PowerShell & PowerCLI - Create Local Accounts
Using PowerCli to Create a Backup Local Admin on ESXi
Creating another administrative account on ESXi hosts serves several important purposes related to security, access control, and operational flexibility in VMware environments:

- Enhanced Security: Creating additional administrative accounts with specific roles and permissions allows you to implement the principle of least privilege. This means each administrator or user account only has access to the resources and privileges necessary to perform their job duties. It reduces the risk of accidental or intentional misuse of administrative privileges, thereby enhancing overall security.
- Segregation of Duties: By creating separate admin accounts, you can segregate duties among different administrators or teams. For example, you might have separate accounts for server management, network configuration, storage administration, etc. This segregation helps in maintaining accountability and ensures that changes and operations are performed by authorized personnel only.
- Operational Flexibility: Having multiple administrative accounts provides flexibility in managing ESXi hosts. Different accounts can be assigned different levels of access and roles based on specific needs or responsibilities within the organization. This allows for more granular control over who can perform which actions on the hosts.
- Compliance Requirements: Many regulatory standards and best practices recommend or require the segregation of duties and the use of least privilege principles. Creating additional admin accounts helps in meeting these compliance requirements, such as PCI DSS, HIPAA, GDPR, etc.
- Emergency Access: Having multiple admin accounts ensures redundancy and facilitates emergency access scenarios. If one account becomes unavailable due to issues like password reset problems, having another account ensures continuity of administrative access without disruption to operations.
- Audit and Accountability: Each admin account creates an audit trail of actions performed on ESXi hosts. This audit trail is crucial for security audits, troubleshooting, and compliance reporting purposes. It helps in identifying who performed which actions and when, aiding in incident response and forensic investigations if needed.
In conclusion, creating additional administrative accounts on ESXi hosts is a best practice that enhances security, facilitates operational management, and ensures compliance with regulatory standards. It provides flexibility in managing resources and access permissions while maintaining accountability and reducing security risks.
PowerShell PowerCLI New Admin Account
$VMHost = "MyVMHostName"
$Account = "BuAdmin"
# Connect directly to the ESXi host as root (placeholder password; in production supply credentials via Get-Credential rather than embedding them in the script)
Connect-VIServer -Protocol https -Server $VMHost -User root -Password "YourPassword"
# Create the local user and grant it shell (SSH/DCUI) access
Write-Host "Creating User For: $Account"
New-VMHostAccount -Id $Account -Password "YourNewAccountPassword" -GrantShellAccess
# Assign the built-in Admin role on the host's root folder so the account can manage the whole host
$RootFolder = Get-Folder -Name ha-folder-root
New-VIPermission -Entity $RootFolder -Principal $Account -Role Admin
Disconnect-VIServer $VMHost -Confirm:$false
PowerShell PowerCLI Review VIPermission
$ServerName = "MyVMHostName"
# Connect directly to the ESXi host as root (placeholder password)
Connect-VIServer -Server $ServerName -Protocol https -User root -Password "MyPassword"
# Show the role/permission assigned to the root account
Write-Output "User Account Permissions / Role"
Get-VIPermission -Principal root | Select-Object Principal, Role
# List the roles defined on the ESXi host
Write-Output "List of Permissions / Roles"
Get-VIRole | Select-Object Name | Format-List
# List the local accounts on the ESXi host
Write-Output "List of Local Accounts"
Get-VMHostAccount | Select-Object Name | Format-List
Disconnect-VIServer $ServerName -Confirm:$false
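The two scripts above create the backup admin and then review permissions as separate steps. The following is an added example, not part of the original post, that combines them into one re-runnable script: it prompts for credentials instead of embedding passwords, creates the account and its Admin permission only if they are missing, and then reports whether the end state matches what a backup admin should look like. The host name and account name are placeholders, and the ShellAccessEnabled property on the account object is assumed.

```powershell
# Added example: idempotent create-or-verify of a backup local admin on ESXi.
# Placeholders: host "MyVMHostName", account "BuAdmin".
$VMHost  = "MyVMHostName"
$Account = "BuAdmin"

# Prompt for root credentials and the new account's password; nothing is stored in the script.
$RootCred   = Get-Credential -UserName root -Message "ESXi root credentials for $VMHost"
$NewPw      = Read-Host -AsSecureString -Prompt "Password for $Account"
$NewPwPlain = [System.Net.NetworkCredential]::new('', $NewPw).Password  # New-VMHostAccount takes a string

Connect-VIServer -Server $VMHost -Protocol https -Credential $RootCred | Out-Null
try {
    # 1. Create the account only if it does not already exist (safe to re-run).
    $existing = Get-VMHostAccount -Id $Account -ErrorAction SilentlyContinue
    if (-not $existing) {
        Write-Host "Creating local account $Account"
        New-VMHostAccount -Id $Account -Password $NewPwPlain -Description "Backup admin" -GrantShellAccess | Out-Null
    } else {
        Write-Host "$Account already exists; skipping creation"
    }

    # 2. Grant the Admin role on the host root folder only if no permission is present yet.
    $RootFolder = Get-Folder -Name ha-folder-root
    $perm = Get-VIPermission -Entity $RootFolder -Principal $Account -ErrorAction SilentlyContinue
    if (-not $perm) {
        Write-Host "Granting Admin on $($RootFolder.Name) to $Account"
        New-VIPermission -Entity $RootFolder -Principal $Account -Role (Get-VIRole -Name Admin) -Propagate:$true | Out-Null
    }

    # 3. Verify the end state; Ok is $false if the role or propagation is not what a backup admin needs.
    $check = Get-VIPermission -Entity $RootFolder -Principal $Account
    [PSCustomObject]@{
        Host        = $VMHost
        Account     = $Account
        RoleAtRoot  = $check.Role
        Propagate   = $check.Propagate
        ShellAccess = (Get-VMHostAccount -Id $Account).ShellAccessEnabled  # assumed property name
        Ok          = ($check.Role -eq 'Admin' -and $check.Propagate)
    } | Format-List
}
finally {
    # Always disconnect and drop the plaintext copy of the password.
    Disconnect-VIServer -Server $VMHost -Confirm:$false
    $NewPwPlain = $null
}
```

Run it periodically against each host to confirm the backup admin still exists and still holds Admin at the root folder; an Ok of $false is the signal to investigate who changed the permission.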