PowerCLI

  • 1.  Disable Active Directory authentication on ESXi & vCenter

    Posted Apr 24, 2020 08:05 AM

    Maybe this is a strange question, but I would like to know if there's a way to disable Active Directory authentication on ESXi & vCenter.



  • 2.  RE: Disable Active Directory authentication on ESXi & vCenter

    Posted Apr 24, 2020 08:27 AM

    For the ESXi nodes, the Set-VMHostAuthentication cmdlet also has a LeaveDomain switch.

    For the VCSA you will have to use the domainjoin-cli command via an SSH session.

    /opt/likewise/bin/domainjoin-cli leave [domain] [user name] [password]



  • 3.  RE: Disable Active Directory authentication on ESXi & vCenter

    Posted Apr 24, 2020 09:40 AM

    Thanks, that should be fine. Unfortunately, in my case I have a lot of ESXi nodes, so I guess a PowerCLI script can help with this, am I right?



  • 4.  RE: Disable Active Directory authentication on ESXi & vCenter

    Posted Apr 24, 2020 09:51 AM

    Yes, it's the same commands, just run them in a loop over all target ESXi nodes.



  • 5.  RE: Disable Active Directory authentication on ESXi & vCenter

    Posted Sep 08, 2020 11:43 AM

    In fact, vCenter and ESXi are not joined to AD, and when we run an audit this parameter appears as non-compliant:

    Status of the 'Active Directory for local user authentication' requirement on the ESXi host

    and to remediate I should use the command below

    Get-VMHost HOST1 | Get-VMHostAuthentication | Set-VMHostAuthentication -Domain [domain name] -User [username] -Password [password] -JoinDomain

    As we aren't using AD (we use another tool called CyberArk that allows us to connect to ESXi & vCenter), we need help to disable this. Is that possible?



  • 6.  RE: Disable Active Directory authentication on ESXi & vCenter

    Posted Sep 08, 2020 12:00 PM

    I'm afraid you lost me.

    So neither your VCSA nor ESXi are joined to an AD domain, but AD authentication is an Identity Source type under SSO?

    What do you see in the web client under Administration-Configuration-Identity Sources?

    Is AD in that list?



  • 7.  RE: Disable Active Directory authentication on ESXi & vCenter

    Posted Sep 08, 2020 12:07 PM

    Each time I have a discussion with you, you help me a lot :smileyhappy:

    Sorry to mislead you.

    I checked the identity source and the Name is set to domain :smileysad:

    Can I remove it?

    Is there any impact?



  • 8.  RE: Disable Active Directory authentication on ESXi & vCenter

    Posted Sep 08, 2020 01:02 PM

    There is potential impact when you have permissions assigned to AD users/groups as Principal.
    Another impact might be if you have used AD users/groups in other non-AD groups.

    You can collect all Permissions and check if there is any AD principal involved.

    The bad news is that there are currently no cmdlets, nor is there an API, to interact with SSO.



  • 9.  RE: Disable Active Directory authentication on ESXi & vCenter

    Posted Sep 08, 2020 01:06 PM

    So if I have understood correctly, the first step is that I need to collect all Permissions from all vCenters, then I can decide to remove the source entity or not, right?

    By the way, is there a script that can collect all permissions?



  • 10.  RE: Disable Active Directory authentication on ESXi & vCenter

    Posted Sep 08, 2020 01:12 PM

    Just do a Get-VIPermission
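
The check described in posts 8 to 10 (collect all permissions, then see whether any AD principal is involved), as an added example that is not from the thread's participants. The function name Find-DomainPermission and the domain name CORP are hypothetical, and the sample rows are constructed to mimic Get-VIPermission output so the filter can be tried without a vCenter connection.

```powershell
# Added example: Find-DomainPermission and the domain CORP are hypothetical names.
function Find-DomainPermission {
    [CmdletBinding()]
    param(
        # NetBIOS name of the AD domain behind the identity source (assumed value).
        [Parameter(Mandatory)] [string] $Domain,
        # Permission objects, e.g. the output of Get-VIPermission.
        [Parameter(Mandatory, ValueFromPipeline)] [object] $Permission
    )
    process {
        # Principals are reported as DOMAIN\name; compare only the domain part,
        # so a name such as CORPORATE\x does not match CORP.
        $parts = ([string]$Permission.Principal) -split '\\', 2
        if ($parts.Count -eq 2 -and $parts[0] -ieq $Domain) {
            [pscustomobject]@{
                Principal = $Permission.Principal
                IsGroup   = $Permission.IsGroup
                Role      = $Permission.Role
                Entity    = [string]$Permission.Entity
                Propagate = $Permission.Propagate
            }
        }
    }
}

# Constructed sample rows shaped like Get-VIPermission output (not real data).
$sample = @(
    [pscustomobject]@{ Principal = 'VSPHERE.LOCAL\Administrator'; IsGroup = $false
                       Role = 'Admin'; Entity = 'Datacenters'; Propagate = $true }
    [pscustomobject]@{ Principal = 'CORP\vSphere-Admins'; IsGroup = $true
                       Role = 'Admin'; Entity = 'Datacenters'; Propagate = $true }
    [pscustomobject]@{ Principal = 'corp\svc-backup'; IsGroup = $false
                       Role = 'ReadOnly'; Entity = 'Cluster01'; Propagate = $true }
    [pscustomobject]@{ Principal = 'CORPORATE\jdoe'; IsGroup = $false
                       Role = 'ReadOnly'; Entity = 'VM-Web01'; Propagate = $false }
)

$hits = @($sample | Find-DomainPermission -Domain 'CORP')
$hits | Sort-Object Principal, Entity | Format-Table -AutoSize
'{0} permission(s) reference CORP principals' -f $hits.Count

# Against a live vCenter, after Connect-VIServer:
#   Get-VIPermission | Find-DomainPermission -Domain 'CORP' |
#       Export-Csv .\ad-permissions.csv -NoTypeInformation
```

An empty result covers only the first impact named in post 8. AD users or groups placed inside non-AD groups do not appear in Get-VIPermission output and have to be checked separately.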