PowerShell
PowerCLI: New cmdlets for Update Manager
Mar 3rd
VMware have this morning / last night released some PowerCLI cmdlets for VMware Update Manager (VUM). A short description can be found of them below:
| Cmdlet Name | Cmdlet Description |
| Attach-Baseline | Attaches baselines to the specified Template, VirtualMachine, VMHost, Cluster, Datacenter, Folder, and VApp objects.
Attaching a baseline to a container object such as a folder or datacenter transitively attaches the baseline to all objects in the container. |
| Detach-Baseline | Detaches baselines from the specified inventory objects. |
| Download-Patch | Downloads new patches into the Update Manager patch repository from the enabled patch download sources. |
| Get-Baseline | Retrieves the baselines specified by the provided cmdlet
parameters. |
| Get-Compliance | Retrieve baseline compliance data for the specified object of type Template, VirtualMachine, VMHost, Cluster, Datacenter, Folder, and VApp. |
| Get-Patch | Retrieves all available patches or those specified by the provided cmdlet parameters. |
| Get-PatchBaseline | Retrieves all patch baselines or those specified by the provided cmdlet parameters. |
| New-PatchBaseline | Creates a new patch baseline. Patch baselines can be applied to either hosts or virtual machines. Depending on the patch criteria you select, patch baselines can be either dynamic or static (fixed). |
| Remediate-Inventory | Remediates an inventory object against the specified baselines. |
| Remove-Baseline | Deletes the specified baselines from their servers. Before the
removal, the baselines are detached from all entities they have been attached to. |
| Scan-Inventory | Scans inventory objects for baselines attached to them. |
| Set-PatchBaseline | Modifies the properties of a patch baseline. You can specify explicitly the patches you want to include in the baseline through the IncludePatch parameter. |
| Stage-Patch | Initializes staging of patches. Staging allows you to download
patches from the Update Manager server to the ESX/ESXi hosts, without applying the patches immediately. |
The cmdlets can be downloaded from VMware’s website as a PowerShell Snapin and require PowerCLI 4.0 U1.
I look forward to seeing a few scripts pop out in the next few days that make use of these.
Basics: Open PowerCLI using different credentials
Feb 19th
Everytime I use a different PC or laptop I always forget to do this after installing PowerCLI. I happily open PowerCLI up and try to connect to a vCenter server and get prompted for my login information. This is how I feel:
Every time in that session that “Connect-VIServer” is used I’ll get it because my normal domain account doesn’t have any privileges in vCenter. The point of this post isn’t to teach anyone to suck eggs but maybe it’ll help me remember in future to make one tiny change after installing PowerCLI.
Right click on the PowerCLI shortcut and open the shortcut’s properties.
Click the “Advanced” button.
Tick the box “Run with different credentials”. OK everything.
The next time the the shortcut is used the option to specify different credentials is shown:
Entering a different account here saves having to do it each time “Connect-VIServer” is used. There are other things that can be done of course. Maybe I’ll save those for another day.
PowerCLI: Documenting vCenter Permissions (Part 1)
Feb 12th
It’s a nice feeling being asked to do something challenging and new. There I was writing lots of lovely documentation and I was asked if I could document the permissions in vCenter. I said “Ok” without really thinking about it. Do you know how many different privileges there are in vCenter? Quite a few, I realised a few seconds later.
After consulting the PowerCLI cmdlets reference I found out exactly how many there were.
(get-VIPrivilege).count
Only 249. Multiply that by 14 default roles and you get 3486 permissions to document. It’s not quite that bad really. You only need to document permissions that have been assigned so that cuts the number down considerably. Still, there must be an easier way.
I’ve all but hit you over the head with the solution. Let’s take the default “Admin” role as an example. The following shows exactly which permissions it has:
get-VIPrivilege -role Admin
The output isn’t pretty but it gets the job done. Suppose you want the privileges for all roles. To borrow Apple’s catch-phrase, there’s a cmdlet for that.
