PowerCLI

  • 1.  PowerCLI command for add AD users to ESXi

    Posted Jan 08, 2024 01:15 PM

    Hi all,

    I want to add an AD user to an ESXi host using PowerCLI. The process works fine through ESXi's HTML UI, but I need a PowerCLI command.

    So if I go to the Actions->Permissions tab on the ESXi UI, I can see both local and added AD users.

    However, through PowerCLI, you only see local users even during the query:

    PS C:\Windows\system32> Get-VMHostAccount

    We have already found how to add a local user, and it works:

    PS C:\Windows\system32> New-VMHostAccount -Id test1 -Password XXX

    PS C:\Windows\system32> New-VIPermission -Entity (Get-Folder root) -Principal test1 -Role Admin

    But when we want to add an AD user, it just doesn't work with any command. Does anyone have a command to add an AD user?

    Additional information:

    - ESXi 8.0U1

    - The ESXi host is managed by a vCenter Server.

    - The ESXi host is joined to the domain from which we would like to assign users for the host.

    Thank you for your help!

    Mark

     



  • 2.  RE: PowerCLI command for add AD users to ESXi

    Posted Jan 08, 2024 02:51 PM


  • 3.  RE: PowerCLI command for add AD users to ESXi

    Posted Jan 11, 2024 09:55 AM

    Hi,

    Thank you for your reply!

    I read the blog that you linked, and the commands don't work:

    PS C:\Windows\system32> Get-VIAccount -Domain "YY" -User -Id "ZZ"
    Get-VIAccount : 09/01/2024 13:36:13 Get-VIAccount VIAccount with id 'ZZ' was not found using the specified
    filter(s).
    At line:1 char:1
    + Get-VIAccount -Domain "YY" -User -Id "ZZ"
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (:) [Get-VIAccount], VimException
    + FullyQualifiedErrorId : Core_OutputHelper_WriteNotFoundError,VMware.VimAutomation.ViCore.Cmdlets.Commands.Permis
    sionManagement.GetVIAccount

     

    PS C:\Windows\system32> New-VIPermission -Entity XX -Principal "YY\ZZ" -Role Admin
    New-VIPermission : 09/01/2024 13:10:02 New-VIPermission A general system error occurred: Error accessing directory: Can't set LDAP options.
    At line:1 char:1
    + New-VIPermission -Entity XX -Principal "YY\ZZ ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [New-VIPermission], SystemError
    + FullyQualifiedErrorId : Client20_VmHostServiceImpl_RetrieveUserGroups_ViError,VMware.VimAutomation.ViCore.Cmdlets.Commands.PermissionManagement.NewVIPermission

    We tested it in 3 different vSphere environments, 2 of which are connected to the same AD, and in the case of the third one, even the AD is completely different. The error message is the same everywhere.

    Do you have any ideas?

    Regards,

    Mark



  • 4.  RE: PowerCLI command for add AD users to ESXi

    Posted Jan 11, 2024 10:15 AM

    There may be additional controls like:

    • DNS servers configured for the host can resolve the host names for the Active Directory controllers
    • Synchronize the time between your ESXi host and the directory service system

    Check if your systems are fully joined to the domain:

    Get-VMHostAuthentication -VMHost <VMHost> | Set-VMHostAuthentication -Domain <domain fullname> -User <domain user name> -Password <password> -JoinDomain -Confirm:$false

     

    Execute:

    $viAccount = Get-VIAccount -Domain <domain alias> -User -Id <user name>

     

    to understand whether you are fully synced with Active Directory or not.

    If yes, you can use:

    $viAccount = Get-VIAccount -Domain <domain alias> -User -Id <user name>
    $viRole = Get-VIRole -Name <role name>
    New-VIPermission -Principal $viAccount -Role $viRole -Entity <VMHost>
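
The checks and the permission grant from the reply above, combined into one PowerCLI script as an added example (not code from any poster in this thread). It assumes a direct connection to the ESXi host; the host name, domain alias, account name and role are placeholders.

```powershell
# Added example: every value below is a placeholder, replace before use.
$esxHost     = 'esx01.example.test'   # placeholder ESXi host FQDN
$domainAlias = 'EXAMPLE'              # placeholder domain alias (NetBIOS name)
$userId      = 'svc-esx-operator'     # placeholder AD account
$roleName    = 'ReadOnly'             # placeholder; use the least-privileged role that fits

# Connect straight to the host; prompt for credentials rather than embedding a password.
$server = Connect-VIServer -Server $esxHost -Credential (Get-Credential)
$vmHost = Get-VMHost -Server $server

# 1. Domain join state as the host itself reports it.
$auth = Get-VMHostAuthentication -VMHost $vmHost
if ($auth.DomainMembershipStatus -ne 'Ok') {
    throw "Host is not cleanly joined: domain='$($auth.Domain)' status='$($auth.DomainMembershipStatus)'"
}

# 2. DNS servers configured on the host (they must resolve the domain controllers).
$dns = (Get-VMHostNetwork -VMHost $vmHost).DnsAddress
if (-not $dns) { throw 'No DNS servers are configured on the host.' }

# 3. Time synchronization: Kerberos authentication is sensitive to clock skew.
$ntpServers = Get-VMHostNtpServer -VMHost $vmHost
$ntpd       = Get-VMHostService -VMHost $vmHost | Where-Object { $_.Key -eq 'ntpd' }
if (-not $ntpServers -or -not $ntpd.Running) {
    Write-Warning 'NTP is not configured or ntpd is not running on the host.'
}

# 4. Resolve the AD account; stop here if the host cannot look it up.
$viAccount = Get-VIAccount -Server $server -Domain $domainAlias -User -Id $userId -ErrorAction Stop

# 5. Grant the role on the host, then read the permission back to confirm it.
$viRole = Get-VIRole -Server $server -Name $roleName
New-VIPermission -Entity $vmHost -Principal $viAccount -Role $viRole -Propagate:$true | Out-Null
Get-VIPermission -Entity $vmHost -Principal $viAccount |
    Select-Object Entity, Principal, Role, IsGroup, Propagate
```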