Automation

  • 1.  Change ESX Admins group permissions on one or more hosts

    Posted 14 days ago

    In light of the recent vulnerability listed here:

    Secure Default Settings for ESXi Active Directory integration

    I've written the code to cycle through all the hosts in the connected vCenter and modify the Advanced Settings; however, I need to write code to remove the ESX Admins group's Admin permissions on each host. Can someone steer me in the right direction on how to do this, please?



  • 2.  RE: Change ESX Admins group permissions on one or more hosts

    Posted 14 days ago

    If you mean the command

    esxcli system permission unset -i 'DOMAIN\esx^admins' --group


    you can do that command via the methods on the object returned by the Get-EsxCli cmdlet



    ------------------------------


    Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference


    ------------------------------



  • 3.  RE: Change ESX Admins group permissions on one or more hosts

    Posted 14 days ago

    I agree, I need to use Get-ESXCLI, but I'm not sure how to use it to remove the domain account "ESX Admins" from the Administrator role on the ESXi server.




  • 4.  RE: Change ESX Admins group permissions on one or more hosts

    Posted 14 days ago

    I don't think this is possible unless I SSH to the host via PowerCLI.




  • 5.  RE: Change ESX Admins group permissions on one or more hosts

    Posted 13 days ago

    With Get-Esxcli you don't need to SSH to the ESXi node.

    "I'm not sure how to use it to remove the domain account ..."
    Isn't the esxcli command that I posted earlier doing that?



    ------------------------------


    Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference


    ------------------------------



  • 6.  RE: Change ESX Admins group permissions on one or more hosts

    Posted 13 days ago
    Edited by JDMils_Interact 13 days ago

    Hey LucD, the command you mentioned is an ESXCLI command which is run on the ESXi host's command line CLI. I actually worked it out after painstakingly analysing any information I can find, so now I can use PowerCLI to remove the domain group "ESX Admins" from the Administrator role on the ESXi host. Here's how I managed it:

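    param(
        [Parameter(Mandatory=$True)]
        $VMHost = ""
    )
    
    # Get the V2 esxcli interface for the host (runs through vCenter, no SSH needed)
    $esxcli = Get-EsxCli -VMHost $VMHost -V2
    # Build the argument object for 'esxcli system permission unset'
    $ESXCLI_Args = $esxcli.system.permission.unset.CreateArgs()
    $ESXCLI_Args.group = $true                  # the id is a group, not a user
    $ESXCLI_Args.id = "myDomain\ESX Admins"
    # Remove the group's permission on the host
    $esxcli.system.permission.unset.invoke($ESXCLI_Args)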
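
Added example, not code from any poster in this thread: the single-host call above wrapped in a loop over every host in the connected vCenter, which is what the original question asks for. It reads each host's own permission list first, supports -WhatIf, and re-reads the list afterwards; the function name, the status values and the `Principal` property name (taken from the column heading of `esxcli system permission list`) are assumptions.

```powershell
# Added example. Assumes VMware PowerCLI is loaded and Connect-VIServer has been run.
function Remove-EsxAdGroupPermission {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Group principal, e.g. 'myDomain\ESX Admins' (placeholder from the thread).
        [Parameter(Mandatory = $true)]
        [string]$Principal,

        # Hosts to process; defaults to every reachable host in the connected vCenter.
        $VMHost = (Get-VMHost | Where-Object ConnectionState -in 'Connected', 'Maintenance')
    )

    # The thread spells the group both 'esx^admins' and 'ESX Admins', so compare
    # with '^' treated as a space (-eq on strings is case-insensitive).
    $wanted   = $Principal.Replace('^', ' ')
    $isTarget = { "$($_.Principal)".Replace('^', ' ') -eq $wanted }

    foreach ($h in $VMHost) {
        $status = 'NotPresent'
        try {
            $esxcli = Get-EsxCli -VMHost $h -V2
            # Equivalent of 'esxcli system permission list' on the host.
            $found = @($esxcli.system.permission.list.Invoke() | Where-Object $isTarget)

            foreach ($entry in $found) {
                $status = 'Skipped'   # stays 'Skipped' under -WhatIf or a declined prompt
                if ($PSCmdlet.ShouldProcess($h.Name, "Remove permission for '$($entry.Principal)'")) {
                    $unsetArgs = $esxcli.system.permission.unset.CreateArgs()
                    $unsetArgs.group = $true
                    $unsetArgs.id = $entry.Principal   # use the spelling the host reported
                    $null = $esxcli.system.permission.unset.Invoke($unsetArgs)
                    $status = 'Removed'
                }
            }
            if ($status -eq 'Removed') {
                # Re-read the list so the report reflects the host's actual state.
                $left = @($esxcli.system.permission.list.Invoke() | Where-Object $isTarget)
                if ($left.Count -gt 0) { $status = 'StillPresent' }
            }
        }
        catch {
            $status = "Error: $($_.Exception.Message)"
        }
        [pscustomobject]@{ VMHost = $h.Name; Principal = $Principal; Status = $status }
    }
}

# Dry run first, then the real change:
#   Remove-EsxAdGroupPermission -Principal 'myDomain\ESX Admins' -WhatIf
#   Remove-EsxAdGroupPermission -Principal 'myDomain\ESX Admins' -Confirm:$false
```

Any host that reports `StillPresent` or `Error` needs a manual look before the change is treated as complete.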




  • 7.  RE: Change ESX Admins group permissions on one or more hosts

    Posted 13 days ago

    Which is what I meant 



    ------------------------------


    Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference


    ------------------------------



  • 8.  RE: Change ESX Admins group permissions on one or more hosts

    Posted 13 days ago

    You should be able to do it via PowerShell. I modify these permissions via a command; that's my command, and I go through all hosts in vCenter:

    Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup | Set-AdvancedSetting -Value "DOMAIN\ESXAdmins"

    I'm pretty sure that you can leave the value empty and it will clear the group.



  • 9.  RE: Change ESX Admins group permissions on one or more hosts

    Posted 13 days ago

    That will not work when the ESXi node is already joined to the domain afaik.



    ------------------------------


    Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference


    ------------------------------