get-VIRole
This is all well and good but we need to combine these cmdlets, their output and present it in some sort of meaningful way. PowerShell has a number of builtin cmdlets for formatting and / or exporting data. What I wanted was something that didn’t require me to do any extra formatting afterwards and that I can use again. Given the nature of the data we’re trying to extract, one of the best ways of presenting it is in an Excel spreadsheet. For this we could use the export-csv cmdlet but to avoid any extra formatting I decided to experiment with Excel interaction. That is the part that took most of the time and has made the script below such an ungainly beast. Thanks though to the magic of Google and inspiration from one of Alan Renouf’s scripts, I cobbled together the following:
####################################################################
# List-Privileges.ps1 #
# #
# Author: Michael Poore (www.wekabyte.co.uk) #
# Version: 0.1 #
# Date: 12/02/2010 #
# #
# Change History: #
# - 0.1 - First working version #
# #
####################################################################
$vcserver = "myvcserver"
$startrow = 3
$date = get-date -format F
# Connect to VC Server
Connect-VIServer $vcserver
# Get a list of all privileges from the VC Server
$privs = @()
foreach ($priv in Get-VIPrivilege | sort Id)
{
$objecta = "" | select-Object ID,Description
$objecta.ID = $priv.Id
$objecta.Description = $priv.Description
$privs += $objecta
}
# Get a list of all roles from the VC Server and determine which privileges they hold
$roles = @()
foreach ($role in Get-VIRole)
{
$objectb = "" | select-Object Name,System,Description,Privileges
$objectb.Name = $role.Name
$objectb.System = $role.IsSystem
$objectb.Description = $role.Description
$myprivs = @()
$roleprivs = $role.PrivilegeList | Sort
$roleprivs
foreach ($priv in $privs)
{
$myprivs += $roleprivs -contains $priv.ID
}
$objectb.Privileges = $myprivs
$roles += $objectb
}
# Create new Excel object
$Excel = New-Object -Com Excel.Application
$Excel.visible = $True
$Excel = $Excel.Workbooks.Add(1)
$Sheet = $Excel.WorkSheets.Item(1)
# Write Worksheet title
$Sheet.Cells.Item(1,1) = "Roles and Privileges Report for $vcserver - $date"
$Sheet.Cells.Item(1,1).font.bold = $true
$Sheet.Cells.Item(1,1).font.underline = $true
$Sheet.Cells.Item(1,1).font.size = 18
# Write worksheet column headers
$row = $startrow
$Sheet.Cells.Item($row,3) = "ROLE:"
$Sheet.Cells.Item($row,3).font.bold = $true
$Sheet.Cells.Item($row,3).HorizontalAlignment = 4
$Sheet.Cells.Item($row,3).Borders.Item(10).LineStyle = 1
$Sheet.Cells.Item($row,3).Borders.Item(10).Weight = 4
$row++
$Sheet.Cells.Item($row,3) = "DESCRIPTION:"
$Sheet.Cells.Item($row,3).font.bold = $true
$Sheet.Cells.Item($row,3).HorizontalAlignment = 4
$Sheet.Cells.Item($row,3).Borders.Item(10).LineStyle = 1
$Sheet.Cells.Item($row,3).Borders.Item(10).Weight = 4
$row++
$Sheet.Cells.Item($row,3) = "SYSTEM:"
$Sheet.Cells.Item($row,3).font.bold = $true
$Sheet.Cells.Item($row,3).HorizontalAlignment = 4
$Sheet.Cells.Item($row,3).Borders.Item(10).LineStyle = 1
$Sheet.Cells.Item($row,3).Borders.Item(10).Weight = 4
$Sheet.Rows.Item($row).Borders.Item(9).LineStyle = 1
$Sheet.Rows.Item($row).Borders.Item(9).Weight = 4
$row++
$sheet.columns.item(1).columnwidth = 5
$sheet.columns.item(2).columnwidth = 5
$sheet.columns.item(3).columnwidth = 30
$sheet.columns.item(4).columnwidth = 2
foreach ($priv in $privs)
{
$level = [regex]::matches($priv.ID,"\.").count
switch ($level)
{
0 {$col = 1}
1 {$col = 2}
default {$col = 3}
}
$Sheet.Cells.Item($row,$col) = $priv.Description
$Sheet.Cells.Item($row,3).Borders.Item(10).LineStyle = 1
$Sheet.Cells.Item($row,3).Borders.Item(10).Weight = 4
#$Sheet.Cells.Item($row,3).WrapText = $true
$Sheet.Cells.Item($row,4) = " "
$row++
}
$col = 5
foreach ($role in $roles)
{
$row = $startrow
$Sheet.Cells.Item($row,$col).Orientation = 90
$Sheet.Cells.Item($row++,$col) = $role.Name
$Sheet.Cells.Item($row,$col).HorizontalAlignment = 3
$Sheet.Cells.Item($row++,$col) = $role.System
$Sheet.Cells.Item($row,$col).HorizontalAlignment = 5
$Sheet.Cells.Item($row++,$col) = $role.Description
foreach ($priv in $role.Privileges)
{
if ($priv)
{
$Sheet.Cells.Item($row,$col).HorizontalAlignment = 3
$Sheet.Cells.Item($row,$col) = "Yes"
}
$row++
}
$sheet.columns.item($col).columnwidth = 6
$col++
}
Clear
It’s a little slow to run but fairly easy to read the output. These are the default roles in vCenter 4.0.
So that’s part 1. The next step is already underway – tidying the script and adding to it to try and give some indication of which AD users and groups map to which roles.
PowerShell 2.0 Installation Error
Feb 11th
I was trying to install PowerShell 2.0 and kept getting an error part way through that simply told me that access was denied while installing the Windows Management Framework Core. The installation was then rolled back. I tried a few times, with local and domain administrator accounts but to no avail. The following event was logged each time in the system event log:
After some poking around I found that the local Administrators group did not not have Full Control of the registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost to which it was trying to write.
Just thought I’d share this in case anyone else encountered it.
PowerCLI: Adding New PortGroups
Jan 6th
I’m sure that someone somewhere has written a script exactly like this in the past but I wanted to write my own for a number of reasons. While I’ll probably never be a PowerCLI hero, it really doesn’t hurt to keep in practice and hone your skills.
Let’s start with what I want to accomplish. I’m working with an ESX 3.5 web hosting environment and there’s a new project in the pipelines. A brace of new servers are required and they’ll be on a new VLAN. The VLAN has been created and configured on the various switches that the ESX hosts connect to but now of course a corresponding PortGroup is required. (Actually two are needed – complex project.) Now we’re not talking about a huge number of hosts here. It would probably only take 10 minutes to do it by hand using the VI client. It’ll take me longer to write this post! However, it is something that happens relatively often in this environment so it’s worth taking the time to write a script. More >
