PowerCLI

Hi together,
I try to add a local admin user to ESX hosts in a VCenter.
Adding the user works well. But, adding it to the admin group failed.

Adding it in the cli with IP of the host as server it works:
$rootFolder = Get-Folder -NoRecursion
New-VIPermission -server 192.168.2.122 -Entity $rootFolder -Principal admin2 -Role Admin -Propagate $true -Confirm:$false

With the script not.

Script snippet:

###############################################
# Update password on each host
###############################################
                    
foreach ($vmhost in $vmhosts) {
                            

        Connect-VIServer -Server $vmhost.name -Credential $vccreds
        write-host $vmhost.name
       # new user
                           
       New-VMHostAccount -Id admin2 -Password $NewPassword  -Description "2. admin account"  
       $rootFolder = Get-Folder -NoRecursion

       New-VIPermission -Entity $rootFolder -Principal admin2 -Role Admin -Propagate $true -Confirm:$false
                            
       Disconnect-VIServer -Server $vmhost -Confirm:$false

       $vmhostcount++

       }
                    
   
Thanks in advance for any ideas.

Kind regards,

Christoph         

When you run the cmdlet via the prompt, are you connected to the ESXi node or a vCenter?
Are there multiple connections open? Check what is in $global:defaultVIServers.

Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Hi together,
I try to add a local admin user to ESX hosts in a VCenter.
Adding the user works well. But, adding it to the admin group failed.

Adding it in the cli with IP of the host as server it works:
$rootFolder = Get-Folder -NoRecursion
New-VIPermission -server 192.168.2.122 -Entity $rootFolder -Principal admin2 -Role Admin -Propagate $true -Confirm:$false

With the script not.

Script snippet:

###############################################
# Update password on each host
###############################################
                    
foreach ($vmhost in $vmhosts) {
                            

        Connect-VIServer -Server $vmhost.name -Credential $vccreds
        write-host $vmhost.name
       # new user
                           
       New-VMHostAccount -Id admin2 -Password $NewPassword  -Description "2. admin account"  
       $rootFolder = Get-Folder -NoRecursion

       New-VIPermission -Entity $rootFolder -Principal admin2 -Role Admin -Propagate $true -Confirm:$false
                            
       Disconnect-VIServer -Server $vmhost -Confirm:$false

       $vmhostcount++

       }
                    
   
Thanks in advance for any ideas.

Kind regards,

Christoph         

$global:defaultVIServers:

It shows me my 4 server, where I tried to add the user.

PS C:\Powercli> $global:defaultVIServers

Name                           Port  User                          
----                           ----  ----                          
server01.test.local... 443   LAB\admin01                
server02.test.local... 443   LAB\admin01   
server03.test.local... 443   LAB\admin01   
server04.test.local... 443   LAB\admin01   

I first connect to the VCenter to get the hosts.

###############################################
              # connect to each vCenter/disconnect when done
              ###############################################
              foreach ($vc in $vcenter_list) {
                     connect-viserver -Server $vc -Credential $vccreds -WarningAction SilentlyContinue -ErrorAction Stop | out-null
                     write-host -ForegroundColor Green "Adding AD group read-only to ($vc) `($vccount of $($vcenter_list.count)`)"
                     $vmhosts = get-vmhost | Where-Object { $_.ConnectionState -eq "Connected" -or $_.ConnectionState -eq "Maintenance" }
                     $dchosts = get-vmhost | Where-Object { $_.ConnectionState -eq "Disconnected" -or $_.ConnectionState -eq "NotResponding " }
                     $dclist += $dchosts
                     disconnect-viserver -confirm:$false *

Afterwards I connect inside the loop to the hosts.

When you run the cmdlet via the prompt, are you connected to the ESXi node or a vCenter?
Are there multiple connections open? Check what is in $global:defaultVIServers.

Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Hi together,
I try to add a local admin user to ESX hosts in a VCenter.
Adding the user works well. But, adding it to the admin group failed.

Adding it in the cli with IP of the host as server it works:
$rootFolder = Get-Folder -NoRecursion
New-VIPermission -server 192.168.2.122 -Entity $rootFolder -Principal admin2 -Role Admin -Propagate $true -Confirm:$false

With the script not.

Script snippet:

###############################################
# Update password on each host
###############################################
                    
foreach ($vmhost in $vmhosts) {
                            

        Connect-VIServer -Server $vmhost.name -Credential $vccreds
        write-host $vmhost.name
       # new user
                           
       New-VMHostAccount -Id admin2 -Password $NewPassword  -Description "2. admin account"  
       $rootFolder = Get-Folder -NoRecursion

       New-VIPermission -Entity $rootFolder -Principal admin2 -Role Admin -Propagate $true -Confirm:$false
                            
       Disconnect-VIServer -Server $vmhost -Confirm:$false

       $vmhostcount++

       }
                    
   
Thanks in advance for any ideas.

