This time, I just wanted to troubleshoot an issue with a script that is supposed to set permissions on vCenter.
The initial idea was to set permissions at the vCenter level and propagate them to the child objects.
Note that in order to use this script you will need to know the NetBIOS name of your domain. Because someone asked me: no, you cannot guess the NetBIOS name of an Active Directory domain just by looking at its full name. A system administrator should help you.
I wrote this :
# Start from a clean console (Clear-Host is the cmdlet behind the 'clear' alias).
Clear-Host
#region Functions
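#######################################
# Bind a vCenter role to an AD group at the inventory root folder and
# propagate it to every child object.
# Arguments:
#   ADDomain - NetBIOS domain name; accepted for the caller's signature but
#              not used here, since $ADGroup is already a resolved VIAccount
#   ADGroup  - principal object returned by Get-VIAccount
#   Role     - name of an existing vCenter role
# Outputs:   the created VIPermission on success, a red error line on failure
#######################################
function AssignPermissionToGroup()
{
    param(
        [parameter(mandatory=$true)]$ADDomain,
        [parameter(mandatory=$true)]$ADGroup,
        [parameter(mandatory=$true)]$Role
    )
    try
    {
        # -ErrorAction Stop turns the cmdlets' non-terminating errors into
        # exceptions; without it a failed lookup or assignment never reaches
        # the catch block and the script silently carries on.
        $rootFolder = get-folder -norecursion -ErrorAction Stop
        write-host "Adding $ADgroup to vCenter role $Role at the $rootFolder level"
        # Propagation from the root folder grants $Role on the entire inventory,
        # so the caller should pass the least-privileged role that fits.
        new-viPermission -entity $rootFolder -principal $ADGroup -role $Role -propagate:$true -ErrorAction Stop
    }
    catch
    {
        # The original read $_.excception (typo), which always expanded to nothing.
        write-host ("Failed to add $ADgroup to vCenter role $Role. Error: `n" + $_.Exception.Message) -ForegroundColor red
    }
}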
#######################################
# Print one status line in a colour chosen by $type; "debug" lines also get
# a "=> DEBUG : " prefix. $message may be omitted, which prints an empty line.
# Arguments:
#   type    - one of info, error, quit, debug (case-insensitive)
#   message - text to print (optional)
#######################################
function Display()
{
    param(
        [parameter(mandatory=$true)][validateSet("info","error","quit","debug")]$type,
        [parameter(mandatory=$false)]$message
    )
    # Hashtable keys are case-insensitive, matching the original switch's behaviour.
    $colorByType = @{
        info  = 'Darkcyan'
        error = 'red'
        debug = 'yellow'
        quit  = 'DarkYellow'
    }
    $text = $message
    if ($type -eq "debug")
    {
        $text = "=> DEBUG : $message"
    }
    write-host $text -ForegroundColor $colorByType[$type]
}
#endregion
#region MAIN
#UNCOMMENT THE FOLLOWING SECTION IF YOU ARE NOT ALREADY CONNECTED TO YOUR VCENTER INSTANCE !
<#
$vcenter = read-host “Please enter the FQDN of the vCenter you want to connect to”
write-host “vc” $vcenter -ForegroundColor cyan
Connect-VIServer $vcenter
#>
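# Interactive loop: resolve an AD group through vCenter's identity source,
# list the available roles, and bind the chosen role to the group at the
# root folder (propagated). Assumes an open vCenter connection (see above).
$viaccount = $null
$UserDomain = read-host "Provide the Netbios name of the domain (ex : axel for axel.lab)"
$Addgroup = $true
while ($Addgroup)
{
    # Trim so a stray trailing space does not turn a valid group into a miss.
    $GroupToAdd = (read-host "Give the short name of the group to add (ex: vCenterAdmins)").Trim()
    Display -type info -message "Looking for $GroupToAdd…"
    # A lookup miss is expected input, so the error is suppressed and the
    # empty result is checked instead.
    $viaccount = get-viaccount -domain $UserDomain -group -id $GroupToAdd -ErrorAction SilentlyContinue
    if ($viaccount)
    {
        write-host "Found !"
    }
    else
    {
        Display -type error -message ("Group $GroupToAdd not found !")
        # An unknown group ends the session rather than re-prompting.
        break
    }
    $vcRole = (get-virole).name
    Display info "vCenter Roles:"
    $vcRole
    $GroupRole = (read-host "`n Please copy/paste the role to link to group $GroupToAdd").Trim()
    # Reject role names that do not exist on this vCenter up front instead of
    # letting New-VIPermission fail with a less readable error.
    if ($vcRole -notcontains $GroupRole)
    {
        Display -type error -message "Role '$GroupRole' does not exist on this vCenter; nothing assigned for $GroupToAdd."
    }
    else
    {
        # The permission is created at the root folder with propagation, so the
        # role applies to every object in the inventory: choose the least-privileged role.
        AssignPermissionToGroup -ADDomain $UserDomain -ADGroup $viaccount -Role $GroupRole
    }
    $UserAnswer = read-host "Do you want to add another group (y/n) ?"
    if ($UserAnswer.ToLower() -ne "y")
    {
        $viaccount = $null
        $Addgroup = $false
        Display -type quit -message "Done."
    }
}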
#endregion
Example of output: