Adding users + roles with powershell

So you can easily add users with the useradd command we talked about. But there’s still a problem: you can’t add user roles to the user you’re creating. You still need the VirtualCenter client to do that. My colleague Horst Mundt read my post and was so kind as to email me a PowerShell script he created that can add roles to specific users or groups for you:

$VCimpl = Get-VIServer -Server 192.168.116.201 -User root -Password <...>
# Note: Server is an ESX host, not VC
# Force load
[Reflection.Assembly]::LoadWithPartialName("vmware.vim")

# Edit hostname below
$hostname = "esx302.hm.local" 

# The name of the role to be assigned
$roleLabel="Read-Only"
#$roleLabel="Administrator"

# The name of the principal (user or group) that the role is assigned to
$principal="GroupX"

# Set to $false if the principal is a user, not a group
$principalIsGroup = $true

$propagateToSubEntities = $true

$svcRef = new-object VMware.Vim.ManagedObjectReference
$svcRef.Type = "ServiceInstance"
$svcRef.Value = "ServiceInstance"
$serviceInstance = get-view $svcRef

$authMgr = Get-View $serviceInstance.Content.AuthorizationManager
$hahost = Get-View (Get-VMhost -Name $hostname).ID
$compResource = $hahost.Parent
$oldperms = $authMgr.retrieveEntityPermissions($hahost.MoRef, $true)
$roles = $authMgr.roleList
$roleid = 0
$found = $false
for ($i = 0 ; $i -lt $roles.Length ; $i++)
{
      $role=$roles[$i]
      if ($role.Info.Label -eq $roleLabel)
      {
            $roleid = $role.RoleId
            $found = $true
      }
}
if ( $found -eq $false )
{
      echo ("Role not found: " + $roleLabel )
      exit 1
}

$permission = New-Object Vmware.Vim.Permission
$permission.group = $principalIsGroup
$permission.principal = $principal
$permission.propagate = $propagateToSubEntities
$permission.roleID = $roleid
$authmgr.SetEntityPermissions($compResource, @($permission))

The script has been tested on ESX 3.0.2. I did not have the opportunity to test it myself by the way… So if anyone can test it against ESX 3.5, let us know what the results are!
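To review what a role assignment like the one above actually grants, the permissions on an entity can be joined to role labels and checked for propagating high-privilege entries. This is an added example, not part of Horst Mundt's script; the function name `Resolve-PermissionRoles`, the `Review` flag, the `$HighPrivilegeLabels` parameter and the sample objects are assumptions made for illustration.

```powershell
# Added example: map each permission's RoleId to its role label for review.
function Resolve-PermissionRoles {
    param(
        [object[]] $Permissions = @(),                        # e.g. from RetrieveEntityPermissions
        [object[]] $Roles = @(),                              # e.g. from $authMgr.RoleList
        [string[]] $HighPrivilegeLabels = @("Administrator")  # assumption: labels worth flagging
    )

    # Index the roles by id once instead of looping over them per permission.
    $labelById = @{}
    foreach ($role in $Roles) { $labelById[[int]$role.RoleId] = $role.Info.Label }

    foreach ($perm in $Permissions) {
        $label = $labelById[[int]$perm.RoleId]
        if ($null -eq $label) { $label = "<unknown role id $($perm.RoleId)>" }

        [pscustomobject]@{
            Principal = $perm.Principal
            IsGroup   = [bool]$perm.Group
            Role      = $label
            Propagate = [bool]$perm.Propagate
            # Flag high-privilege roles that also propagate to sub-entities.
            Review    = ($HighPrivilegeLabels -contains $label) -and [bool]$perm.Propagate
        }
    }
}

# Constructed sample data standing in for live API results (role ids are made up).
$sampleRoles = @(
    [pscustomobject]@{ RoleId = 1; Info = [pscustomobject]@{ Label = "Administrator" } },
    [pscustomobject]@{ RoleId = 2; Info = [pscustomobject]@{ Label = "Read-Only" } }
)
$samplePerms = @(
    [pscustomobject]@{ Principal = "GroupX"; Group = $true;  RoleId = 2; Propagate = $true },
    [pscustomobject]@{ Principal = "root";   Group = $false; RoleId = 1; Propagate = $true },
    [pscustomobject]@{ Principal = "olduser"; Group = $false; RoleId = 9; Propagate = $false }
)

Resolve-PermissionRoles -Permissions $samplePerms -Roles $sampleRoles | Format-Table -AutoSize

# Against a live connection, using the variables from the script above:
# Resolve-PermissionRoles -Permissions ($authMgr.RetrieveEntityPermissions($compResource, $true)) -Roles $authMgr.RoleList
```

Running it before and after the `SetEntityPermissions` call shows exactly which principal gained which role on the entity.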





2 Responses to “Adding users + roles with powershell”

  1. LucD says:

    A bit more than a month ago there was a thread on this subject in the VMware VI Toolkit community. See http://communities-origin.vmware.com/message/1052259#1052259.

    In the thread several aspects of the “roles” and “permissions” are discussed.
    The scripts I posted there were all tested on VC 2.5/ESX 3.5.

  2. More Q…

    In an effort to keep up the momentum of posting questions posed in class and answers provided, here is a listing from this week’s Fast Track: Q:  In setting up Microsoft NLB (Network Load Balancing), do Distributed Switches function any differently t…
