add user in role using PowerCLI

  • 1.  add user in role using PowerCLI

    Posted Dec 05, 2023 09:01 PM

    To create a user in vCenter via the GUI, it is necessary to add the user and password in the 'Users' section and then associate it with a role.

    If it is done on the command line, do I have to provide the information in the console?
    Can I do it that way?

    $user = Read-Host "Enter the user name (DOMAIN\User or user@domain.com)"

    $UserPassword = Read-Host "Enter the user password"



  • 2.  RE: add user in role using PowerCLI

    Posted Dec 05, 2023 09:06 PM

    That just reads the user and password.
    I would at least add the -AsSecureString switch on the Read-Host for the password.



  • 3.  RE: add user in role using PowerCLI

    Posted Dec 05, 2023 09:09 PM

    Yes, I forgot to add -AsSecureString.

    So that way it's like I did the same thing from the GUI, right?



  • 4.  RE: add user in role using PowerCLI

    Posted Dec 05, 2023 09:16 PM

    No, like I said earlier that just reads the user and password.

    You would still need to create the user, eventually the role, and then assign the permission with a Role.
    Which GUI screen are you talking about?
    What kind of user are you creating? In which domain?




  • 5.  RE: add user in role using PowerCLI

    Posted Dec 05, 2023 09:21 PM

    For the domain, it's .local.

    Which GUI screen are you talking about? I mean the below 

    Screenshot 2023-12-05 221859.png

     

    The role is already created and the user will be assigned to that role.



  • 6.  RE: add user in role using PowerCLI

    Posted Dec 05, 2023 09:26 PM

    Where do you assign a Role to that User?
    That is done when you set a Permission.



  • 7.  RE: add user in role using PowerCLI

    Posted Dec 05, 2023 09:32 PM


  • 8.  RE: add user in role using PowerCLI

    Posted Dec 05, 2023 09:38 PM

    I'm totally confused now.
    That script, which you never replied to or confirmed it works, just checks/removes/adds privileges to Roles.

    What does that script have to do with creating a user and "assigning a role" to that user?



  • 9.  RE: add user in role using PowerCLI

    Posted Dec 05, 2023 09:50 PM

    I’m sorry, you’re right, I just corrected my mistake and I indicated that it’s resolved.
    The script provided me with the idea to add a user. I had a thought: why not create a user for this role if it's not already present?
    I am sorry for forgetting to mention the topic as a solution.



  • 10.  RE: add user in role using PowerCLI

    Posted Dec 05, 2023 09:53 PM

    Again, you can't assign a Role to a User without creating a Permission.

    On which GUI screen can you create a User and assign a Role without creating a Permission?



  • 11.  RE: add user in role using PowerCLI

    Posted Dec 05, 2023 09:58 PM

    It explains my problem, it’s my understanding of things.

    Permission, do you mean privileges?



  • 12.  RE: add user in role using PowerCLI

    Posted Dec 05, 2023 10:21 PM

    No, privileges are the "rights" a specific Role has.

    A Permission is when you assign a Role to a Principal (a user or group) in a specific location in the vCenter hierarchy.
    For a more detailed explanation of the vSphere security concept have a look at Securing vCenter Server using roles, privileges and permissions
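
The distinction drawn in the post above (privileges belong to a Role; a Permission binds a Role to a Principal at one place in the hierarchy) can be seen by listing what one principal actually holds. This is an added example, not code from the thread: the function name `Get-PrincipalAccessReport` and the sample principal are hypothetical, and it assumes a single vCenter connection made with Connect-VIServer.

```powershell
#requires -Modules VMware.VimAutomation.Core

function Get-PrincipalAccessReport {
  param(
    # Principal as vCenter shows it, e.g. 'VSPHERE.LOCAL\newuser' (constructed sample)
    [Parameter(Mandatory)][string]$Principal
  )

  # Root folder of the inventory; a propagating permission here covers everything below it
  $rootIds = @((Get-Folder -Name 'Datacenters').Id)

  # Each Permission ties one Principal to one Role at one Entity in the hierarchy
  foreach ($perm in Get-VIPermission -Principal $Principal) {
    # The Role is only a named set of privileges; it grants nothing until a Permission uses it
    $role = Get-VIRole -Name $perm.Role

    [pscustomobject]@{
      Principal      = $perm.Principal
      IsGroup        = $perm.IsGroup
      Entity         = $perm.Entity.Name
      Role           = $role.Name
      SystemRole     = $role.IsSystem
      Propagate      = $perm.Propagate
      WholeInventory = ($rootIds -contains $perm.EntityId) -and $perm.Propagate
      PrivilegeCount = @($role.PrivilegeList).Count
      Privileges     = $role.PrivilegeList
    }
  }
}

# Usage against the connected vCenter:
# Get-PrincipalAccessReport -Principal 'VSPHERE.LOCAL\newuser' | Format-List
```

A principal with no rows in this report has no access, whatever roles exist; a row with WholeInventory set to True is the broadest grant and the one to review first.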



  • 13.  RE: add user in role using PowerCLI
    Best Answer

    Posted Dec 05, 2023 10:27 PM

    I do have a script that creates an SSO user in the default domain.
    Then it creates a permission on the vCenter root for that user with a specified Role.

    It requires that the VMware.vSphere.SsoAdmin module is installed.

    The script

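    #requires -Modules VMware.vSphere.SsoAdmin
    
    # SSO administrator account for the SSO Admin connection (password hard-coded in plain text here)
    # and the name of the existing role to assign
    $ssoUser = 'administrator'
    $ssoDomain = 'vsphere.local'
    $ssoPswd = 'VMware1!'
    $role = 'MyRole'
    
    # Prompt for the new user name, and twice for the password without echoing it
    $user = Read-Host -Prompt "New user"
    $pswd1 = Read-Host -Prompt "Password" -AsSecureString
    $pswd2 = Read-Host -Prompt "Confirm password" -AsSecureString
    
    # NetworkCredential exposes a SecureString as plain text through .Password, so the two
    # entries can be compared; the user name and domain arguments are placeholders
    $cred1 = New-Object System.Net.NetworkCredential("TestUsername", $pswd1, "TestDomain")
    $cred2 = New-Object System.Net.NetworkCredential("TestUsername", $pswd2, "TestDomain")
    
    
    # -cne compares case-sensitively; -ne would treat 'Secret' and 'secret' as the same password
    if ($cred1.Password -cne $cred2.Password) {
      Write-Host "Passwords do not match"
    } else {
      # Connect to the SSO Admin service of the currently connected vCenter
      $ssoServer = Connect-SsoAdminServer -Server $global:defaultviserver.name -User "$ssoUser@$ssoDomain" -Password $ssoPswd -SkipCertificateCheck
    
      if (Get-SsoPersonUser -Name $user -Domain $ssoDomain) {
        Write-Host "User already exists"
      } else {
        # Create the SSO user, then create the Permission: Role + user on the vCenter root folder
        $ssoUser = New-SsoPersonUser -UserName $user -Password $cred1.Password -Description "New user created via script"
        $root = Get-Folder -Name 'Datacenters'
        $role = Get-VIRole -Name $role
        $viUser = Get-VIAccount -User $ssoUser.Name -Domain $ssoUser.Domain
        $perm = New-VIPermission -Entity $root -Principal $viUser -Role $role
      }
    
      Disconnect-SsoAdminServer -Server $ssoServer
    }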
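
A variant of the script above that keeps the administrator password out of the file and leaves certificate validation on. This is an added example, not the answer author's code: the function name `New-SsoUserWithRole` and its parameters are hypothetical, the cmdlets are called the same way as in the script above, and it assumes an existing Connect-VIServer session and a vCenter certificate that this host trusts.

```powershell
#requires -Modules VMware.vSphere.SsoAdmin

function New-SsoUserWithRole {
  param(
    [Parameter(Mandatory)][string]$UserName,
    [Parameter(Mandatory)][string]$RoleName,
    # SSO administrator, e.g. administrator@vsphere.local, prompted for rather than stored
    [Parameter(Mandatory)][pscredential]$AdminCredential,
    [string]$SsoDomain = 'vsphere.local'
  )

  # Resolve the role first, so no user is created when the role name is wrong
  $role = Get-VIRole -Name $RoleName -ErrorAction Stop

  $pswd1 = Read-Host -Prompt 'Password' -AsSecureString
  $pswd2 = Read-Host -Prompt 'Confirm password' -AsSecureString
  $plain1 = [System.Net.NetworkCredential]::new('', $pswd1).Password
  $plain2 = [System.Net.NetworkCredential]::new('', $pswd2).Password
  # Case-sensitive comparison; -ne would accept 'Secret' against 'secret'
  if ($plain1 -cne $plain2) { throw 'Passwords do not match' }

  # No -SkipCertificateCheck: the connection fails if the certificate is not trusted
  $adminPlain = $AdminCredential.GetNetworkCredential().Password
  $sso = Connect-SsoAdminServer -Server $global:DefaultVIServer.Name `
    -User $AdminCredential.UserName -Password $adminPlain
  try {
    if (Get-SsoPersonUser -Name $UserName -Domain $SsoDomain) {
      throw "User $UserName already exists in $SsoDomain"
    }
    $newUser = New-SsoPersonUser -UserName $UserName -Password $plain1 `
      -Description 'New user created via script'
    $viUser = Get-VIAccount -User $newUser.Name -Domain $newUser.Domain
    # The Permission is what gives the user the role, here on the vCenter root folder
    New-VIPermission -Entity (Get-Folder -Name 'Datacenters') -Principal $viUser -Role $role
  }
  finally {
    # Always close the SSO Admin session, also when a step above throws
    Disconnect-SsoAdminServer -Server $sso
  }
}

# Usage:
# New-SsoUserWithRole -UserName 'newuser' -RoleName 'MyRole' -AdminCredential (Get-Credential)
```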
    

     



  • 14.  RE: add user in role using PowerCLI

    Posted Dec 07, 2023 02:19 PM

    LucD,

     

    Please help me find all the extension properties available for a VM or VMHost, like the options under extensiondata.guest and extensiondata.config. I know of only a few, like guest.toolsrunningstatus, guest.toolsversion.



  • 15.  RE: add user in role using PowerCLI

    Posted Dec 09, 2023 12:52 PM

    Hi  

    Thank you for your help.

    Would you please help me understand the two lines below?

    I'm not sure what the reason for cred is.

     

    $cred1 = New-Object System.Net.NetworkCredential("TestUsername", $pswd1, "TestDomain")
    $cred2 = New-Object System.Net.NetworkCredential("TestUsername", $pswd2, "TestDomain")

     



  • 16.  RE: add user in role using PowerCLI

    Posted Dec 09, 2023 12:58 PM

    They are there to be able to check that the passwords you entered are the same.



  • 17.  RE: add user in role using PowerCLI

    Posted Dec 09, 2023 01:02 PM

    Thank you very much. Then I will replace TestUsername & TestDomain with variables.

     



  • 18.  RE: add user in role using PowerCLI

    Posted Dec 09, 2023 01:06 PM

    I assumed you wanted to use the Read-Host, but yes, you can also store the values in variables.
    And then you don't have to do the comparison.



  • 19.  RE: add user in role using PowerCLI

    Posted Dec 10, 2023 12:39 PM

     
    Your help and assistance are always appreciated. Your help and assistance allow me to learn more and more. Thank you.