VMware Cloud Community
lElOUCHE_79
Enthusiast

add user in role using PowerCLI

To create a user in vCenter via the GUI, it is necessary to add the user and password in the 'Users' section and then associate it with a role.

If it is done on the command line, do I have to provide the information in the console?
Can I do it that way?

$user = Read-Host "Enter the user name (DOMAIN\User or user@domain.com)"

$UserPassword = Read-Host "Enter the user password"


Accepted Solutions
LucD
Leadership

I do have a script that creates an SSO user in the default domain.
Then it creates a permission on the vCenter root for that user with a specified Role.

It requires that module VMware.vSphere.SsoAdmin is installed.

The script

#requires -Modules VMware.vSphere.SsoAdmin

# Assumes an open PowerCLI session (Connect-VIServer) to the vCenter;
# $global:defaultviserver.name is reused below as the SSO server name.
$ssoUser = 'administrator'
$ssoDomain = 'vsphere.local'
$ssoPswd = 'VMware1!'      # placeholder, replace with the SSO administrator password
$roleName = 'MyRole'       # existing Role the new user will receive

$user = Read-Host -Prompt "New user"
$pswd1 = Read-Host -Prompt "Password" -AsSecureString
$pswd2 = Read-Host -Prompt "Confirm password" -AsSecureString

# Two SecureStrings cannot be compared with -ne directly. NetworkCredential
# exposes the decrypted text through .Password, which is what is compared.
# The user name and domain arguments are dummies and are not used.
$cred1 = New-Object System.Net.NetworkCredential("TestUsername", $pswd1, "TestDomain")
$cred2 = New-Object System.Net.NetworkCredential("TestUsername", $pswd2, "TestDomain")

if ($cred1.Password -ne $cred2.Password) {
  Write-Host "Passwords do not match"
} else {
  # -SkipCertificateCheck disables TLS verification of the SSO endpoint;
  # remove it once the vCenter certificate is trusted on this machine.
  $ssoServer = Connect-SsoAdminServer -Server $global:defaultviserver.name -User "$ssoUser@$ssoDomain" -Password $ssoPswd -SkipCertificateCheck

  if (Get-SsoPersonUser -Name $user -Domain $ssoDomain) {
    Write-Host "User already exists"
  } else {
    # Create the SSO user in the default domain ...
    $newUser = New-SsoPersonUser -UserName $user -Password $cred1.Password -Description "New user created via script"
    # ... then grant it the Role through a Permission on the vCenter root folder.
    $root = Get-Folder -Name 'Datacenters'
    $role = Get-VIRole -Name $roleName
    # -User is a switch on Get-VIAccount; the account name goes in -Name.
    $viUser = Get-VIAccount -Name $newUser.Name -Domain $newUser.Domain -User
    $perm = New-VIPermission -Entity $root -Principal $viUser -Role $role
  }

  Disconnect-SsoAdminServer -Server $ssoServer
}

Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference


18 Replies
LucD
Leadership

That just reads the user and password.
I would at least add the -AsSecureString switch on the Read-Host for the password.



lElOUCHE_79
Enthusiast

Yes, I forgot to add -AsSecureString.

So in that way it's like I did the same thing as from the GUI, right?

LucD
Leadership

No, like I said earlier, that just reads the user and password.

You would still need to create the user, eventually the role, and then assign the permission with a Role.
Which GUI screen are you talking about?
What kind of user are you creating? In which domain?



lElOUCHE_79
Enthusiast

For the domain, it's @vsphere.local.

Which GUI screen are you talking about? I mean the one below:

[Screenshot 2023-12-05 221859.png]

The role is already created and the user will be assigned to that role.

LucD
Leadership

Where do you assign a Role to that User?
That is done when you set a Permission.


lElOUCHE_79
Enthusiast
LucD
Leadership

I'm totally confused now.
That script, which you never replied to or confirmed it works, just checks/removes/adds privileges to Roles.

What does that script have to do with creating a user and "assigning a role" to that user?


lElOUCHE_79
Enthusiast

I’m sorry, you’re right, I just corrected my mistake and I indicated that it’s resolved.
The script provided me with the idea to add a user. I had a thought: why not create a user for this role if it's not already present?
I am sorry for forgetting to mention the topic as a solution.

LucD
Leadership

Again, you can't assign a Role to a User without creating a Permission.

On which GUI screen can you create a User and assign a Role without creating a Permission?


lElOUCHE_79
Enthusiast

That explains my problem; it's my understanding of things.

Permission, do you mean privileges?

LucD
Leadership

No, privileges are the "rights" a specific Role has.

A Permission is when you assign a Role to a Principal (a user or group) in a specific location in the vCenter hierarchy.
For a more detailed explanation of the vSphere security concepts, have a look at Securing vCenter Server using roles, privileges and permissions.


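The three layers LucD describes, as an added PowerCLI example that is not code from the thread: privileges are selected by Id, bundled into a Role, and the Role is bound to a principal on one inventory object through a Permission. Nothing is granted until the last step. It assumes an open Connect-VIServer session, an existing SSO user vmoperator in vsphere.local and a VM folder named Prod-VMs; those names are made up for the example.

```powershell
#requires -Modules VMware.VimAutomation.Core
# Added example, not code from the thread. Assumes Connect-VIServer has
# already been run. The principal, role and folder names are made up.

$roleName   = 'VM Operator (example)'
$userName   = 'vmoperator'        # existing SSO person user
$userDomain = 'vsphere.local'
$target     = Get-Folder -Name 'Prod-VMs' -Type VM

# 1. Privileges: the individual rights, selected by their Id.
#    The System.* privileges are needed for the principal to see objects at all.
$privIds = @(
  'System.Anonymous', 'System.View', 'System.Read',
  'VirtualMachine.Interact.PowerOn',
  'VirtualMachine.Interact.PowerOff',
  'VirtualMachine.Interact.ConsoleInteract'
)
$privs = Get-VIPrivilege -Id $privIds

# 2. Role: a named bundle of privileges. Reuse it if it already exists.
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
  $role = New-VIRole -Name $roleName -Privilege $privs
}

# 3. Permission: Role + principal + location in the inventory.
#    -Propagate:$true applies it to everything below the folder as well.
$account  = Get-VIAccount -Name $userName -Domain $userDomain -User
$existing = Get-VIPermission -Entity $target -Principal $account -ErrorAction SilentlyContinue
if (-not $existing) {
  New-VIPermission -Entity $target -Principal $account -Role $role -Propagate:$true | Out-Null
}

# Verify: on which objects does this principal hold which Role?
Get-VIPermission -Principal $account |
  Select-Object Principal, Role, @{N = 'Entity'; E = { $_.Entity.Name }}, Propagate
```

Scoping the Permission to a folder rather than the vCenter root, as the thread's script does, is the least-privilege version of the same idea: the Role is identical, only the location differs.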
dsherikar
Contributor

LucD,

Please help me find all the extension properties available for a VM or VMHost, like the options under ExtensionData.Guest and ExtensionData.Config. I know of only a few, like Guest.ToolsRunningStatus and Guest.ToolsVersion.

lElOUCHE_79
Enthusiast

Hi @LucD 

Thank you for your help.

Would you please help me understand the 2 lines below?

I'm not sure what the reason for the cred is.

$cred1 = New-Object System.Net.NetworkCredential("TestUsername", $pswd1, "TestDomain")
$cred2 = New-Object System.Net.NetworkCredential("TestUsername", $pswd2, "TestDomain")

LucD
Leadership

They are there to be able to check that the passwords you entered are the same.


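An added example, not LucD's code, that shows what the two NetworkCredential lines do and wraps the read-and-confirm step in a reusable function. It also replaces the hard-coded SSO administrator password from the script with Get-Credential; the -Password parameter of Connect-SsoAdminServer takes a plain string, so the credential is unwrapped only at the call. The prompts and the description text are placeholders, and an existing Connect-VIServer session is assumed.

```powershell
#requires -Modules VMware.vSphere.SsoAdmin
# Added example, not code from the thread. Assumes an open Connect-VIServer session.

function Read-ConfirmedPassword {
  param([string]$Prompt = 'Password', [int]$MinLength = 8)

  $first  = Read-Host -Prompt $Prompt -AsSecureString
  $second = Read-Host -Prompt "Confirm $Prompt" -AsSecureString

  # Two SecureStrings are never equal under -eq, even with identical contents,
  # so the check has to be done on the decrypted text. NetworkCredential does
  # that decryption through its .Password property; the user name argument is
  # irrelevant here, which is why the thread's script passes dummy values.
  $a = [System.Net.NetworkCredential]::new('', $first).Password
  $b = [System.Net.NetworkCredential]::new('', $second).Password
  if ($a -ne $b) { throw 'Passwords do not match' }
  if ($a.Length -lt $MinLength) { throw "Password must be at least $MinLength characters" }

  return $first   # hand back the SecureString, not the plain text
}

# SSO administrator: prompt for it instead of keeping 'VMware1!' in the script.
$ssoCred = Get-Credential -Message 'SSO administrator (administrator@vsphere.local)'

$newUser = Read-Host -Prompt 'New user'
$newPswd = Read-ConfirmedPassword -Prompt 'Password for new user'

# -Password is a [string]; unwrap the PSCredential only at the call site.
# -SkipCertificateCheck is kept from the thread's script; drop it once the
# vCenter certificate is trusted on this machine.
$ssoServer = Connect-SsoAdminServer -Server $global:defaultviserver.name `
  -User $ssoCred.UserName -Password $ssoCred.GetNetworkCredential().Password -SkipCertificateCheck
try {
  New-SsoPersonUser -UserName $newUser `
    -Password ([System.Net.NetworkCredential]::new('', $newPswd).Password) `
    -Description 'Created via script'
} finally {
  Disconnect-SsoAdminServer -Server $ssoServer   # always release the SSO session
}
```

The plain-text password still exists briefly in memory, because New-SsoPersonUser only accepts a string; keeping it out of long-lived variables and out of the script file itself is what the function buys you.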

lElOUCHE_79
Enthusiast

Thank you very much; then I will replace TestUsername & TestDomain with variables 😉

LucD
Leadership

I assumed you wanted to use the Read-Host, but yes, you can also store the values in variables.
And then you don't have to do the comparison.



lElOUCHE_79
Enthusiast

@LucD 
Your help and assistance are always appreciated. Your help and assistance allow me to learn more and more. Thank you.
