This script was created when I needed to add some local accounts on ESXi hosts for compliance. Doing it by hand on every host would have taken time, so I only prepared the first host manually. The script reads the users, roles and permissions from that source host and creates them on the target host. It is possible to enumerate the other hosts and apply the configuration to each of them, but I ran it host by host to catch errors one by …
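#Requires -Version 3.0
# Replicates the custom roles, local accounts and permissions of one ESXi host
# ($Source) onto another ($Target) with PowerCLI.
#
# Security notes for whoever runs this:
#  - No credential is stored in the script. The root credential is prompted
#    for once (it is used on both hosts, as in the original workflow) and every
#    replicated local account gets its own password prompt instead of one
#    shared password for all of them.
#  - Privileges that exist on the source but not on the target are reported,
#    never silently dropped, so a role on the target cannot drift from the
#    source without a trace in the output.
#  - Every source permission is re-applied at the target host entity (the
#    original script did the same) and the Propagate flag of the source grant
#    is carried over. The source entity is echoed with -Verbose so a grant that
#    was scoped below host level on the source can be spotted before it is
#    widened to the whole host.
#  - Certificate validation is left to the PowerCLI configuration; prefer
#    trusting the hosts' certificates over a global InvalidCertificateAction
#    of Ignore.

# Hosts
$Source = "Source ESXi Server IP address/Hostname"
$Target = "Target ESXi Server IP address/Hostname"

# Creds (prompted at runtime, nothing in clear text on disk)
$root = "root"
$rootCredential = Get-Credential -UserName $root -Message "root password for $Source and $Target"
$admin = "administrator@vsphere.local" # Not used here. Prompt for its password when enumerating all hosts through vCenter.

# Principals present on every ESXi host; they are never copied.
$builtinAccounts = @('root', 'dcui', 'vpxuser')

# The accounts below already exist on $Source. Left for context only; the
# script discovers accounts itself and each one gets its own password.
$esxAdmin = "esxAdmin" # This local user will have all privileges except Virtual Machine.
$vmAdmin = "vmAdmin"   # This local user will have only Virtual machine privileges.

function Get-SourceConfig {
    <#
    .SYNOPSIS
    Reads custom roles, local accounts and their permissions from an ESXi host.
    .PARAMETER Server
    Hostname or IP of the source host.
    .PARAMETER Credential
    Credential used for Connect-VIServer.
    .OUTPUTS
    Hashtable with Roles (role name -> list of privilege ids), Users and Permissions.
    #>
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $conn = Connect-VIServer -Server $Server -Credential $Credential -ErrorAction Stop
    try {
        $roles = @{}
        # PrivilegeList already holds the privilege ids, so they are captured
        # here instead of querying the role object after its server is
        # disconnected (the original called Get-VIPrivilege -Role after
        # Disconnect-VIServer $Source).
        Get-VIRole -Server $conn | Where-Object { -not $_.IsSystem } | ForEach-Object {
            $roles[$_.Name] = @($_.PrivilegeList)
        }
        $users = @(Get-VIAccount -Server $conn | Where-Object { $_.Name -notin $builtinAccounts })
        $permissions = @(Get-VIPermission -Server $conn | Where-Object { $_.Principal -notin $builtinAccounts })
        return @{ Roles = $roles; Users = $users; Permissions = $permissions }
    }
    finally {
        Disconnect-VIServer -Server $conn -Confirm:$false
    }
}

function Add-TargetRoles {
    <#
    .SYNOPSIS
    Creates each source role on the target with the privileges the target knows.
    .PARAMETER Server
    Connected VIServer object for the target host.
    .PARAMETER Roles
    Hashtable of role name -> privilege id list, as returned by Get-SourceConfig.
    #>
    param(
        [Parameter(Mandatory)]$Server,
        [Parameter(Mandatory)][hashtable]$Roles
    )
    # Loop-invariant: the target's whole privilege catalogue, fetched once.
    $targetPrivileges = @(Get-VIPrivilege -Server $Server)
    foreach ($roleName in $Roles.Keys) {
        if (Get-VIRole -Server $Server -Name $roleName -ErrorAction SilentlyContinue) {
            Write-Warning "Role '$roleName' already exists on $($Server.Name); left untouched."
            continue
        }
        $wanted = @($Roles[$roleName])
        $privileges = @($targetPrivileges | Where-Object { $_.Id -in $wanted })
        $missing = @($wanted | Where-Object { $_ -notin @($privileges | ForEach-Object { $_.Id }) })
        if ($missing.Count -gt 0) {
            # Fail closed: the role is created with fewer rights, but say so.
            Write-Warning "Role '$roleName': privileges unknown on target and skipped: $($missing -join ', ')"
        }
        $params = @{ Server = $Server; Name = $roleName; Confirm = $false; ErrorAction = 'Stop' }
        if ($privileges.Count -gt 0) { $params.Privilege = $privileges }
        New-VIRole @params | Out-Null
    }
}

function Add-TargetAccounts {
    <#
    .SYNOPSIS
    Creates the local accounts on the target through esxcli (there is no cmdlet for it).
    .PARAMETER Server
    Connected VIServer object for the target host.
    .PARAMETER VMHost
    VMHost object of the target, passed to Get-EsxCli.
    .PARAMETER Users
    Account objects collected from the source.
    #>
    param(
        [Parameter(Mandatory)]$Server,
        [Parameter(Mandatory)]$VMHost,
        [Parameter(Mandatory)][AllowEmptyCollection()][array]$Users
    )
    $esxcli = Get-EsxCli -Server $Server -VMHost $VMHost -V2
    foreach ($user in $Users) {
        if (Get-VIAccount -Server $Server -Id $user.Id -ErrorAction SilentlyContinue) {
            Write-Warning "Account '$($user.Id)' already exists on $($Server.Name); left untouched."
            continue
        }
        # One password per account. esxcli needs it in clear text, so it lives
        # in a local that is cleared at the end of the iteration.
        $cred = Get-Credential -UserName $user.Id -Message "Password for new local account '$($user.Id)' on $($Server.Name)"
        $plain = $cred.GetNetworkCredential().Password
        $accountArgs = $esxcli.system.account.add.CreateArgs()
        $accountArgs.id = $user.Id
        $accountArgs.description = $user.Description
        $accountArgs.password = $plain
        $accountArgs.passwordconfirmation = $plain
        $esxcli.system.account.add.Invoke($accountArgs) | Out-Null
        $plain = $null
        $accountArgs = $null
    }
}

function Add-TargetPermissions {
    <#
    .SYNOPSIS
    Re-creates each source permission on the target host entity.
    .PARAMETER Server
    Connected VIServer object for the target host.
    .PARAMETER Entity
    Inventory object the permissions are applied to (the target VMHost).
    .PARAMETER Permissions
    Permission objects collected from the source.
    #>
    param(
        [Parameter(Mandatory)]$Server,
        [Parameter(Mandatory)]$Entity,
        [Parameter(Mandatory)][AllowEmptyCollection()][array]$Permissions
    )
    foreach ($permission in $Permissions) {
        # IsGroup comes from Get-VIPermission; groups are looked up with -Group.
        $principal = if ($permission.IsGroup) {
            Get-VIAccount -Server $Server -Group -Id $permission.Principal -ErrorAction Stop
        } else {
            Get-VIAccount -Server $Server -Id $permission.Principal -ErrorAction Stop
        }
        $role = Get-VIRole -Server $Server -Name $permission.Role -ErrorAction Stop
        # The grant is applied at host level regardless of where it sat on the
        # source; the source entity is echoed so narrower grants stand out.
        Write-Verbose "Granting '$($permission.Role)' to '$($permission.Principal)' on $($Entity.Name) (source entity: $($permission.Entity.Name), Propagate=$($permission.Propagate))"
        New-VIPermission -Server $Server -Entity $Entity -Principal $principal -Role $role -Propagate:$permission.Propagate -ErrorAction Stop | Out-Null
    }
}

# Tasks
# Collect information from Source. Source is already done manually, so only
# its config is copied.
$config = Get-SourceConfig -Server $Source -Credential $rootCredential

# Apply it to Target; the session is closed on any exit path.
$targetConn = Connect-VIServer -Server $Target -Credential $rootCredential -ErrorAction Stop
try {
    # A standalone ESXi connection exposes exactly one VMHost.
    $targetHost = Get-VMHost -Server $targetConn -ErrorAction Stop | Select-Object -First 1
    Add-TargetRoles -Server $targetConn -Roles $config.Roles
    Add-TargetAccounts -Server $targetConn -VMHost $targetHost -Users $config.Users
    Add-TargetPermissions -Server $targetConn -Entity $targetHost -Permissions $config.Permissions
}
finally {
    Disconnect-VIServer -Server $targetConn -Confirm:$false
}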
This script needs functions and exception handling.