PowerCLI

  • 1.  PowerCLI - login with local vCenter account?

    Posted Nov 02, 2021 04:35 PM

    Hi,

    I want to be able to log in to vCenter via PowerCLI and shut down VMs, even if no DC is available.

    So I created a local user named scriptaccess on VMware vCenter Server 7.0.3.00100.

    Command> localaccounts.user.list
    Config:

    ....
    4:
    Username: scriptaccess
    Role: admin
    Fullname: scriptaccess
    Status: enabled
    Passwordstatus: valid
    Email: ''

    I tried operator and admin role for this local user, but I was not able to connect to vCenter:

    X:> Connect-VIServer -Server vCenter.example.com -user scriptaccess

    Connect-VIServer Permission to perform this operation was denied. Required
    privilege 'System.View' on managed object with id 'Folder-group-d1'.
    In Zeile:1 Zeichen:1
    + Connect-VIServer -Server vCenter.example.com -user scriptaccess
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Connect-VIServer], NoPermission
    + FullyQualifiedErrorId : Client20_ConnectivityServiceImpl_Reconnect_SoapException,VMware.VimAutomation.ViCore.Cmd
    lets.Commands.ConnectVIServer


    I am surprised that an operator or admin role does not have the 'System.View' privilege.

    Does anyone know how to give that privilege to the newly created local vCenter user?




  • 2.  RE: PowerCLI - login with local vCenter account?

    Posted Nov 02, 2021 05:35 PM

    What's your default authentication source? vsphere.local or an AD domain? If it's AD, you will need to use a fully qualified user account, e.g. scriptaccess@vsphere.local, otherwise it will be attempting to use scriptaccess@ADdomainname.



  • 3.  RE: PowerCLI - login with local vCenter account?

    Posted Nov 02, 2021 05:40 PM

    I want to use both: PowerShell login with AD users for normal work (this works already) and
    PowerShell login with a local vCenter user in case the DCs are not reachable (downtime, disaster, etc.).
    I will try logging in with scriptaccess@vsphere.local tomorrow.




  • 4.  RE: PowerCLI - login with local vCenter account?
    Best Answer

    Posted Nov 03, 2021 09:10 AM

    I found the solution: I just had to wait a few minutes after creating the user account in the shell and adding the account to vCenter.
    It seems to take a while until login via PowerCLI works.

    For local accounts I have to use this format (just the username)

    PS X:> Connect-VIServer -Server 192.168.XXX -User scriptaccess

    Name Port User
    ---- ---- ----
    192.168.XXX 443 scriptaccess

    username@vsphere.local didn't work.

     

    For AD accounts I have to use this format (domain\username or user@domain.tld)

    PS X:> Connect-VIServer -Server 192.168.XXX -User domain\user

    Name Port User
    ---- ---- ----
    192.168.XXX 443 DOMAIN\user



  • 5.  RE: PowerCLI - login with local vCenter account?

    Posted Nov 03, 2021 09:06 AM

    You can use the Get-VIPrivilege cmdlet to check which privileges a specific role has.
    The built-in roles normally have that System.View privilege.

    Since the error mentions Folder-group-d1, which is the hidden Datacenters folder, it looks as if there is a missing permission on the vCenter root for that specific user.

    To run through the vCenter hierarchy your account needs at least System.View, System.Read, and System.Anonymous on the vCenter root. These are in fact the (only) privileges in the Read Only role.
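
The check described in the last reply, as an added example that is not part of the original thread: it reads the permissions set directly on the vCenter root folder for one account and reports which of the three privileges its role lacks. It assumes a single vCenter session already connected with an account that can read roles and permissions; the function name Test-RootAccess is hypothetical, and matching the principal by the trailing user name is an assumption about how the local account is displayed.

```powershell
# Added example, not code from the thread. Requires VMware PowerCLI and an
# existing Connect-VIServer session to one vCenter.
function Test-RootAccess {
    param(
        [Parameter(Mandatory)] [string]   $UserName,
        # Privileges named in the reply as needed on the vCenter root
        [string[]] $Required = @('System.View', 'System.Read', 'System.Anonymous')
    )

    # The hidden root "Datacenters" folder (Folder-group-d1 in the error message)
    $root = Get-Folder -NoRecursion

    # Permissions assigned directly to this user on the root.
    # Assumption: the principal string ends with the bare user name.
    # Permissions inherited through group membership are not evaluated here.
    $perms = Get-VIPermission -Entity $root |
        Where-Object { -not $_.IsGroup -and $_.Principal -like "*$UserName" }

    if (-not $perms) {
        # No permission on the root at all: every required privilege is missing
        return [pscustomobject]@{
            User = $UserName; Role = $null; Propagate = $null; Missing = $Required
        }
    }

    foreach ($p in $perms) {
        # Privilege ids contained in the role bound to this permission
        $have = (Get-VIPrivilege -Role (Get-VIRole -Name $p.Role)).Id
        [pscustomobject]@{
            User      = $p.Principal
            Role      = $p.Role
            Propagate = $p.Propagate   # must be True for access to objects below the root
            Missing   = @($Required | Where-Object { $_ -notin $have })
        }
    }
}

# 'scriptaccess' is the account name used in the thread
Test-RootAccess -UserName 'scriptaccess' | Format-List
```

An empty Missing list together with Propagate set to True means the account can traverse the hierarchy; for an emergency account, compare the reported role against what the account actually needs to do before assigning anything broader.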