  • 1.  How to retrieve group membership from PowerCLI?

    Posted Apr 17, 2014 06:40 PM

    It seems like a pretty simple thing to look for, I just want an export saying Group A has these members, Group B has these members, etc.

    I haven't been able to figure it out, but I am just starting out with PowerCLI.

    I can get a list of all users or all groups easily enough with Get-VIAccount, but I don't know how to view the relationship between them.

    (edit) Just to clarify, this is without using any AD or LDAP. The local account database for vCenter.



  • 2.  RE: How to retrieve group membership from PowerCLI?

    Posted Apr 17, 2014 09:33 PM

    Are you referring to the local groups on the vCenter server?



  • 3.  RE: How to retrieve group membership from PowerCLI?

    Posted Apr 22, 2014 03:04 PM

    Yes, the local groups on the vCenter.



  • 4.  RE: How to retrieve group membership from PowerCLI?

    Posted Dec 28, 2018 04:38 PM

    I, too, have come to a dead end in my search for such a solution. Have you found a solution?

    I want to get a list of all the members of the various vsphere.local groups using PowerCLI.

    I can get the groups, but cannot figure out how to get the members.

    get-viaccount -Group  -domain vsphere.local | ft -a

    Help...!



  • 5.  RE: How to retrieve group membership from PowerCLI?

    Posted Dec 28, 2018 05:23 PM

    No public API for SSO I'm afraid, but you can call the dir-cli command via an SSH session to the VCSA.
    You will need to have the Posh-SSH module installed, and SSH on your VCSA needs to be enabled.

    You can do something like this:

    #requires -Modules posh-ssh

    # Sample values: account used for the SSH session, its password and the SSO domain
    $user = 'root'
    $pswd = 'VMware1!'
    $ssoDomain = 'vsphere.local'

    # Host name of the vCenter server PowerCLI is currently connected to
    $vcsaName = ([uri]$global:DefaultVIServer.ServiceUri).Host
    $pswdSec = ConvertTo-SecureString -String $pswd -AsPlainText -Force
    $cred = New-Object System.Management.Automation.PSCredential($User,$pswdSec)

    # Single-quoted template: $groupName and $pswd are expanded per group by ExpandString below
    $cmd = '/usr/lib/vmware-vmafd/bin/dir-cli group list --name $groupName --password $pswd'

    $ssh = New-SSHSession -ComputerName $vcsaName -Credential $cred -AcceptKey -KeepAliveInterval 5

    # For each SSO group, run dir-cli on the VCSA and emit one Group/User pair per output line
    Get-VIAccount -Group -Domain $ssoDomain |
    ForEach-Object -Process {
        $groupName = $_.Id
        $groupCmd = $ExecutionContext.InvokeCommand.ExpandString($cmd)
        $out = Invoke-SSHCommand -SessionId $ssh.SessionId -Command $groupCmd -TimeOut 30
        $out.Output.Split("`r") |
        Select @{N='Group';E={$groupName}},
            @{N='User';E={$_.Split(',')[0] -replace 'CN=',''}}
    }

    # Close the SSH session when done
    Remove-SSHSession -SessionId $ssh.SessionId | Out-Null



  • 6.  RE: How to retrieve group membership from PowerCLI?

    Posted Feb 21, 2019 03:52 PM

    Hi Luc

    With the current PowerCLI version, is it possible now?

    Unfortunately I'm running vSphere 6.0 with Windows vCenter Server...



  • 7.  RE: How to retrieve group membership from PowerCLI?

    Posted Feb 21, 2019 05:25 PM

    I'm afraid not.



  • 8.  RE: How to retrieve group membership from PowerCLI?

    Posted Feb 22, 2019 08:40 AM

    VMware has to work on it ;-)
    Thank you



  • 9.  RE: How to retrieve group membership from PowerCLI?

    Posted Feb 22, 2019 10:07 AM

    The basic issue is that there is no public API.



  • 10.  RE: How to retrieve group membership from PowerCLI?

    Posted May 10, 2019 12:35 AM

    Is there any way to remove stale AD users from a local group? Long story short, I had to rejoin an appliance to AD and discovered this...

    root@server [ /opt/likewise/bin ]# /usr/lib/vmware-vmafd/bin/dir-cli group list --name 'Administrators'
    Enter password for administrator@vsphere.local:
    cn=Administrator,cn=Users,dc=vsphere,dc=local
    CN=machine-eff691c0-6076-430f-9767-a187a117e387,CN=ServicePrincipals,DC=vsphere,DC=local
    CN=vsphere-webclient-eff691c0-6076-430f-9767-a187a117e387,CN=ServicePrincipals,DC=vsphere,DC=local
    externalObjectId=S-1-5-21-1271409858-1095883707-2794662393-94424866
    externalObjectId=S-1-5-21-1271409858-1095883707-2794662393-1094482
    externalObjectId=S-1-5-21-1271409858-1095883707-2794662393-5099061
    externalObjectId=S-1-5-21-1271409858-1095883707-2794662393-91825835
    externalObjectId=S-1-5-21-1271409858-1095883707-2794662393-26371790
    externalObjectId=S-1-5-21-1271409858-1095883707-2794662393-556046
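
For an access review of the output above, the parsing step of the earlier script can classify each `dir-cli group list` line instead of only stripping `CN=`. This is an added example, not code from any poster in this thread; the helper names, the sample lines and the placeholder GUID and SID are assumptions, and SID resolution assumes a Windows host that can reach the AD domain.

```powershell
# Added example, not from the thread. Sample lines are constructed to match the
# shapes dir-cli printed above; the GUID and SID are placeholders.
$sample = @(
    'cn=Administrator,cn=Users,dc=vsphere,dc=local'
    'CN=machine-00000000-0000-0000-0000-000000000000,CN=ServicePrincipals,DC=vsphere,DC=local'
    'externalObjectId=S-1-5-21-1111111111-2222222222-3333333333-1001'
    ''
)

function ConvertFrom-DirCliGroupList {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Group,
        [AllowEmptyCollection()][AllowEmptyString()][string[]]$Line
    )
    foreach ($raw in $Line) {
        $text = "$raw".Trim()
        if (-not $text) { continue }                       # blank or trailing line
        # Default: keep unexpected lines (prompts, errors) visible for review
        $kind = 'Unparsed'; $member = $text; $resolved = $null
        if ($text -match '^externalObjectId=(?<sid>S-\d+(-\d+)+)$') {
            # Member from an external identity source, stored only by SID
            $kind = 'External'; $member = $Matches['sid']
            $resolved = Resolve-SidName -Sid $member
        }
        elseif ($text -match '^CN=(?<cn>[^,]+),CN=(?<ou>[^,]+),') {
            # Object inside the SSO domain; the second RDN is its container
            $member = $Matches['cn']
            $kind = if ($Matches['ou'] -eq 'ServicePrincipals') { 'ServicePrincipal' } else { 'SsoAccount' }
        }
        [pscustomobject]@{ Group = $Group; Kind = $kind; Member = $member; ResolvedName = $resolved }
    }
}

function Resolve-SidName {               # hypothetical helper name
    param([Parameter(Mandatory)][string]$Sid)
    try {
        # Assumes a Windows host that can reach the domain the SID belongs to
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $id.Translate([System.Security.Principal.NTAccount]).Value
    }
    catch { '<unresolved>' }             # no name mapping found: review this member
}

ConvertFrom-DirCliGroupList -Group 'Administrators' -Line $sample | Format-Table -AutoSize
```

Rows of kind `External` whose `ResolvedName` is `<unresolved>` are the entries to check by hand, since the lookup can fail either because the account no longer exists or because the domain could not be reached.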



  • 11.  RE: How to retrieve group membership from PowerCLI?

    Posted May 10, 2019 06:27 AM

    I'm afraid not (afaik).
    The dir-cli command only seems to allow adding users to a group.



  • 12.  RE: How to retrieve group membership from PowerCLI?

    Posted May 10, 2019 11:55 AM

    I have a date with support today when I get onsite so I will get to find out a method today. Hope all is well, Luc!

    Cheers!


