PowerCLI

What I am looking for is a PowerCLI script to create a role within vCenter. I found this post, and I am wondering if it can be adapted to my needs. What I need specifically is a script to create a role with the following set of privileges:

System.Anonymous

System.View

System.Read

Global.SetCustomField

Datastore.AllocateSpace

Network.Assign

VirtualMachine.Inventory.Create

VirtualMachine.Interact.PowerOn

VirtualMachine.Interact.DeviceConnection

VirtualMachine.Interact.SetCDMedia

VirtualMachine.Interact.GuestControl

VirtualMachine.Config.AddNewDisk

VirtualMachine.Config.CPUCount

VirtualMachine.Config.Memory

VirtualMachine.Config.AddRemoveDevice

VirtualMachine.Config.Resource

VirtualMachine.Config.DiskExtend

Resource.AssignVMToPool

VApp.Import

StoragePod.Config

Can this be accomplished with a PowerCLI script?

Would this be better for my needs?

$privs_for_role=@(

'System.Anonymous',

'System.View',

'System.Read')

New-VIRole-Namecustom_role1 -Privilege(Get-VIPrivilege-id$privs_for_role)

You will need to find the privileges you require (use Get-VIPrivilege) , then use the correct name of each privilege and create a new role (as the code you listed above).

Thank you for the reply LucD. I used the Get-VIPrivilege -PrivilegeItem command to output all of the available privileges, and will use that to create the script.

I am also looking at how to add the role. I would like to add it to top level "Datacenters" folder. Let me know how this looks:

$privs_for_role=@(

'System.Anonymous',

'System.View',

'System.Read')

New-VIRole-Name mycustomrole -Privilege(Get-VIPrivilege-id$privs_for_role)

$rootFolder = Get-Folder -NoRecursion

$myPermissions = New-VIPermission -Entity $rootFolder -Principal "domain\user" -Role mycustomrole -Propogate:$true

You can get the root folder like this

Get-Folder -Name Datacenters

The rest of your script looks ok.

Cool, thank you again LucD. I'll give it a shot and let you know how it goes.

Hey LucD, I am having a few issues with the script. When I use "Administrators" as the Principal, the script runs perfectly. The role is created and access is granted to the Administrators group. However, when I add a domain user and/or group as the Principal, the script fails. I see messages like:

New-VIPermission Could not find VIAccount with name "Domain\Group"

New VIPermission Value cannot be found for the mandatory parameter Principal

I am accessing vCenter with a domain account that has full privileges. Is there something else I need in the script? Thank you again.

I modified the script some, but am still unable to get my desired result. I have added:

$principal = Get-VIAccount -Domain "DOMAIN" -User "username"

$myPermissions = New-VIPermission -Entity $rootfolder -Principal $principal -Role mycustomrole -Propagate:$true

This DOES work for one particular username.However, when I run Get-VIAccount using the -Group -Id switches, it does NOT find my desired group. Am I heading in the right direction?

You did configure the ESXi server(s) to use Active Directory as the authentication service ?

Do a Get-VMHostAuthentication.

I do get my domain groups, see this example from my test environment

Thank you again for the reply LucD. I did verify that all our hosts are using AD for authentication. I ran the command you listed, and noticed the group listing stopped in the C's. I piped it out to a text file and this time it stops in the H's.

Now before I go any further, I want to say that we do have a very large AD environment. When I run the Get-VIAccount query, the ending groups (C and H) are both in the same OU. The group that I'm trying to add is a few OU's down, and the query looks like it's going by OU. To test, I renamed my group to AAA_TestGroup, which should be at the top of the A's. Unfortunately the group is not returned in the query.

I also checked the AD settings for vCenter, and verified the query limit is set to 5000. Are there just too many groups in my environment for this to work?

Can you get a result when you specify the name of the group ?

Get-VIAccount -Domain "DOMAIN" -Name TestGroup -Group

When I run this command:

Get-VIAccount -Domain "DOMAIN" -Group

I see multiple groups displayed. One of the groups is called "CDUSERS". So I run the following:

Get-VIAccount -Domain "DOMAIN" -Name CDUSERS -Group

I get an output saying:

Parameter set cannot be resolved using the specified name parameters.

Get-VIAccount <<<< -Domain "DOMAIN" -Name CDUSERS -Group

Since this was found with the initial domain group query, shouldn't this be found with -Name?

My bad, you can't have the Domain parameter and the Name parameter together, they are not in the same parameterset.

Try it like this

Get-VIAccount -Group -Name "DOMAIN\CDUSERS"

That worked! It successfully returned the CDUSERS group.

When I try the same thing with the group I need though (AAA_TestGroup), I don't get anything. Not even an error this time. Is my AD environment not going to allow me to specify a domain group for the Principal?

You can also use meta characters in there.

Does

Get-VIAccount -Group -Name "DOMAIN\AAA_*"

return anything ?

Is there perhaps a difference in the group's 'Pre Windows 2000' name and it's AD name ?

Can you perhaps show the properties of that group ?

The frustrations continue... Running the command with the meta characters still produces no output. I also verified that the Group name, and the Pre-Windows 2000 name's are identical.

As far as the properties of the group go, there is nothing special. It's a Domain Local Security group, with no members, and is not a member of any other group.

So, some groups work, other don't.

Is that correct ?

That's correct. It seems like groups in OU's closer to the root of the domain work. Groups lower (such as the one I need) do not.

And just an update.. I spoke with our App guys, and they are okay in using a local group on the vCenter server as the Principal. They plan on nesting their domain group within this local group to provide access.

At this point it's one of those things where I just want to know why it doesn't work!

Does this (old) workaround for a similar problem work ?

See The bug in New-VIPermission and how to deal with it.

Am I doing this right? I copied the script and saved it as CreateVIAccount.ps1. While connected to my vCenter server, I ran ". .\CreateVIAccount.ps1". It gives me a security warning, which I accept. Then I run:

$account = New-VIAccount "Domain\User"

Which outputs:

You cannot call a method on a null-valued expression.

CreateVIAccount.ps1

:9 char:26

+     $client = $method.Invoke <<<< ($global:DefaultVIServer, $null)

    + CategoryInfo          : InvalidOperation: (Invoke:String) [], RuntimeException

    + FullyQualifiedErrorId : InvokeMethodOnNull

New-Object : Constructor not found. Cannot find an appropriate constructor for

type VMware.VimAutomation.Client20.PermissionManagement.VCUserAccountImpl.

At CreateVIAccount.ps1

:11 char:14

+         (New-Object <<<<  VMware.VimAutomation.Client20.PermissionManagement.

VCUserAccountImpl `

    + CategoryInfo          : ObjectNotFound: (:) [New-Object], PSArgumentException

    + FullyQualifiedErrorId : CannotFindAppropriateCtor,Microsoft.PowerShell.Commands.NewObjectCommand

Did you dot-source the .ps1 file ?

Otherwise the function defined in that .ps1 file is not known.

Do

. ./CreateVIAccount.ps

Yes, there is a blank between the 2 dots.

You can check that function is loaded by doing

Get-Command -Name New-VIAccount

That actually works fine:

PowerCLI C:\ESXi Scripts> Get-Command -Name New-VIAccount

CommandType                    Name                            Definition

-----------                              ----                                  ----------

Function                             New-VIAccount               param($principal)...

I guess I am just out of luck with the one huh? :smileyhappy: