $vss = Get-VirtualSwitch -Name $vssName -VMHost $esx

    # Clean up old portgroup should it exist
    Get-VirtualPortGroup -Name $pgName -VirtualSwitch $vssName -VMHost $esx -ErrorAction SilentlyContinue |
    Remove-VirtualPortGroup -Confirm:$false

    # Create new portgroup
    $pg = New-VirtualPortGroup -Name $pgName -VirtualSwitch $vss

    # Assign permission
    New-PGPermission -VMHost $esx.Name -Portgroup $pg.Name -Principal $principal -Role $roleName
}


xofox
Contributor

I removed -VLanId 2137 in the line:

# Create new portgroup
$pg = New-VirtualPortGroup -Name $pgName -VirtualSwitch $vss -VLanId 2137

and did what you said:

ForEach-Object -Process {
    Write-Host "Handling ESXi node $($_.Name)"

Then it worked and I got:

Handling ESXi node al-esxi-02.sio.local
Handling ESXi node al-esxi-03.sio.local
Handling ESXi node al-esxi-01.sio.local

LucD
Leadership

Why did you remove the New-VirtualPortgroup line?

Without it, no portgroup will be created.

Try to run this after a stop/start of your PowerShell/PowerCLI session.


xofox
Contributor

I didn't remove the whole line, just what I added (-VLanId 2137), to respect the initial script you gave me to run.

So I disconnected from the VIServer, stopped PowerShell and then reconnected to the VIServer.

I ran the script you sent me with

ForEach-Object -Process {
    Write-Host "Handling ESXi node $($_.Name)"

Result:

PS C:\Windows\system32> C:\Users\adminl\Desktop\10032020\NewPGPermission2.ps1
Handling ESXi node al-esxi-02.sio.local
Handling ESXi node al-esxi-03.sio.local
Handling ESXi node al-esxi-01.sio.local
PS C:\Windows\system32>

The PG has been created on the 3 ESXi without any error message (but still in the general network folder).

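Once the portgroups exist, the thread never checks the result beyond "no error message". The following audit is an added example, not code posted in this thread: for every standard portgroup on the chosen vSwitch it lists the hosts that miss it or carry a different VLAN id (vMotion and DRS need the same name and VLAN on every node), and which principals hold a direct permission on the portgroup's Network object. Cluster and switch names are placeholders; an open Connect-VIServer session is assumed.

```powershell
# Added example, not from the thread: audit of the per-user portgroups after creation.
# Assumes an open Connect-VIServer session; cluster and switch names are placeholders.

$clusterName = 'cluster'
$vssName     = 'vSwitch2'

function Get-PortgroupAudit {
    param([string]$Cluster, [string]$Switch)
    $hosts   = Get-Cluster -Name $Cluster | Get-VMHost
    $authMgr = Get-View AuthorizationManager

    # role id -> role name, to make the permission list readable
    $roles = @{}
    Get-VIRole | ForEach-Object { $roles[$_.ExtensionData.RoleId] = $_.Name }

    # portgroup name -> @{ hostname = VLAN id }, taken from the host-side definitions
    $vlanByHost = @{}
    foreach ($esx in $hosts) {
        Get-VirtualSwitch -VMHost $esx -Name $Switch -Standard -ErrorAction SilentlyContinue |
            Get-VirtualPortGroup | ForEach-Object {
                if (-not $vlanByHost.ContainsKey($_.Name)) { $vlanByHost[$_.Name] = @{} }
                $vlanByHost[$_.Name][$esx.Name] = $_.VLanId
            }
    }

    foreach ($name in ($vlanByHost.Keys | Sort-Object)) {
        $perHost = $vlanByHost[$name]
        $missing = $hosts.Name | Where-Object { -not $perHost.ContainsKey($_) }
        $vlans   = $perHost.Values | Sort-Object -Unique

        # direct (non-inherited) permissions on the Network object of this portgroup;
        # pass $true instead of $false to include permissions inherited from above
        $grants = @()
        $net = @(Get-View -ViewType Network -Filter @{ Name = "^$([regex]::Escape($name))$" })
        if ($net.Count -eq 1) {
            $grants = $authMgr.RetrieveEntityPermissions($net[0].MoRef, $false) |
                ForEach-Object { "$($_.Principal):$($roles[$_.RoleId])" }
        }

        [pscustomobject]@{
            Portgroup     = $name
            VlanIds       = ($vlans -join ',')
            MissingOnHost = ($missing -join ',')
            Consistent    = ($missing.Count -eq 0 -and $vlans.Count -eq 1)
            DirectGrants  = ($grants -join ' ')
        }
    }
}

Get-PortgroupAudit -Cluster $clusterName -Switch $vssName | Format-Table -AutoSize
```

A row with Consistent = False is a portgroup a VM can lose when DRS moves it, and a DirectGrants column listing more than the one expected user (or a role such as Admin where a network-assign role was intended) is the permission mistake that breaks the "each user sees only his own VLAN" requirement of the opening post.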