One comment PowerCLI, The Tech Center, vSphere

Provision a limited access Domain user on an ESXi

Posted by

Introduction:

While working with ESXi 6.5 & 6.7 I noticed that there is no UI option available to provision  a domain user. The PowerCLI cmdlet New-VIPermission also fails to query and add permission for domain user.

The only option to achieve this is using SSH session to the host. The command that can be used on the SSH console to achieve this is

Syntax: 

vim-cmd vimsvc/auth/entity_permission_add <Folder> <user/group>  <isGroup> <Role> <propagate>

Sample command:

vim-cmd vimsvc/auth/entity_permission_add vim.Folder:ha-folder-root '[email protected]' false 'ManageUsers' yes

This can be a night mare for a large-scale setup.  This blog presents a PowerCLI based solution to this issue.

Dependencies:

  • The solution uses plink.exe. Hence, make sure to install Putty before using the code presented
  • Working PoweCLI setup. You may refer here for details
  • The ESXi host SSH keys must be part of Putty known hosts  prior to executing the code presented

Code:

Start-Transcript -Append -Path "$env:USERPROFILE\Documents\creatuser.log"
$vCenterIP = Read-Host "Enter vCenter IP or Name where the operation needs to be executed"
$myDatacenter = Read-Host "Enter Datacenter Name where the operation needs to be executed"
$Cluster = Read-Host "Enter Cluster Name where the operation needs to be executed"
$userName = Read-Host "Enter the domain user name that you want to be added to the host[[email protected]]"
$RoleName = Read-Host "Enter the Role that you want to provision for $userName"
$MyPrivilege = Read-Host "Enter the Privilege you would to assign to $RoleName"
#update this variable to the plink location in case the putty is installed on a non-default location
$PlinkPath = '"C:\Program Files\PuTTY\plink.exe"'
Connect-VIServer $vCenterIP
$Myhosts = Get-Datacenter $myDatacenter | Get-Cluster $Cluster | Get-VMHost
#Preparing password file
echo "HostName,UserName,Password" | Out-File -FilePath $env:USERPROFILE\Documents\Passwordfile.csv
foreach ($Myhost in $Myhosts)
{
echo "$Myhost," |Out-File -Append -FilePath $env:USERPROFILE\Documents\Passwordfile.csv
 }
Disconnect-VIServer -Server $vCenterIP -Confirm:$false
#Validation Prompt
$Execute = "No"
While ($Execute -ne "yes")
{
Write-Host -ForegroundColor Red "Update the password file at $env:USERPROFILE\Documents\Passwordfile.csv"
$Execute=Read-Host "Enter yes to continue excution, make sure that password file is updated"
}
$Myhosts = Import-Csv $env:USERPROFILE\Documents\Passwordfile.csv
foreach ($Myhost in $Myhosts)
{
Connect-VIServer -Server $Myhost.HostName -User $Myhost.UserName -Password $Myhost.Password
$Privilege = Get-VIPrivilege -Name $MyPrivilege -Server $Myhost.HostName
New-VIRole -Name $RoleName -Privilege $Privilege -Server $Myhost.HostName
$sshService = Get-VmHostService -VMHost $Myhost.HostName | Where { $_.Key -eq “TSM-SSH”}
Start-VMHostService -HostService $sshService -Confirm:$false
$pass = $Myhost.Password
$usr = $Myhost.UserName
$hIP = $Myhost.HostName
invoke-expression "cmd /c echo y | $PlinkPath -ssh -batch -pw $pass -l $usr $hIP vim-cmd vimsvc/auth/entity_permission_add vim.Folder:ha-folder-root $userName false $RoleName yes"
Stop-VMHostService -HostService $sshService -Confirm:$false
}
Stop-Transcript

One comment

  1. plink commands fails with rsa thumbprint.
    If we remove the -batch in the command we can by pass the verification of thumbprint.

Comments are closed.