I’ve recently had a couple of questions around automated reporting or changes to the vCenter Server SSO Domain. I’ve seen mention of the VMware.vSphere.SsoAdmin PowerCLI module, but haven’t had a need to dig into it. This post will explore a couple of things that can be achieved with this module.
Installing the Module & Connecting to an SSO Server
The module is available in the PowerShell Gallery as well as in the PowerCLI-Example-Scripts Repo (https://github.com/vmware/PowerCLI-Example-Scripts/tree/master/Modules/VMware.vSphere.SsoAdmin). You can install it with the following syntax:
Install-Module VMware.vSphere.SsoAdmin -Scope:CurrentUser
Once the module is installed, we can connect to an SSO server (in this case my vCenter Server Appliance).
Connect-SsoAdminServer -Server lab-vcsa-12.example.org -User brian -Password VMware1! -SkipCertificateCheck
A successful connection should return some details about the name/Uri/user that is connected. The following few examples all depend on a successful connection.
Reporting on Group Membership
The first reporting task I was asked about was seeing which users were members of the vsphere.local Administrators group. We can do this by finding the group, then piping that to another cmdlet provided by this module.
Get-SsoGroup -Name Administrators -Domain vsphere.local | Get-SsoPersonUser
Here is a sample output:
Name          Domain        Locked Disabled PasswordExpirationRemainingDays
----          ------        ------ -------- -------------------------------
Administrator vsphere.local False  False    -1
test1         localos       False  False    -1
brian         example.org   False  False    35
lop           localos       False  False    -1
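The one-liner above covers a single vCenter Server. The following script is an added example (not code from the original post or from the module's authors) that runs the same group-membership report against a list of vCenter Servers, flags accounts that come from outside vsphere.local, and writes everything to a CSV for review. It assumes the module is installed, that one SSO credential is valid on every server, that Connect-SsoAdminServer accepts a PSCredential via -Credential, and that Get-SsoGroup and Disconnect-SsoAdminServer take a -Server parameter to pick the connection; the server names are placeholders.

```powershell
# Added example: report members of the vsphere.local Administrators group
# across several vCenter Servers and export the result to CSV.
# Assumptions: VMware.vSphere.SsoAdmin is installed, the same credential works
# on every server, -Credential and -Server are accepted as used below.
$vcenters = @('lab-vcsa-01.example.org', 'lab-vcsa-02.example.org')  # placeholders
$cred     = Get-Credential -Message 'SSO administrator credential'

$report = foreach ($vc in $vcenters) {
    # One SSO session per vCenter; the returned object is passed as -Server so
    # several open sessions do not get mixed up.
    $sso = Connect-SsoAdminServer -Server $vc -Credential $cred -SkipCertificateCheck
    try {
        Get-SsoGroup -Name Administrators -Domain vsphere.local -Server $sso |
            Get-SsoPersonUser |
            ForEach-Object {
                [pscustomobject]@{
                    vCenter       = $vc
                    Name          = $_.Name
                    Domain        = $_.Domain
                    Locked        = $_.Locked
                    Disabled      = $_.Disabled
                    ExpiresInDays = $_.PasswordExpirationRemainingDays
                    # Accounts from outside vsphere.local (AD, localos) are the
                    # ones an access review usually wants to look at first.
                    External      = ($_.Domain -ne 'vsphere.local')
                }
            }
    }
    finally {
        Disconnect-SsoAdminServer -Server $sso
    }
}

$report | Sort-Object vCenter, Name | Format-Table -AutoSize
$report | Export-Csv -Path .\sso-admins.csv -NoTypeInformation
```

The property names (Name, Domain, Locked, Disabled, PasswordExpirationRemainingDays) are the ones shown in the sample output above; the External column is derived in the script.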
Changing the administrator@vsphere.local password
One request I received was around the ability to programmatically change the password for the administrator@vsphere.local account. We can do this with a single line of code:
Get-SsoPersonUser -Name administrator -Domain vsphere.local | Set-SsoPersonUser -NewPassword VMware1!VMware1!
In the above example, we are finding a specific user (with Get-SsoPersonUser), then we pipe that output to Set-SsoPersonUser and specify our NewPassword value.
Once the password is changed, we can log in to the UI or with Connect-VIServer to validate that our credentials have been successfully updated.
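Putting the change and the validation step together, here is an added example (not from the original post) that prompts for the new password as a SecureString so the value never lands in the shell history, unwraps it only for the Set-SsoPersonUser call, and then proves the change took effect by opening a fresh Connect-VIServer session. It assumes an active Connect-SsoAdminServer session already exists and that PowerCLI's Connect-VIServer/Disconnect-VIServer are available; the vCenter name is a placeholder.

```powershell
# Added example: rotate administrator@vsphere.local and verify the new password.
# Assumes an existing Connect-SsoAdminServer session and PowerCLI loaded.
$vc     = 'lab-vcsa-12.example.org'   # placeholder
$secure = Read-Host -Prompt 'New administrator@vsphere.local password' -AsSecureString

# Set-SsoPersonUser takes the password as a plain string, so the SecureString is
# unwrapped only at the call site and the plain copy is dropped immediately after.
$plain = [System.Net.NetworkCredential]::new('', $secure).Password
Get-SsoPersonUser -Name administrator -Domain vsphere.local |
    Set-SsoPersonUser -NewPassword $plain
Remove-Variable plain

# Verification: a credential built from the same SecureString must now be
# accepted by vCenter. -ErrorAction Stop turns a rejected login into a
# terminating error so a failed rotation is not silently ignored.
$cred    = [pscredential]::new('administrator@vsphere.local', $secure)
$session = Connect-VIServer -Server $vc -Credential $cred -ErrorAction Stop
if ($session.IsConnected) {
    Write-Host "Password change verified: logged in to $($session.Name)"
}
Disconnect-VIServer -Server $session -Confirm:$false
```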
Updating the Active Directory over LDAP Identity Source password
From time to time it may be necessary to update the username/password used to bind to an Active Directory domain in the vCenter identity sources list. If we have a small number of vCenter Servers, we could probably do this in the GUI, as shown in the screenshot below:
However, for a large number of vCenter Servers, or for frequent password rotation, automation may be helpful. Fortunately this module can update this identity source as well.
Get-IdentitySource -External | Where-Object { $_.Name -eq 'example.org' } |
    Set-LDAPIdentitySource -Username 'EXAMPLE\svc-ldapbind-a' -Password 'VMware1!'
In the above example we retrieve only the external identity sources, use Where-Object to filter to a specific one (this environment has multiple LDAPS directories, each requiring a different bind user), and then update that identity source with the new username and password values. This is actually better than the GUI: when we make the same change in the GUI we also need to provide the certificate, whereas with this module we can update only the necessary values and leave the existing certificate in place. (Note: this module is also capable of updating the certificate if needed.)
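For the "many vCenter Servers, frequent rotation" case, the following added example (not from the original post) applies the same Get-IdentitySource / Set-LDAPIdentitySource change to every server in a list, skips servers that do not have the named identity source, and keeps going when one server fails so a single error does not leave the rest of the fleet on the old bind password. It assumes the module is installed, that one SSO credential works on every server, that Connect-SsoAdminServer accepts -Credential and that Get-IdentitySource, Set-LDAPIdentitySource and Disconnect-SsoAdminServer accept -Server; the identity source object is only assumed to expose .Name, which the post itself filters on. Server names and the bind account are placeholders.

```powershell
# Added example: rotate the AD-over-LDAP bind credential on several vCenters.
# Assumptions: SsoAdmin module installed, one SSO credential valid everywhere,
# -Credential / -Server accepted as used below, identity source exposes .Name.
$vcenters   = @('lab-vcsa-01.example.org', 'lab-vcsa-02.example.org')  # placeholders
$sourceName = 'example.org'
$bindUser   = 'EXAMPLE\svc-ldapbind-a'                                   # placeholder
$ssoCred    = Get-Credential -Message 'SSO administrator credential'
$bindSecure = Read-Host -Prompt "New password for $bindUser" -AsSecureString
# Set-LDAPIdentitySource wants a plain string; keep the plain copy as short-lived as possible.
$bindPlain  = [System.Net.NetworkCredential]::new('', $bindSecure).Password

foreach ($vc in $vcenters) {
    $sso = Connect-SsoAdminServer -Server $vc -Credential $ssoCred -SkipCertificateCheck
    try {
        $source = Get-IdentitySource -External -Server $sso |
            Where-Object { $_.Name -eq $sourceName }
        if (-not $source) {
            Write-Warning "$vc : no external identity source named '$sourceName', skipped"
            continue
        }
        # Only the bind user and password are touched; the LDAPS certificate
        # already on the identity source is left as-is.
        $source | Set-LDAPIdentitySource -Username $bindUser -Password $bindPlain -Server $sso
        Write-Host "$vc : bind credential updated for $($source.Name)"
    }
    catch {
        # Record the failure and move on; the summary warnings tell you which
        # servers still need attention.
        Write-Warning "$vc : $($_.Exception.Message)"
    }
    finally {
        Disconnect-SsoAdminServer -Server $sso
    }
}
Remove-Variable bindPlain
```

Run this after the password has been changed on the service account in Active Directory, not before, otherwise every vCenter will start failing LDAP binds until the directory side catches up.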
Conclusion
The VMware.vSphere.SsoAdmin module is very powerful and worth a closer look.