Creating a local ESXi user in a locked-down situation and adding it to the exception list

My customer asked for a way to add local users to ESXi hosts that are in lockdown mode. A side quest was to add those users to the lockdown exception list. The use case is App Volumes: they want it to keep working if the vCenter Server goes down, which requires a local account that can still log in to the host while lockdown mode is active. The trick is that you need to talk to two different VIServer entities: the vCenter Server and the local ESXi host, since local host users cannot be created through vCenter. Lockdown mode is switched off (through vCenter) only long enough to connect to the host directly and create the account, and switched back on afterwards.

Of course, PowerCLI to the rescue! I decided to wrap everything in a try/catch construction for some error handling and some visual output. These can be stripped if you want, but I like some feedback.

Some of the outtakes:

These two calls disable and re-enable the host's lockdown mode. Disabling it is necessary before you can connect to the host directly and create the local user; re-enabling it afterwards (ideally in a finally block, so it also happens when a step fails) puts the host back in the state you found it in.

There is some encryption in here, because I dislike having a password visible as plain text; the password is read from a protected (SecureString) form and only converted to plain text at the moment the account cmdlets need it. The script first tests whether the account exists and, if so, sets the password and description. If the user doesn't exist, it creates the user for you.

This gives the newly created or edited user the Admin role on the host. If you want to use a custom role instead, that can be added to the script; we went for the Admin role since App Volumes needs an awful lot of rights anyway. In that case I would recommend using a variable for the role name and creating the role on each host with New-VIRole, since roles defined directly on a host are local to that host.

This simply adds the user to the lockdown exception list. Note that the API call that updates the list replaces the whole list, so read the existing exceptions first and append the new user rather than overwrite them.

So now the complete script:

Future versions of this script will not be posted here, so always check GitHub for the latest version.
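The whole procedure in one script, written as an added example for this page; it is not the author's script from GitHub and does not try to reproduce it. It assumes a vCenter name, a host name pattern in $Target ('*' covers every host vCenter knows about), a service account name, a DPAPI-protected password file created with Read-Host -AsSecureString | ConvertFrom-SecureString, and a role name (Admin by default, with a placeholder privilege list used only when a custom role has to be created). All of those are illustrative values; the PowerCLI cmdlets and the HostAccessManager API calls are real.

```powershell
# Added example, not the original post's script. Creates/updates a local ESXi account on
# hosts that are in lockdown mode, grants it a role, adds it to the lockdown exception
# list and restores the original lockdown mode even when a step fails.
param(
    [string]$vCenter        = 'vcenter.example.local',          # assumption
    [string]$Target         = '*',                              # '*' = every host in vCenter
    [string]$UserName       = 'svc-appvolumes',                 # assumption
    [string]$PasswordFile   = '.\appvol.pwd',                   # DPAPI-protected, see below
    [string]$RoleName       = 'Admin',
    [string[]]$RolePrivileges = @('Datastore.Browse', 'Datastore.FileManagement'),  # placeholder list
    [string]$Description    = 'App Volumes service account'
)

# Password handling: store the secret once with
#   Read-Host -AsSecureString | ConvertFrom-SecureString | Set-Content .\appvol.pwd
# Without -Key, ConvertFrom-SecureString uses DPAPI, so only the same Windows user on the
# same machine can decrypt it. The plain text exists only in memory, for the account cmdlets.
$secure = Get-Content $PasswordFile | ConvertTo-SecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

$hostCred = Get-Credential -Message 'Local root credentials for the ESXi hosts'
$vc = Connect-VIServer -Server $vCenter -ErrorAction Stop

foreach ($vmhost in Get-VMHost -Name $Target -Server $vc | Sort-Object Name) {
    $hv  = Get-View -Id $vmhost.Id -Property Name, Config.LockdownMode, ConfigManager.HostAccessManager
    $ham = Get-View -Id $hv.ConfigManager.HostAccessManager   # HostAccessManager managed object
    $originalMode = $hv.Config.LockdownMode                   # lockdownDisabled / lockdownNormal / lockdownStrict
    $esx = $null
    try {
        # 1. Lift lockdown through vCenter; the vCenter session is not affected by lockdown mode.
        if ($originalMode -ne 'lockdownDisabled') {
            Write-Host "$($vmhost.Name): lifting $originalMode"
            $ham.ChangeLockdownMode('lockdownDisabled')
        }

        # 2. Local accounts cannot be managed through vCenter: connect to the host directly.
        $esx = Connect-VIServer -Server $vmhost.Name -Credential $hostCred -ErrorAction Stop

        # 3. Create the account, or reset password and description if it already exists.
        $acct = Get-VMHostAccount -Id $UserName -Server $esx -ErrorAction SilentlyContinue
        if ($acct) {
            Set-VMHostAccount -UserAccount $acct -Password $plain -Description $Description -Server $esx | Out-Null
            Write-Host "$($vmhost.Name): updated $UserName"
        } else {
            New-VMHostAccount -Id $UserName -Password $plain -Description $Description -Server $esx | Out-Null
            Write-Host "$($vmhost.Name): created $UserName"
        }

        # 4. Role assignment on the host's root folder ('ha-folder-root' on a standalone
        #    host connection), so the permission propagates to everything on the host.
        $role = Get-VIRole -Name $RoleName -Server $esx -ErrorAction SilentlyContinue
        if (-not $role) {
            # Custom role not present on this host yet: roles are per host, so create it here.
            $privs = Get-VIPrivilege -Id $RolePrivileges -Server $esx
            $role  = New-VIRole -Name $RoleName -Privilege $privs -Server $esx
        }
        $root = Get-Folder -Name 'ha-folder-root' -Server $esx
        New-VIPermission -Entity $root -Principal $UserName -Role $role -Propagate:$true -Server $esx | Out-Null

        # 5. Exception list: UpdateLockdownExceptions() replaces the whole list, so merge
        #    with what is already there instead of overwriting it.
        $exceptions = @($ham.QueryLockdownExceptions())
        if ($exceptions -notcontains $UserName) {
            $ham.UpdateLockdownExceptions($exceptions + $UserName)
            Write-Host "$($vmhost.Name): $UserName added to lockdown exceptions"
        }
    }
    catch {
        Write-Warning "$($vmhost.Name): $($_.Exception.Message)"
    }
    finally {
        if ($esx) { Disconnect-VIServer -Server $esx -Confirm:$false }
        # 6. Always restore the original lockdown mode, even if an earlier step threw.
        if ($originalMode -ne 'lockdownDisabled') {
            $ham.ChangeLockdownMode($originalMode)
            Write-Host "$($vmhost.Name): $originalMode restored"
        }
    }
}

Disconnect-VIServer -Server $vc -Confirm:$false
```

Every cmdlet is called with an explicit -Server so the vCenter and host sessions never get mixed up, whatever DefaultVIServerMode is set to. ChangeLockdownMode and the exception-list methods exist from vSphere 6.0 onwards; on older hosts the lockdown toggle has to go through the HostSystem's EnterLockdownMode/ExitLockdownMode methods instead.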


2 opinions on "Creating a local ESXi user in a locked-down situation and adding it to the exception list"

  1. Thanks, I love it. This is exactly what I am looking for. So if I want to apply it to all ESXi hosts, can I just leave $target blank? Or do I have to change/remove $Target on line 43?