Kind regards,

Christoph         

If you have multiple connections open it would be best to use the Server parameter on the cmdlets.
That way you can tell explicitly where the cmdlet should execute

Like

New-VMHostAccount -Id admin2 -Password $NewPassword  -Description "2. admin account"  -Server $vmhost.name

Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

$global:defaultVIServers:

It shows me my 4 server, where I tried to add the user.

PS C:\Powercli> $global:defaultVIServers

Name                           Port  User                          
----                           ----  ----                          
server01.test.local... 443   LAB\admin01                
server02.test.local... 443   LAB\admin01   
server03.test.local... 443   LAB\admin01   
server04.test.local... 443   LAB\admin01   

I first connect to the VCenter to get the hosts.

###############################################
              # connect to each vCenter/disconnect when done
              ###############################################
              foreach ($vc in $vcenter_list) {
                     connect-viserver -Server $vc -Credential $vccreds -WarningAction SilentlyContinue -ErrorAction Stop | out-null
                     write-host -ForegroundColor Green "Adding AD group read-only to ($vc) `($vccount of $($vcenter_list.count)`)"
                     $vmhosts = get-vmhost | Where-Object { $_.ConnectionState -eq "Connected" -or $_.ConnectionState -eq "Maintenance" }
                     $dchosts = get-vmhost | Where-Object { $_.ConnectionState -eq "Disconnected" -or $_.ConnectionState -eq "NotResponding " }
                     $dclist += $dchosts
                     disconnect-viserver -confirm:$false *

Afterwards I connect inside the loop to the hosts.

When you run the cmdlet via the prompt, are you connected to the ESXi node or a vCenter?
Are there multiple connections open? Check what is in $global:defaultVIServers.

Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Hi together,
I try to add a local admin user to ESX hosts in a VCenter.
Adding the user works well. But, adding it to the admin group failed.

Adding it in the cli with IP of the host as server it works:
$rootFolder = Get-Folder -NoRecursion
New-VIPermission -server 192.168.2.122 -Entity $rootFolder -Principal admin2 -Role Admin -Propagate $true -Confirm:$false

With the script not.

Script snippet:

###############################################
# Update password on each host
###############################################
                    
foreach ($vmhost in $vmhosts) {
                            

        Connect-VIServer -Server $vmhost.name -Credential $vccreds
        write-host $vmhost.name
       # new user
                           
       New-VMHostAccount -Id admin2 -Password $NewPassword  -Description "2. admin account"  
       $rootFolder = Get-Folder -NoRecursion

       New-VIPermission -Entity $rootFolder -Principal admin2 -Role Admin -Propagate $true -Confirm:$false
                            
       Disconnect-VIServer -Server $vmhost -Confirm:$false

       $vmhostcount++

       }
                    
   
Thanks in advance for any ideas.

Kind regards,

Christoph         

Hi Luc,

thanks, will add it

Best

Christoph

If you have multiple connections open it would be best to use the Server parameter on the cmdlets.
That way you can tell explicitly where the cmdlet should execute

Like

New-VMHostAccount -Id admin2 -Password $NewPassword  -Description "2. admin account"  -Server $vmhost.name

Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

$global:defaultVIServers:

It shows me my 4 server, where I tried to add the user.

PS C:\Powercli> $global:defaultVIServers

Name                           Port  User                          
----                           ----  ----                          
server01.test.local... 443   LAB\admin01                
server02.test.local... 443   LAB\admin01   
server03.test.local... 443   LAB\admin01   
server04.test.local... 443   LAB\admin01   

I first connect to the VCenter to get the hosts.

###############################################
              # connect to each vCenter/disconnect when done
              ###############################################
              foreach ($vc in $vcenter_list) {
                     connect-viserver -Server $vc -Credential $vccreds -WarningAction SilentlyContinue -ErrorAction Stop | out-null
                     write-host -ForegroundColor Green "Adding AD group read-only to ($vc) `($vccount of $($vcenter_list.count)`)"
                     $vmhosts = get-vmhost | Where-Object { $_.ConnectionState -eq "Connected" -or $_.ConnectionState -eq "Maintenance" }
                     $dchosts = get-vmhost | Where-Object { $_.ConnectionState -eq "Disconnected" -or $_.ConnectionState -eq "NotResponding " }
                     $dclist += $dchosts
                     disconnect-viserver -confirm:$false *

Afterwards I connect inside the loop to the hosts.

When you run the cmdlet via the prompt, are you connected to the ESXi node or a vCenter?
Are there multiple connections open? Check what is in $global:defaultVIServers.

Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Hi together,
I try to add a local admin user to ESX hosts in a VCenter.
Adding the user works well. But, adding it to the admin group failed.

Adding it in the cli with IP of the host as server it works:
$rootFolder = Get-Folder -NoRecursion
New-VIPermission -server 192.168.2.122 -Entity $rootFolder -Principal admin2 -Role Admin -Propagate $true -Confirm:$false

With the script not.

