On ESXi hosts before 5.5 there is only one account with full admin privilege, and that is the root account. In the financial sector, for example at a bank, you are required to use a password broker to manage your root password: you check the initial root password in to the broker (such as CyberArk) and it resets the password regularly. When you need to perform work on a host using the root password, you have to check the password out with dual authentication. Of course, this makes life hard for us admins when we need to perform bulk work that requires root passwords, for example having to move hundreds of hosts from one vCenter to another.
I use the one-liner below to verify whether a host is still using the default root password (which was standardized previously). This is useful as part of audit remediation, since some hosts may be rebuilt after an issue and the root password is never re-checked in to the broker to be managed. One caveat I found: within the same PowerCLI session, you should not be logged into any of the vCenters that manage the hosts (via connect-viserver) before running this. The h.csv file is just a list of host names with "name" as the column header.
import-csv .\h.csv | %{ $err = @() ; connect-viserver $_.name -user root -password "default" -EA silentlycontinue -EV err ; if ($err.count -gt 0) { $_.name | out-file .\hosts_std_root.txt -append } else {disconnect-viserver $_.name -force -confirm:$false} }
I use the one-liner below to test each ESXi host before I start work, AFTER checking out each root password. The creds.csv file is a list of name,password.
dir creds.csv | % {import-csv .\$($_.name) | %{ $err = @() ; connect-viserver $_.name -user root -password $_.password -EA silentlycontinue -EV err ; if ($err.count -gt 0) { $_.name | out-file .\esx_wrong_root.txt -append } else {disconnect-viserver $_.name -force -confirm:$false} }}
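The two one-liners above share the same shape (try a root login, record the outcome, disconnect on success), so here is a single readable function that serves both audits. This is an added example, not the post's own code; it assumes VMware PowerCLI is loaded, that h.csv and creds.csv exist as described in the post, and that "CHANGEME-default" stands in for the site's old standard root password. Function and property names are my own choice.

```powershell
# Added example (not from the original post). Assumes VMware PowerCLI is
# loaded in the session and that the CSV files exist as described above.

function Test-EsxiRootLogin {
    <#
      Try a root login against each host piped in and emit one record per host
      with LoginOk = $true/$false. -NotDefault keeps the connection out of
      $global:DefaultVIServers; successful logins are disconnected at once.
    #>
    [CmdletBinding()]
    param(
        # Accepts the "name" column of h.csv / creds.csv directly from the pipeline.
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [Alias('name')] [string]$HostName,
        # Accepts the "password" column of creds.csv, or a value injected per row.
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$Password
    )
    begin {
        # The caveat from the post: an open vCenter session in this PowerCLI
        # session interferes with per-host logins, so refuse to run while one exists.
        if ($global:DefaultVIServers.Count -gt 0) {
            throw "Disconnect from $($global:DefaultVIServers -join ', ') before running this audit."
        }
        # Self-signed host certificates must not be mistaken for wrong passwords;
        # check the PowerCLI setting before the run rather than guessing afterwards.
        $certAction = (Get-PowerCLIConfiguration -Scope Session).InvalidCertificateAction
        Write-Verbose "InvalidCertificateAction for this session: $certAction"
    }
    process {
        $record = [pscustomobject]@{ Host = $HostName; LoginOk = $false; Error = $null }
        try {
            $srv = Connect-VIServer -Server $HostName -User root -Password $Password `
                                    -NotDefault -ErrorAction Stop
            $record.LoginOk = $true
            Disconnect-VIServer -Server $srv -Force -Confirm:$false
        } catch {
            # Wrong password, unreachable host or certificate refusal all land here;
            # the message is kept so the audit can tell them apart.
            $record.Error = $_.Exception.Message
        }
        $record
    }
}

# Audit 1: which hosts still accept the old standard root password?
# The password value is a placeholder for the site's previous default.
$oldDefault = 'CHANGEME-default'
$defaultAudit = Import-Csv .\h.csv |
    Select-Object name, @{ n = 'password'; e = { $oldDefault } } |
    Test-EsxiRootLogin
# Hosts with LoginOk = $true were never re-checked in to the broker.
$defaultAudit | Where-Object LoginOk | Select-Object -ExpandProperty Host |
    Out-File .\hosts_still_default_root.txt

# Audit 2: do the passwords checked out of the broker actually work?
$credAudit = Import-Csv .\creds.csv | Test-EsxiRootLogin
$credAudit | Where-Object { -not $_.LoginOk } |
    Export-Csv .\esx_wrong_root.csv -NoTypeInformation
```

Because every record carries the error text, a host that is simply powered off or rejecting the certificate is no longer indistinguishable from one with a wrong password. Run each audit once per host: newer ESXi releases lock the root account after a configurable number of failed logins, and a lockout would turn a password check into an outage.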
Harel
June 22, 2015 at 4:02 am
Excellent post. I used this one-liner to create a multi-threaded script:
http://serv.co/blog/check-root-password-with-powercli-multi-threading/