{"id":2052,"date":"2024-08-30T09:14:53","date_gmt":"2024-08-30T13:14:53","guid":{"rendered":"https:\/\/enterpriseadmins.org\/blog\/?p=2052"},"modified":"2024-08-30T09:14:53","modified_gmt":"2024-08-30T13:14:53","slug":"automate-workaround-for-esx-admins-group","status":"publish","type":"post","link":"https:\/\/enterpriseadmins.org\/blog\/scripting\/automate-workaround-for-esx-admins-group\/","title":{"rendered":"Automate workaround for ESX Admins group"},"content":{"rendered":"\n<p>In a recent security advisory (VMSA-2024-0013), there is a workaround listed for hosts older than ESXi 8.0u3 (<a href=\"https:\/\/knowledge.broadcom.com\/external\/article\/369707\">https:\/\/knowledge.broadcom.com\/external\/article\/369707<\/a>).  This knowledge base article lists a few advanced settings and an <code>esxcli<\/code> command which can be run to apply this workaround.  Setting advanced settings and invoking <code>esxcli<\/code> are two things that PowerCLI can do very well.  The following code sample highlights those commands and helps automate the process listed in the knowledge base article.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$vmhosts = Get-Cluster h243-cluster | Get-VMHost\nforeach ($vmHost in $vmhosts) {\n  Write-Host \"Processing host $($vmHost.Name)\"\n  # Get advanced setting, if it is not the desired value, set it to the desired value.\n  $vmhost | Get-AdvancedSetting Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd | ?{$_.Value -ne $false} | Set-AdvancedSetting -Value $false -Confirm:$false\n  $vmhost | Get-AdvancedSetting Config.HostAgent.plugins.vimsvc.authValidateInterval | ?{$_.Value -ne 90} | Set-AdvancedSetting -Value 90 -Confirm:$false\n  $vmhost | Get-AdvancedSetting Config.HostAgent.plugins.hostsvc.esxAdminsGroup | ?{$_.Value -ne ''} | Set-AdvancedSetting -Value '' -Confirm:$false\n\n  # Find and remove the default admin group if present (ends with \\esx admins)\n  $esxcli = $vmhost | Get-EsxCli -V2\n  $esxcli.system.permission.list.Invoke() 
| ?{$_.IsGroup -eq $true -AND $_.Principal -match &#91;regex]::escape('\\esx^admins')+'$' -AND $_.Role -eq 'Admin' } | %{\n    write-host \"Found group $($_.Principal) and will attempt to remove.\"\n    $removeGroup = $esxcli.system.permission.unset.CreateArgs()\n    $removeGroup.id = $_.Principal\n    $removeGroup.group = $_.IsGroup\n    $esxcli.system.permission.unset.invoke($removeGroup)\n  }\n\n  # List current system permissions for reference\n  $esxcli.system.permission.list.Invoke()\n} # end vmhosts loop<\/code><\/pre>\n\n\n\n<p>For more detail on these PowerCLI cmdlets, check out the documentation links below: <br>&#8211; <a href=\"https:\/\/developer.broadcom.com\/powercli\/latest\/vmware.vimautomation.core\/commands\/get-advancedsetting\">Get-AdvancedSetting<\/a><br>&#8211; <a href=\"https:\/\/developer.broadcom.com\/powercli\/latest\/vmware.vimautomation.core\/commands\/set-advancedsetting\">Set-AdvancedSetting<\/a><br>&#8211; <a href=\"https:\/\/developer.broadcom.com\/powercli\/latest\/vmware.vimautomation.core\/commands\/get-esxcli\">Get-EsxCli<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In a recent security advisory (VMSA-2024-0013), there is a workaround listed for hosts older than ESXi 8.0u3 (https:\/\/knowledge.broadcom.com\/external\/article\/369707). This knowledge base article lists a few advanced settings and an esxcli command which can be run to apply this workaround. 
Setting &hellip; <a href=\"https:\/\/enterpriseadmins.org\/blog\/scripting\/automate-workaround-for-esx-admins-group\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":6,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[3,4],"tags":[],"class_list":["post-2052","post","type-post","status-publish","format-standard","hentry","category-scripting","category-virtualization"],"_links":{"self":[{"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/posts\/2052","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/comments?post=2052"}],"version-history":[{"count":2,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/posts\/2052\/revisions"}],"predecessor-version":[{"id":2062,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/posts\/2052\/revisions\/2062"}],"wp:attachment":[{"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/media?parent=2052"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/categories?post=2052"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/tags?post=2052"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}