To create a user in vCenter via the GUI, it is necessary to add the user and password in the 'Users' section and then associate it with a role.
If it is done on the command line, do I have to provide the information in the console?
Can I do it that way?
$user = Read-Host "Enter the user name (DOMAIN\User or user@domain.com)"
$UserPassword = Read-Host "Enter the user password"
I do have a script that creates an SSO user in the default domain.
Then it creates a permission on the vCenter root for that user with a specified Role.
It requires that module VMware.vSphere.SsoAdmin is installed.
The script
#requires -Modules VMware.vSphere.SsoAdmin
# SSO administrator account used to connect, and the role to assign
$ssoUser = 'administrator'
$ssoDomain = 'vsphere.local'
$ssoPswd = 'VMware1!'
$role = 'MyRole'
$user = Read-Host -Prompt "New user"
$pswd1 = Read-Host -Prompt "Password" -AsSecureString
$pswd2 = Read-Host -Prompt "Confirm password" -AsSecureString
# Wrap the SecureStrings in NetworkCredential objects so the two entries can be compared
$cred1 = New-Object System.Net.NetworkCredential("TestUsername", $pswd1, "TestDomain")
$cred2 = New-Object System.Net.NetworkCredential("TestUsername", $pswd2, "TestDomain")
# -cne compares case-sensitively; -ne would treat 'Secret' and 'secret' as equal
if ($cred1.Password -cne $cred2.Password) {
    Write-Host "Passwords do not match"
} else {
    $ssoServer = Connect-SsoAdminServer -Server $global:defaultviserver.name -User "$ssoUser@$ssoDomain" -Password $ssoPswd -SkipCertificateCheck
    if (Get-SsoPersonUser -Name $user -Domain $ssoDomain) {
        Write-Host "User already exists"
    } else {
        # Create the SSO user, then create the permission (role + principal) on the vCenter root folder
        $ssoUser = New-SsoPersonUser -UserName $user -Password $cred1.Password -Description "New user created via script"
        $root = Get-Folder -Name 'Datacenters'
        $role = Get-VIRole -Name $role
        $viUser = Get-VIAccount -User $ssoUser.Name -Domain $ssoUser.Domain
        $perm = New-VIPermission -Entity $root -Principal $viUser -Role $role
    }
    Disconnect-SsoAdminServer -Server $ssoServer
}
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
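A variant of the script above that prompts for the SSO administrator credential instead of storing the password in the file, and reads the new permission back after creating it. This is an added example, not the poster's code; it assumes an existing Connect-VIServer session, a vCenter certificate that the client trusts (so -SkipCertificateCheck is dropped), and the role name 'MyRole' used in the thread.

```powershell
#requires -Modules VMware.vSphere.SsoAdmin
# Added example, not the original script from the thread.
# Assumptions: an active Connect-VIServer session and an existing role 'MyRole'.
$ssoDomain = 'vsphere.local'
$roleName  = 'MyRole'

# Prompt for the SSO administrator so no password is kept in the script file
$adminCred = Get-Credential -Message "SSO administrator (user@$ssoDomain)"
$newUser   = Read-Host -Prompt 'New user'
$pswd1     = Read-Host -Prompt 'Password' -AsSecureString
$pswd2     = Read-Host -Prompt 'Confirm password' -AsSecureString

# SecureString objects cannot be compared directly; unwrap them only for the check
$plain1 = [System.Net.NetworkCredential]::new('', $pswd1).Password
$plain2 = [System.Net.NetworkCredential]::new('', $pswd2).Password

# -cne is case-sensitive, so 'Secret' and 'secret' count as a mismatch
if ($plain1 -cne $plain2) {
    Write-Warning 'Passwords do not match'
    return
}

# No -SkipCertificateCheck: the vCenter certificate is validated (assumed trusted)
$conn = Connect-SsoAdminServer -Server $global:DefaultVIServer.Name `
    -User $adminCred.UserName -Password $adminCred.GetNetworkCredential().Password
try {
    if (Get-SsoPersonUser -Name $newUser -Domain $ssoDomain) {
        Write-Warning "User $newUser@$ssoDomain already exists"
    } else {
        $ssoUser = New-SsoPersonUser -UserName $newUser -Password $plain1 `
            -Description 'New user created via script'
        $root    = Get-Folder -Name 'Datacenters'
        $viUser  = Get-VIAccount -User $ssoUser.Name -Domain $ssoUser.Domain
        $role    = Get-VIRole -Name $roleName
        New-VIPermission -Entity $root -Principal $viUser -Role $role | Out-Null

        # Read the permission back to confirm which role landed on which entity
        Get-VIPermission -Entity $root -Principal $viUser |
            Select-Object Entity, Principal, Role, Propagate
    }
} finally {
    # Always close the SSO session and drop the plaintext copies
    Disconnect-SsoAdminServer -Server $conn
    Remove-Variable plain1, plain2 -ErrorAction SilentlyContinue
}
```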
That just reads the user and password.
I would at least add the -AsSecureString switch on the Read-Host for the password.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Yes, I forgot to add -AsSecureString.
So in that way it's like I made the same thing from GUI, right?
No, like I said earlier that just reads the user and password.
You would still need to create the user, eventually the role, and then assign the permission with a Role.
Which GUI screen are you talking about?
What kind of user are you creating? In which domain?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
For the domain, it's @vsphere.local.
Which GUI screen are you talking about? I mean the below
The role is already created and the user will be assigned to that role.
Where do you assign a Role to that User?
That is done when you set a Permission.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
the script is here Remove privileges if it's not included in TXT file
I'm totally confused now.
That script, which you never replied to or confirmed it works, just checks/removes/adds privileges to Roles.
What does that script have to do with creating a user and "assigning a role" to that user?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
I’m sorry, you’re right, I just corrected my mistake and I indicated that it’s resolved.
The script provided me with the idea to add a user. I had a thought: why not create a user for this role if it's not already present?
I am sorry for forgetting to mention the topic as a solution.
Again, you can't assign a Role to a User without creating a Permission.
On which GUI screen can you create a User and assign a Role without creating a Permission?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
It explains my problem, it’s my understanding of things.
Permission, do you mean privileges?
No, privileges are the "rights" a specific Role has.
A Permission is when you assign a Role to a Principal (a user or group) in a specific location in the vCenter hierarchy.
For a more detailed explanation of the vSphere security concept, have a look at Securing vCenter Server using roles, privileges and permissions.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
LucD,
Please help me find all the extension properties available for a VM or VMHost, like the options under extensiondata.guest and extensiondata.config. I know of only a few, like guest.toolsrunningstatus, guest.toolsversion.
Hi @LucD
Thank you for your help.
Would you please help me to understand the 2 lines below?
Not sure what's the reason for cred?
$cred1 = New-Object System.Net.NetworkCredential("TestUsername", $pswd1, "TestDomain")
$cred2 = New-Object System.Net.NetworkCredential("TestUsername", $pswd2, "TestDomain")
They are there to be able to check that the passwords you entered are the same.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Thank you very much, then I will change TestUsername & TestDomain with variable 😉
I assumed you wanted to use the Read-Host, but yes, you can also store the values in variables.
And then you don't have to do the comparison.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
@LucD
Your help and assistance are always appreciated. Your help and assistance allow me to learn more and more. Thank you.