Managing permissions on standard vSwitch port groups with PowerCLI

Hi all

I have many port groups on standard as well as distributed switches on ESX 5.0.

I would like to know if there is a way to manipulate the permissions of those port groups with PowerCLI.

Is it possible, or can you help automate this work?

Thank you!

The easiest are the port groups on dvSwitches.

For example

$user = Get-VIAccount -Name "domain\lucd"
$role = Get-VIRole -Name NetworkAdmin
$dvPg = Get-VDPortgroup -Name "dvPortgroup"
New-VIPermission -Principal $user -Role $role -Entity $dvPg

The regular switches require the use of the API.

For example

# $role is the role object from the dvSwitch example above (Get-VIRole)
$pgName = "VM Network"
$pg = Get-VirtualPortGroup -Name "VM Network" | Select -First 1
# Look up the Network object behind the port group via the host's Network property
$net = Get-View (Get-View $pg.VMHostId).Network | where {$_.Name -eq $pgName}
$authMgr = Get-View AuthorizationManager
$perm = New-Object VMware.Vim.Permission
$perm.Principal = "domain\lucd"
$perm.RoleId = $role.Id
$perm.Propagate = $true
$perm.Group = $false
$authMgr.SetEntityPermissions($net.moref,$perm)

Because the Get-VirtualPortGroup cmdlet does not give direct access to the corresponding Network object, you have to find it via the ESXi host's Network property.
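
To confirm what a SetEntityPermissions call like the one above actually leaves on a port group, the following added example (not part of the original thread and not the answerer's code) reads the permissions back with RetrieveEntityPermissions and wraps the grant in a function that supports -WhatIf. The function names Get-PortGroupPermission and Set-PortGroupPermission and the names in the usage comment are made up for this example; it assumes PowerShell 3.0 or later and a connected vCenter session.

```powershell
# Added example, not from the thread. Assumes PowerShell 3.0+, PowerCLI loaded
# and an existing Connect-VIServer session to vCenter.

function Get-PortGroupPermission {
    # List the permissions that apply to the Network object(s) of a port group.
    param(
        [Parameter(Mandatory = $true)][string]$PortGroupName,
        [switch]$IncludeInherited   # also show permissions inherited from parents
    )
    $authMgr = Get-View (Get-View ServiceInstance).Content.AuthorizationManager

    # Permissions carry a numeric RoleId; map it back to a role name.
    $roleName = @{}
    $authMgr.RoleList | ForEach-Object { $roleName[$_.RoleId] = $_.Name }

    # Get-View filters are regular expressions, so anchor and escape the name.
    $filter = @{ Name = '^' + [regex]::Escape($PortGroupName) + '$' }
    foreach ($net in Get-View -ViewType Network -Filter $filter) {
        $perms = $authMgr.RetrieveEntityPermissions($net.MoRef, $IncludeInherited.IsPresent)
        foreach ($p in $perms) {
            [pscustomobject]@{
                PortGroup = $net.Name
                NetworkId = $net.MoRef.Value
                Principal = $p.Principal
                IsGroup   = $p.Group
                Role      = $roleName[$p.RoleId]
                Propagate = $p.Propagate
                DefinedOn = $p.Entity.Value   # differs from NetworkId when inherited
            }
        }
    }
}

function Set-PortGroupPermission {
    # Grant one role on a port group, then read the result back.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$PortGroupName,
        [Parameter(Mandatory = $true)][string]$Principal,   # e.g. "DOMAIN\group"
        [Parameter(Mandatory = $true)][string]$Role,
        [switch]$IsGroup,
        [switch]$Propagate
    )
    $authMgr = Get-View (Get-View ServiceInstance).Content.AuthorizationManager
    $roleObj = $authMgr.RoleList | Where-Object { $_.Name -eq $Role }
    if (-not $roleObj) { throw "Role '$Role' does not exist on this server." }

    $perm = New-Object VMware.Vim.Permission
    $perm.Principal = $Principal
    $perm.RoleId    = $roleObj.RoleId
    $perm.Group     = $IsGroup.IsPresent
    $perm.Propagate = $Propagate.IsPresent

    $filter = @{ Name = '^' + [regex]::Escape($PortGroupName) + '$' }
    $nets = @(Get-View -ViewType Network -Filter $filter)
    if ($nets.Count -eq 0) { throw "No network named '$PortGroupName' found." }

    foreach ($net in $nets) {
        $what = "grant '$Role' to '$Principal'"
        if ($PSCmdlet.ShouldProcess("$($net.Name) [$($net.MoRef.Value)]", $what)) {
            $authMgr.SetEntityPermissions($net.MoRef, @($perm))
        }
    }
    # Verification: return only what is now set for this principal.
    Get-PortGroupPermission -PortGroupName $PortGroupName |
        Where-Object { $_.Principal -eq $Principal }
}

# Usage (placeholder names):
#   Set-PortGroupPermission -PortGroupName 'VM Network' -Principal 'DOMAIN\NetOps' `
#       -Role 'ReadOnly' -IsGroup -WhatIf
#   Get-PortGroupPermission -PortGroupName 'VM Network' -IncludeInherited
```

Running Get-PortGroupPermission with -IncludeInherited shows which entries come from a parent object, which is where broader-than-intended access on a port group usually originates.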


Similar Questions

  • Setting port group permissions with PowerCLI

    Hello

    I am writing a script that creates a resource pool, adds a security group to its permissions, then creates 2 port groups on each host in the datacenter, sets their VLAN ID and then adds a security group to the port group permissions. I managed to get as far as creating the port groups, but I can't get the security group added to the port group permissions. I managed to make it work with the resource pool.

    I was wondering if anyone knew how to add an AD security group to port group permissions using PowerCLI?

    Thank you

    The New-VIPermission cmdlet does not support newer entities, such as the network.

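    This means that you will have to fall back on the SetEntityPermissions SDK method.

    $esxName = "<ESXi host name>"      # placeholder
    $pgName = "<port group name>"      # placeholder
    $user = "<principal>"              # Ex "TEST\luc"
    $role = "<role name>"              # Ex "Admin"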
    $group = $false
    $propagate = $false
    
    $authMgr = Get-View (Get-View ServiceInstance).Content.authorizationManager
    $perm = New-Object VMware.Vim.Permission
    $perm.Principal = $user
    $perm.roleId = ($authMgr.RoleList | where{$_.Name -eq $role}).RoleId
    $perm.group = $group
    $perm.propagate = $propagate
    
    $esx = Get-VMHost -Name $esxName
    $esx.ExtensionData.Network | %{
         $net = Get-View $_
         if($net.Name -eq $pgName){
              $authMgr.SetEntityPermissions($_,$perm)
         }
    }
    

    ____________

    Blog: LucD notes

    Twitter: lucd22

  • How to manage Tags with PowerCLI

    Hello

    I'm trying to find examples of how to manage custom 'Tags' in vSphere 5.1. This new feature is only used in the web client.

    I would like to create, delete, and associate tags with objects using PowerCLI.

    Can someone tell me the basic commands?

    Thank you.

    Karl


    Currently, there are no PowerCLI cmdlets to manage the tags.

    But take a look at Create/Set TAGs via PowerCLI

  • ESXi 4 port group creation with respect to a host-only vSwitch

    Hi all

    Can the ESX experts out there confirm what the 'port group' creation process is and how exactly it relates to a host-only vSwitch?

    I have created a vSwitch1 as host-only with no attached NIC (as per the other topic I found). I want to clone and boot some test hot P2V machines, but they must not have any real network connections.

    I use vSphere to do this, and I'm new to ESX...

    You will still need to create a virtual machine on the new vSwitch port group, but if the vSwitch has no physical NICs assigned to it, then the traffic on this vSwitch will be isolated.

    Dave

    VMware communities user moderator


  • Override port group NIC teaming with PowerCLI?

    Hi all

    Any chance you could lend a hand?

    I have a PowerCLI script that goes out to all of my ESX 4.0 hosts and adds a new port group to vswitch1 with a new VLAN ID. That works well, but I also need to override the NIC teaming on this port group, to set one NIC as active and the other as standby. (We set NIC failover on the port groups, not the vSwitches.)

    I see ways to change the NIC teaming settings of vSwitches, but have yet to find a way to change the NIC teaming settings for the port groups themselves with PowerCLI.

    Can someone shine a light?

    Thank you

    Try something like:

    Get-VirtualPortGroup -Name '<port group name>' | Get-NicTeamingPolicy | Set-NicTeamingPolicy -MakeNicActive "vmnic1" -MakeNicStandby "vmnic0"

    I hope this helps!

  • Two port groups with the same VLAN on the same vSwitch?

    I'm doing a consolidation.  We had two different people set up two different vSphere clusters, and different network labels were used.   Of course the network labels must match exactly to vMotion without losing connectivity.    So I was hoping that I could just create duplicate port groups on my vSwitch for the VLANs that do not match.  I know I could just migrate them and quickly change the network label, but some of them are critical and cannot go down.

    For example, on one cluster, I might have a port group for VLAN ID 88 that says 'Web DMZ'.  But the other cluster has "WWW" for VLAN ID 88.    Can I just create a second port group on the first cluster which also uses VLAN ID 88 with the name 'WWW' and be good to go?    Will that cause problems with switching (loops, etc.)?

    Hope it makes sense.  I guess the short question is: can I have two different port groups on a vSwitch using the same VLAN ID tag without causing problems?

    Creating several port groups with the same VLAN ID should not cause any problem. This is only tagging/untagging the traffic to and from the virtual machine; there is nothing like loops to be afraid of.

    André

  • I would like to add an additional management service with a different user and port

    Hello

    The version of Grid Control is 10.2.0.1.0.

    My company now has more than 100 targets, with teams of administrators accessing the OMS.

    Our original Grid infrastructure is 1 OMS + 1 OMR. The OMS has been responding very slowly recently.

    Now we have decided to add an additional management service on another machine.

    The user that operates the original OMS is different from that of the upcoming OMS; will that be a problem when configuring the new OMS?

    The other issue is that we want to use a different port (11200) for the new OMS. Is that practical, and if OK, how?

    Thank you very much.

    The user that operates the original OMS is different from that of the upcoming OMS; will that be a problem when configuring the new OMS?

    OK, you can choose any username to install the additional management service on another machine.

    It has nothing to do with the configuration of the original OMS. They reside on 2 totally different machines. SST and their OC4J, OracleAS Web Cache operate independently.

    The other issue is that we want to use a different port (11200) for the new OMS. Is that practical, and if OK, how?

    Thank you very much.

    This is fully documented as standard:

    $ /Disk1/runInstaller oracle.sysman.top.oms:s_staticPorts=/home/oracle/myport.txt

    The content of /home/oracle/myport.txt may be as follows:

    Oracle HTTP Server port = 11199
    Oracle HTTP Server Listen port = 11200
    Oracle HTTP Server SSL port = 4443
    Oracle HTTP Server Listen (SSL) port = 4445
    Oracle HTTP Server Jserv port = 8007
    Oracle HTTP Server Diagnostic port = 7200
    Oracle Management Agent port = 1830
    Application Server Control RMI port = 1850
    Oracle Notification Server Request port = 6003
    Oracle Notification Server Local port = 6100
    Oracle Notification Server Remote port = 6200
    Log Loader port = 44000
    Java Object Cache port = 7010
    DCM Java Object Cache port = 7101
    Application Server Control port = 1810
    Web Cache HTTP Listen port = 11199
    Web Cache HTTP Listen (SSL) port = 4443
    Web Cache Administration port = 4000
    Web Cache Invalidation port = 4001
    Web Cache Statistics port = 4002
    Oracle Net Listener = 1521
    Oracle Management Service Upload (non-SSL) port = 11199
    Oracle Management Upload (SSL) port = 11198

  • Unable to use the DVI-D port with a DVI-D cable from Pav 500-100a to HP W2207 monitor

    I have a new factory-standard Pav 500-100a without mods.  HP w2207 monitor.

    Currently it connects properly with VGA to the DVI-D port using the adapter supplied with the PC.  I have installed the Windows 8.1 update, put in my files from my old PC and everything was fine except the video is not very good.

    I got a DVI cable, but it's a DVI-I cable.  It took 5 minutes before Windows came up and then whenever the background picture changed in the theme it hung for a few seconds.  I read that I need a DVI-D cable, which I purchased today.

    The package says it's a CL-DVI2M - DVI M/M 24 + 1 CABLE 2 M.  The tech in the store said that it is a good cable and works perfectly.

    When connected and powered up I get the HP logo and rolling dots, then it turns off.

    I reconnect the VGA cable and all is fine - using the VGA to DVI.

    I ran msconfig and turned on safe boot - it restarts and comes up fine in safe mode.  I set the resolution to 1280 x 800, rebooted and reconnected the DVI cable - blank again.

    If I put the VGA cable back in, it boots fine.  The monitor was reset to factory settings and sees the DVI connection, but Windows remains blank. Also tried to start first with no cable, then connect the DVI, and the monitor remains in sleep - I am able to reset the monitor and it is still blank, also no DVI connection.

    If I switch on with DVI connected I can get to the BIOS, and I see the HP logo and the Win 8 startup dots.

    I don't know what else I can try.  I have no other usable video card with DVI.

    Any ideas out there?

    Pls help - Steve

    Although I am an employee of HP, I speak for myself and not for HP.

    Yes, I tried the monitor and cable on my older Compaq running XP and all is fine on DVI.  The monitor and cable are fine.

    Since then, I've had help from a product specialist in Australia.  Tried all the previous things, then went back to check that I had been doing the right thing at the start - connected the monitor by VGA with the supplied adapter to the DVI-D port - which has always worked well.

    Went to Device Manager and removed the video card adapter. Powered off and then attached the monitor directly with DVI and it started up! Drivers reinstalled and updated, and now I have nice crisp clear video.

    Something the support person should apparently have done - instead I was asked to wipe the hard drive and restore the factory system, replace the cables, buy a new monitor... I was even asked to stay in VGA mode and not use DVI!

    Thank you for your help, Dave, its good to know that you are around to help us.

  • Collecting guest operating system information with PowerCLI

    Can I get information about local groups inside the Windows guest operating system with PowerCLI?

    No, this cmdlet and scripts invoked through it, do not depend on any 'remote access' configuration in the guest OS.

    In fact, the Invoke-VMScript cmdlet uses the VMware Tools, which are a requirement, to launch the script inside the guest OS.

    To the guest OS, it will look like a script started locally.

    Make sure that the account under which the script is run, has the necessary permissions.

  • Downloaded files suddenly began to have the wrong group permissions

    I'm on an iMac with 10.7.5, using Firefox 24.
    Suddenly, all the files I download through FF could be consulted from anywhere else in the network, except my iMac. I finally checked the permissions of the downloaded files and found that FF began to restrict group access (anyone = no access). Never had this problem before. Somehow FF started not obeying the target folder permission settings.
    I tried a lot of bugs, I even deleted FF with all its relevant files... did a clean install, but the problem won't go away. Important to note that Safari and Chrome still download all files with correct group permissions.

    Happy to report this very annoying problem is now gone.
    I've just updated to FF 25 and now the permissions on downloaded files are back to normal, with group access allowed.

  • I get timeouts trying to access a parallel port with VISA

    I get VISA time-out errors when I try to write to the parallel port. MAX says that the port works and that I should be able to communicate with it. Windows 2000 Device Manager also says that the device works. I am using the example for writing to the parallel port with VISA that I found on the NI site. To make it even more confusing, it runs on one computer but not on another. All software and drivers are the same on both machines. On the one that gives me the time-out error, I am able to write to the parallel port using "accesshw".

    What a coincidence. The computer that I had problems with is also a Dell Optiplex. Wiring the pins together the way that you have specified has solved my timeout problem. The cable I had only has terminals 11 and 12 tied low, as indicated on the page with a link to the code sample titled "Using VISA to Access the Parallel Port in LabVIEW". I don't know why the original cable worked with one computer but not a Dell Optiplex. Thanks for the quick fix!

  • Count the number of targets, devices and paths per HBA for each host with PowerCLI 5.5

    Hi all

    I'm posting this question again in the community, as I was not able to find the answer I was looking for in these threads:

    https://communities.VMware.com/thread/516226?start=0&tstart=0

    https://communities.VMware.com/thread/293531

    I went through the scripts provided in the community, but it seems that they do not work on PowerCLI 5.5.

    ///

    # Count the targets, devices and paths for each host
    Get-Cluster $cluster | Get-VMHost | Sort-Object -Property Name | ForEach-Object {
        $VMHost = $_
        $VMHost | Get-VMHostHba -Type FibreChannel | Sort-Object -Property Device | ForEach-Object {
            $VMHostHba = $_
            $ScsiLun = $VMHostHba | Get-ScsiLun
            If ($ScsiLun) {
                $ScsiLunPath = $ScsiLun | Get-ScsiLunPath | `
                    Where-Object {$_.Name -like "$($VMHostHba.Device)*"}
                $Targets = ($ScsiLunPath | `
                    Group-Object -Property SanID | Measure-Object).Count
                $Devices = ($ScsiLun | Measure-Object).Count
                $Paths = ($ScsiLunPath | Measure-Object).Count
            }
            Else {
                $Targets = 0
                $Devices = 0
                $Paths = 0
            }
            $Report = "" | Select-Object -Property VMHost,HBA,Targets,Devices,Paths
            $Report.VMHost = $VMHost.Name
            $Report.HBA = $VMHostHba.Device
            $Report.Targets = $Targets
            $Report.Devices = $Devices
            $Report.Paths = $Paths
            $Report
        }
    }

    ///

    I went through the script LucD posted, shown below, but it's not exactly what I'm looking for.

    LucD: can you please change it for me, to count the number of targets, devices and paths per HBA for each host with PowerCLI 5.5?

    //

    $esx = Get-VMHost "<host name>"
    foreach ($hba in (Get-VMHostHba -VMHost $esx -Type "FibreChannel")) {
        $target = ((Get-View $hba.VMHost).Config.StorageDevice.ScsiTopology.Adapter | where {$_.Adapter -eq $hba.Key}).Target
        $luns = Get-ScsiLun -Hba $hba -LunType "disk"
        $nrPaths = ($target | %{$_.Lun.Count} | Measure-Object -Sum).Sum
        Write-Host $hba.Device "Targets:" $target.Count "Devices:" $luns.Count "Paths:" $nrPaths
    }

    //

    I'll be grateful for any help.

    Tarun Gupta

    Try something like this

    foreach ($esx in Get-VMHost) {
        foreach ($hba in (Get-VMHostHba -VMHost $esx -Type "FibreChannel")) {
            # Targets seen by this HBA, from the host's SCSI topology
            $target = ((Get-View $hba.VMHost).Config.StorageDevice.ScsiTopology.Adapter | where {$_.Adapter -eq $hba.Key}).Target
            $luns = Get-ScsiLun -Hba $hba -LunType "disk" -ErrorAction SilentlyContinue
            $nrPaths = ($target | %{$_.Lun.Count} | Measure-Object -Sum).Sum
            $props = [ordered]@{
                VMHost = $esx.Name
                HBA = $hba.Name
                Target = $target.Count
                Device = $luns.Count
                Path = $nrPaths
            }
            New-Object PSObject -Property $props
        }
    }

  • PowerCLI script to terminate idle VI Client sessions

    Hello PowerCLI gurus

    I searched the net for a PowerCLI script that would end all the VI Client sessions that have been inactive for x period of time.  I found a post on the VMware forums (http://communities.vmware.com/message/914858?z=zI0r8n) but had no luck with it.  I also found a script created by A.Mikkelsen, at http://www.amikkelsen.com/?p=384 , but that one does not work either.

    Here's the actual script by A.Mikkelsen that is based on code by LucD in the forum mentioned previously.

    BEGINNING

    ##################################################################################
    # The script terminates all user sessions that have been idle for more than xx  #
    #                                                                                #
    # Created by: Anders Mikkelsen, 2010                                             #
    ##################################################################################
    Clear
    # Add-PSSnapin VMware.VimAutomation.Core

    # $server = "vcenter server"
    # $user = "vcenter username"
    # $pwd = "vcenter password"

    # Add 1 extra hour to the idle time, due to the timestamp difference between MSSQL and Windows.
    # Idle time 5 hours = 360
    # Idle time 10 hours = 660
    $intOlderThan = 60

    # Connect-VIServer $server -User $user -Password $pwd
    # Connect-VIServer $server

    $svcRef = New-Object VMware.Vim.ManagedObjectReference
    $svcRef.Type = 'ServiceInstance'
    $svcRef.Value = 'ServiceInstance'
    $serviceInstance = Get-View $svcRef

    $sessMgr = Get-View $serviceInstance.Content.sessionManager
    $oldSessions = @()
    foreach ($sess in $sessMgr.SessionList) {
        if (($sess.LastActiveTime).AddMinutes($intOlderThan) -lt (Get-Date)) {
            $oldSessions += $sess.Key
            # Write "$($sess.UserName)"
        }
    }

    # Terminate sessions that are idle for longer than approved ($intOlderThan)
    $sessMgr.TerminateSession($oldSessions)

    Disconnect-VIServer * -Confirm:$false

    END

    The error message I get is:

    BEGINNING

    Exception calling "TerminateSession" with "1" argument(s): "A specified parameter was not correct.
    "
    D:\Scripts\vc_terminate_idle_sessions.ps1:36 char:26
    + $sessMgr.TerminateSession <<<< ($oldSessions)
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException

    END

    I should mention that my knowledge of PowerCLI is almost nothing, so any help in tweaking this script to make it work with PowerCLI 5.1 Release 2 and VC 5 U2 would be much appreciated.

    The error is caused by the fact that you are trying to kill your own session (if it was started a long time ago).

    Apparently in vSphere 5 they included a built-in security mechanism to avoid this.

    You can handle this by adding a simple test.

    ## max number of idle minutes for sessions to keep
    $intOlderThan = 60
    $serviceInstance = Get-View 'ServiceInstance'
    ## get the session manager object
    $sessMgr = Get-View $serviceInstance.Content.sessionManager
    ## array to hold info about stale sessions
    $oldSessions = @()
    foreach ($sess in $sessMgr.SessionList){
        if (($sess.LastActiveTime).addminutes($intOlderThan) -lt (Get-Date) -and
              $sess.Key -ne $sessMgr.CurrentSession.Key){
            $oldSessions += $sess.Key
        } ## end if
    } ## end foreach

    ## if there are any old sessions, terminate them; else, just write message to the Warning stream
    if (($oldSessions | Measure-Object).Count -gt 0) {
        ## Terminate sessions that are idle for longer than approved ($intOlderThan)
        $sessMgr.TerminateSession($oldSessions)
    } ## end if
    else {Write-Warning "No sessions that have been idle for more than '$intOlderThan' minutes; no action taken"}
    
  • vMA vCenter 4.1 and non-standard port

    I just deployed vMA 4.1; everything works fine, and I even got AD auth working.  However, when I try to run a command as an AD user, I get this:

    [vi-admin@vma01 ~][vcenter01]$ esxcfg-mpath -l --vihost esxhost4.globalivewireless.local
    Enter the user name: domain\domainadminacct
    Enter the password:
    Error connecting to server at 'https://vcenter01/sdk/webService': Connection refused

    Don't see much in the logs.

    However, if I try to connect to this URL, it will fail - it's because we connect to vCenter using 30443.  The vifp addtarget with - port_number specified works (it does not work without the specified port), but it seems the standard commands always try to use 443.

    Is it possible to change the default from 443 to our non-standard port?

    This is more of a vCLI concept than a vMA one. Think of vMA as just a vCLI appliance: instead of having to install the vCLI yourself, vMA is delivered pre-packaged as a Linux appliance.

    Have a look here for info - http://pubs.vmware.com/vsphere-50/index.jsp?topic=/com.vmware.vcli.examples.doc_50/cli_overviews.3.8.html

    Basically, each global option such as username, password, server, etc. can be specified in a file; then, instead of typing each option, you can simply use --config [config_file], which includes your options.

  • How to add an AD security group to each virtual machine with the corresponding name in vCenter?

    Hi all

    I would like to know if this is possible with VMware PowerCLI v4.1. I created a universal security group called 'Local administrators on %ComputerName%' for each server I have in the Computers OU, in a separate OU, and manually added the members, but I want to assign this security group to each virtual machine with the same name if possible.

    Basically, it's something like this:

    In AD, here are the computer objects:
    DOMAIN.com/Computers/mailserver1-VM
    DOMAIN.com/Computers/DBServer1-VM
    DOMAIN.com/Computers/ApplicationServer1-VM

    In AD, here are the local security group objects:
    DOMAIN.com/SecureProductionOU/'Local Administrator on mailserver1-VM'
    DOMAIN.com/SecureProductionOU/'Local Administrator on DBServer1-VM'
    DOMAIN.com/SecureProductionOU/'Local Administrator on ApplicationServer1-VM'

    So I want to assign these security groups to the VMs of the respective name in vCenter:

    VCenter01.domain.com
      Datacenter1
        HighPerformanceCluster1
          Mailserver1-VM - Local Administrator on mailserver1-VM - role: read-only
          DBServer1-VM - Local Administrator on DBServer1-VM - role: read-only
          ApplicationServer1-VM - Local Administrator on ApplicationServer1-VM - role: read-only

    Any kind of help and assistance would be greatly appreciated.

    Thank you.

    Hi Albert,

    I don't know what you want to check exactly, so I give 2 possible solutions.

    (1) You have a fixed number of known virtual machine names for which you want to add this permission.

    $targetVM = "MailServer1-VM","DBServer1-VM","ApplicationServer1-VM"
    
    Get-Cluster -Name HighPerformanceCluster1 | Get-VM | `
        where {$targetVM -contains $_.Name} | %{
        New-VIPermission -Entity $_ -Principal ("DOMAIN\Local Administrator on " + $_.Name) `
           -Role (Get-VIRole -Name ReadOnly) -Confirm:$false
       }
    

    (2) You want to check for each virtual machine whether the security group exists and then add the permission.

    Get-Cluster -Name HighPerformanceCluster1 | Get-VM | `
        Where{Get-QADObject ("DOMAIN\Local Administrator on " + $_.Name) `
            -DontUseDefaultIncludedProperties -WarningAction SilentlyContinue `
            -ErrorAction SilentlyContinue -SizeLimit 1} | %{
        New-VIPermission -Entity $_ -Principal ("DOMAIN\Local Administrator on " + $_.Name) `
            -Role (Get-VIRole -Name ReadOnly) -Confirm:$false
    }
    

    Note that this requires that the Quest AD snap-in is installed. If you have a version without the Quest AD snap-in let me know.
