Add An AD User Group As Root To A List Of ESXi Hosts Using PowerCLI

This came up as a requirement of a different application in our environment. The main requirement was to add an AD user group as the local root (administrator) group on a list of ESXi hosts that were connected to a vCenter Server.

It was a security-related requirement and granting root permission was mandatory, so I had to build a couple of scripts to get the task done quickly. There are many ways to do this; this is how I did it, and I hope it helps anyone with a similar requirement. Basically, it had two separate steps: first, adding the list of ESXi hosts to the domain, and second, adding the AD user group as the local root group on the ESXi hosts.

How To Add A List Of ESXi Hosts To A Domain At Once

Adding a single ESXi host to a domain is not a complex task, but it becomes a piece of work when you have a list of ESXi hosts connected to the vCenter Server. In vSphere 6.5, once a host is joined to Active Directory, members of the AD group whose name is the value of the advanced setting “Config.HostAgent.plugins.hostsvc.esxAdminsGroup” are granted the Administrator role on that host, which is full administrative (root-equivalent) access. The setting defaults to “ESX Admins”, so any group with that name in the joined domain would qualify; pointing the setting at a group you control is what makes the change worthwhile.
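Before changing anything it is worth seeing what every host currently grants. The following audit snippet is an added example, not code from the original post: it assumes an existing Connect-VIServer session (the connect command is shown below) and reports, per host, the domain membership, the group named in esxAdminsGroup, and whether the companion setting Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd still makes that grant automatic, flagging hosts that are still on the factory default “ESX Admins”.

```powershell
# Added example (not from the original post). Assumes Connect-VIServer has
# already been run against the vCenter that manages the hosts.
$GroupSetting = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup'
$AutoSetting  = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd'

# Default value shipped with ESXi; membership of any AD group with this name
# in the joined domain confers the Administrator role on the host.
$FactoryDefault = 'ESX Admins'

Get-VMHost | ForEach-Object {
    $h    = $_
    $auth = Get-VMHostAuthentication -VMHost $h
    $grp  = (Get-AdvancedSetting -Entity $h -Name $GroupSetting).Value
    $auto = (Get-AdvancedSetting -Entity $h -Name $AutoSetting).Value

    [pscustomobject]@{
        Host        = $h.Name
        Domain      = $auth.Domain
        Membership  = $auth.DomainMembershipStatus
        AdminGroup  = $grp
        AutoAdd     = $auto
        UsesDefault = ($grp -eq $FactoryDefault)   # true = still on the default
    }
} | Sort-Object UsesDefault -Descending | Format-Table -AutoSize
```

Hosts that show UsesDefault = True and a domain membership status other than unjoined are the ones to fix first; a host that is not joined yet cannot resolve the group at all, so the grant is inert until the join step below.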

First, I created the computer objects in the correct OU in Active Directory manually, then connected to the vCenter Server from PowerCLI. To connect to vCenter use:

Connect-VIServer -Server <IP_ADDRESS_OR_FQDN> -User <USERNAME> -Password <PASSWORD>

Passing the password on the command line leaves it in the console history; Connect-VIServer -Server <IP_ADDRESS_OR_FQDN> -Credential (Get-Credential) prompts for it instead and is the safer habit.

Ran the below piece of code:

# Prompt for the AD account that is allowed to join computers to the OU.
# Set-VMHostAuthentication -Password takes a plain string, so a SecureString
# from Read-Host -AsSecureString cannot be passed to it directly; Get-Credential
# keeps the prompt masked and yields the string only at call time.
$adCred = Get-Credential -Message "AD account allowed to join the domain"

# Without -VMHost, Get-VMHostAuthentication returns every host on the connected vCenter.
Get-VMHostAuthentication | Set-VMHostAuthentication -Domain 'example.domainname.local/OU1/OU2/OU3/' -JoinDomain -Username $adCred.UserName -Password $adCred.GetNetworkCredential().Password -Confirm:$false

The output looked similar to the screenshot in the original post (not reproduced here): it lists any trusted domains, if available, and the domain membership status.

Secondly, I created a PowerCLI script to change the advanced parameter on each ESXi host listed in a simple file named “Host_list.txt”. Note that this script can be used to change any advanced parameter on a list of ESXi hosts.

$hostList = Get-Content ".\Host_list.txt"
Write-Host ""
foreach ($line in $hostList) {
    # Trim the line: a trailing space after the hostname makes Get-VMHost fail.
    $name = $line.Trim()
    if (-not $name) { continue }    # skip blank lines
    Write-Host ""
    Write-Host $name
    Write-Host "============"
    Write-Host ""
    Get-AdvancedSetting -Entity (Get-VMHost -Name $name) -Name 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup' | Set-AdvancedSetting -Value 'YOUR_AD_USER_GROUP' -Confirm:$false
}
Write-Host ""

Output was similar to the screenshot in the original post (not reproduced here): each hostname followed by the updated setting.

Note: a trailing space after a hostname in “Host_list.txt” makes Get-VMHost fail with a not-found error, which was easy to miss. Strip whitespace from each line before the lookup (for example with .Trim()) or make sure the file contains none.

To verify, I started the SSH service on a host and logged in with an AD account that is a member of the added group, using the “DOMAIN\USERNAME” format as the username. Stop the SSH service again once the test is done so the host does not stay exposed. All together I had three files, which were attached to the original post.
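The two scripts above do the join and the setting change separately and trust that each command succeeded. The following script is an added example, not one of the post's own files: it combines the join and the setting change for the hosts in Host_list.txt, trims each line, skips hosts that are already in the domain, and reads the setting back afterwards so a silent failure on one host is reported rather than assumed fixed. The vCenter name, the AD group name and the domain/OU path are placeholders to replace; the domain/OU string is the one from the post.

```powershell
# Added example (not from the original post). Placeholders: $VCenter, $AdminGrp,
# the OU path in $DomainOU and the host list file.
Import-Module VMware.PowerCLI -ErrorAction Stop

$VCenter  = 'vcenter.example.local'                    # assumed vCenter name
$DomainOU = 'example.domainname.local/OU1/OU2/OU3/'    # domain/OU path from the post
$AdminGrp = 'ESXi-Root-Admins'                         # assumed AD group you control
$Setting  = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup'
$HostFile = '.\Host_list.txt'

# Prompt for both credentials rather than putting passwords on the command line.
$vcCred = Get-Credential -Message 'vCenter account'
$adCred = Get-Credential -Message 'AD account allowed to join computers to the OU'

Connect-VIServer -Server $VCenter -Credential $vcCred -ErrorAction Stop | Out-Null

# Trim every line: a trailing space makes Get-VMHost report the host as not found.
$hostNames = Get-Content $HostFile | ForEach-Object { $_.Trim() } | Where-Object { $_ }
$domainName = $DomainOU.Split('/')[0]     # bare domain, for comparing membership
$failed = @()

foreach ($name in $hostNames) {
    $vmHost = Get-VMHost -Name $name -ErrorAction SilentlyContinue
    if (-not $vmHost) {
        Write-Warning "$name not found in vCenter"
        $failed += $name
        continue
    }

    # Step 1: join the domain, skipping hosts that already report this domain.
    $auth = Get-VMHostAuthentication -VMHost $vmHost
    if ($auth.Domain -ne $domainName) {
        $auth | Set-VMHostAuthentication -Domain $DomainOU -JoinDomain `
            -Username $adCred.UserName -Password $adCred.GetNetworkCredential().Password `
            -Confirm:$false | Out-Null
    }

    # Step 2: replace the default "ESX Admins" name with the controlled group.
    Get-AdvancedSetting -Entity $vmHost -Name $Setting |
        Set-AdvancedSetting -Value $AdminGrp -Confirm:$false | Out-Null

    # Step 3: read the value back; anything other than the intended group is a failure.
    $now = (Get-AdvancedSetting -Entity $vmHost -Name $Setting).Value
    if ($now -ne $AdminGrp) {
        Write-Warning "$name still has '$now'"
        $failed += $name
    } else {
        Write-Host "$name : $Setting = $now"
    }
}

Disconnect-VIServer -Server $VCenter -Confirm:$false
if ($failed) { Write-Warning ("Review these hosts: " + ($failed -join ', ')) }
```

Run it against one test host first. The only place the AD password exists as a plain string is the argument to Set-VMHostAuthentication, which is what that cmdlet requires; the membership check is a simple domain-name comparison and does not replace looking at DomainMembershipStatus when a join fails.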

Article Short Link: https://tcrum.net/ESXistoADUsingPowerCLI


Aruna Fernando

"Sharing knowledge doesn't put your job at risk - iron sharpen iron" I heard this and it's true.