Script snippet:

###############################################
# Update password on each host
###############################################
                    
foreach ($vmhost in $vmhosts) {
                            

        Connect-VIServer -Server $vmhost.name -Credential $vccreds
        write-host $vmhost.name
       # new user
                           
       New-VMHostAccount -Id admin2 -Password $NewPassword  -Description "2. admin account"  
       $rootFolder = Get-Folder -NoRecursion

       New-VIPermission -Entity $rootFolder -Principal admin2 -Role Admin -Propagate $true -Confirm:$false
                            
       Disconnect-VIServer -Server $vmhost -Confirm:$false

       $vmhostcount++

       }
                    
   
Thanks in advance for any ideas.

Kind regards,

Christoph         

I never had good results with the 'New-VMHostAccount'. My script still uses the old school ESXICLI commands. One thing to note is that you need to have Lockdown mode disabled for a lot of local user account manipulation. 

My code:

Function Lockdownchange ( $value ) {
# Options are 'lockdowndisabled' and 'lockdownNormal'
# Change lockdown
Write-host -ForegroundColor Green "Lockdown mode set to: $value"
    $level = $value
    $vmView = Get-VMHost $esx | Get-View
    $lockdown = Get-View $vmView.ConfigManager.HostAccessManager
    $lockdown.ChangeLockdownMode($level)
}

$localuser = "local_admin"
$vmhosts = Get-VMHost | where {$_.ConnectionState -eq "Connected"}
ForEach ($esx in $VMHosts) {
    Write-Host "`n$esx"
    Lockdownchange 'lockdowndisabled'
    # Set Permission
    $esxcli = Get-EsxCli -VMHost $esx -V2 
    $esxcliArgs = $esxcli.system.permission.set.CreateArgs()
    $esxcliArgs.id = $localuser
    $esxcliArgs.role = 'Admin'
    $esxcli.system.permission.set.Invoke($esxcliArgs)
    Lockdownchange 'lockdownNormal'
}

YMMV

Hi Luc,

thanks, will add it

Best

Christoph

If you have multiple connections open it would be best to use the Server parameter on the cmdlets.
That way you can tell explicitly where the cmdlet should execute

Like

New-VMHostAccount -Id admin2 -Password $NewPassword  -Description "2. admin account"  -Server $vmhost.name

Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

$global:defaultVIServers:

It shows me my 4 server, where I tried to add the user.

PS C:\Powercli> $global:defaultVIServers

Name                           Port  User                          
----                           ----  ----                          
server01.test.local... 443   LAB\admin01                
server02.test.local... 443   LAB\admin01   
server03.test.local... 443   LAB\admin01   
server04.test.local... 443   LAB\admin01   

I first connect to the VCenter to get the hosts.

###############################################
              # connect to each vCenter/disconnect when done
              ###############################################
              foreach ($vc in $vcenter_list) {
                     connect-viserver -Server $vc -Credential $vccreds -WarningAction SilentlyContinue -ErrorAction Stop | out-null
                     write-host -ForegroundColor Green "Adding AD group read-only to ($vc) `($vccount of $($vcenter_list.count)`)"
                     $vmhosts = get-vmhost | Where-Object { $_.ConnectionState -eq "Connected" -or $_.ConnectionState -eq "Maintenance" }
                     $dchosts = get-vmhost | Where-Object { $_.ConnectionState -eq "Disconnected" -or $_.ConnectionState -eq "NotResponding " }
                     $dclist += $dchosts
                     disconnect-viserver -confirm:$false *

Afterwards I connect inside the loop to the hosts.

When you run the cmdlet via the prompt, are you connected to the ESXi node or a vCenter?
Are there multiple connections open? Check what is in $global:defaultVIServers.

Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Hi together,
I try to add a local admin user to ESX hosts in a VCenter.
Adding the user works well. But, adding it to the admin group failed.

Adding it in the cli with IP of the host as server it works:
$rootFolder = Get-Folder -NoRecursion
New-VIPermission -server 192.168.2.122 -Entity $rootFolder -Principal admin2 -Role Admin -Propagate $true -Confirm:$false

With the script not.

Script snippet:

###############################################
# Update password on each host
###############################################
                    
foreach ($vmhost in $vmhosts) {
                            

        Connect-VIServer -Server $vmhost.name -Credential $vccreds
        write-host $vmhost.name
       # new user
                           
       New-VMHostAccount -Id admin2 -Password $NewPassword  -Description "2. admin account"  
       $rootFolder = Get-Folder -NoRecursion

       New-VIPermission -Entity $rootFolder -Principal admin2 -Role Admin -Propagate $true -Confirm:$false
                            
       Disconnect-VIServer -Server $vmhost -Confirm:$false

       $vmhostcount++

       }
                    
   
Thanks in advance for any ideas.

Kind regards,

Christoph