Tag Archives: vcenter

PowerCLI: Script to reboot each ESXi hosts

I realized that having done this for a few year, I never really nailed down a script to do this properly. It is very common as a vSphere admin to have to reboot your ESXi hosts after a configuration change or for patching.

Below is a first draft, not pretty code-wise but its a working operational script. I hope to improve on it over time. The basic flow of the script is as follows:

  • You establish a connection to the vCenter server first before running the script
  • You submit an input file which is list of ESXi host names
  • The script reads the list and does the following for each host
    • Sets the host in maintenance mode and counts down to 30 minutes. If the hosts does not get into maintenance mode by then the script terminates and you need to figure out why.
    • If the host goes into maintenance mode, it then force reboots the hosts and waits for 30 minutes again. Again if the host doesn’t come up by 30 minutes, the script terminates and you need to fix the host issue.
    • Lastly, once the host is back online, it sets the host to connected state and works on the next host in the loop.

Read the rest of this entry »

Leave a comment

Posted by on November 5, 2017 in powershell, vmware


Tags: , ,

VMware: Goodbye to the fat client

For the longest time VMware administrators have been using the C# VSphere clients or “fat client”. Over the years, it continues to plague us with hidden confirmation dialog boxes, error dialog boxes that pop-up continuously, version incompatibilities on the same computer and application crashes.

Worst of all are the need to test, package and supply new versions of the client whenever the infrastructure is upgrade. Its not a big deal if the only persons to use it are your own VMware administrators. But in big organisation with VDI in the mix, you need to hand off new versions to desktop support and even end users themselves. Worst of all, is the need for a clean uninstall of the older versions before the new versions can be installed or else you may end up with knackered computer which won’t run either versions. Read the rest of this entry »

Leave a comment

Posted by on May 20, 2016 in vmware


Tags: ,

vCenter Server Appliance 6.0 with vPostgres

Good news to some folks is that vCenter Server Appliance 6.0 is now on par with its former enterprise siblings, namely, vCenter on Windows + SQL or vCSA with Oracle.

For big enterprises, it is very common to install vCenter into a Windows machine and setting up the databases with your DBA admins on SQL. One of the main problem with this is the process of getting a database or expanding databases when you run of out of space. It can take time to setup a new vCenter or you often end up expanding the databases with an incident ticket. The other problem is that because the SQL database is managed by the DBA team, you are dependent on that team’s effectiveness to keep your vCenter running. There are times within busy periods of a DBA teams where you might find the vCenter service stopping or failing due to a stuck job or running out of space on SQL but your team was not alerted in time causing an incident.

Thus running your own vCSA, if you have a big enough cloud team, is probably a better solution in keep the lights up for your vCenter server, especially if they are consumed by VDI/Desktop teams and workflow applications like Orchestrator.

Of course, the challenge for Windows folks like me is having to master a new Linux OS and vPostgres database for optimization and troubleshooting. But these are alwasy good challenges to have.

Leave a comment

Posted by on March 23, 2016 in vmware


Tags: , ,

PowerCLI: Managing roles, permissions and privileges in vCenters

The following scripts allows you to add new roles, new permissions and add/remove privileges from existing roles in your vcenters. This is useful if you need to modify the role bases access control (RBAC) of a list of your vCenters. For new permission, I have defaulted to add them at the root folder AKA VC level and set to propagate, since this is the most common requirement. You can modify it for more flexibility as required.

The format of the XML file looks like this. ¬†Do remember that many privileges are related, so setting just one may not be enough, you must test it out first before rollout. For example, to provide privilege for a role to delte alarm you need two privileges, “Remove alarm” & “Set alarm status”. Also notice that privilege ID is used instead of full description this is a less error prone approach.

To get the privilege ID, run “get-viprivilege “privilege name” | ft name, id

<?xml version="1.0" encoding="utf-8" ?>
Role action: valid verbs = AddRole, Add, Remove
   <vCenter Name="vcenter1"></vCenter>
   <Role Name="Role1" Action="Remove">
   <Role Name="Role2" Action="Add">
   <Role Name="TEST2" Action="AddRole">
   <Permission Principal="\user1" Role="TEST2" />

The script is below loops through the xml and does work accordingly. The logging is very basic, you can have more error trapping if you want and better logging functions.


   Script to add roles, permissions and add/remove privileges in vCenters

   This script is used to add new roles, add new permission and update (add/remove) privileges for roles already defined in vCenters. For new permissions, it will default to root folder (i.e. VC level) and propagate.

 .PARAMETER rbacxml
   XML file that contains required updates (read XML file for format)

   # Update roles in XML file
   Update-RBAC.ps1 .\rbac.xml


[string]$ScriptPath = Split-Path -Path $MyInvocation.MyCommand.Path -Parent
[string]$ScriptFile = Split-path -Path $MyInvocation.MyCommand.Path -Leaf
[string]$ScriptName = []::GetFilenameWithoutExtension($ScriptFile)
[string]$LogFileName = "$ScriptName-" + (Get-Date -Format "yyyyMMdd_HHmmss") + ".log"
[string]$LogFile = Join-Path $ScriptPath "$LogFileName"

[xml]$rbac = get-content $rbacxml ;

if ($global:defaultviservers.count -gt 0) { disconnect-viserver * -confirm:$false -force }

foreach ( $vc in $rbac.inventory.vcenters.vcenter) {
  connect-viserver $
  " ***** $($ **** " | out-file $Logfile -append

  foreach ( $role in $rbac.inventory.roles.role) {

    if ($role.action -match "addrole") {

      # Only need to add new role once
      if ((Get-virole $ -ea silentlycontinue).name -ne $ {
        "Role = $($ Adding New role"
        New-VIRole $ -ea silentlycontinue | out-null
        if ($error.count -eq 0) { "SUCCESS: Add Role = $($" | out-file $LogFile -append }
        else { "ERROR Adding New Role: Role = $($" | out-file $LogFile -append }

    # Only apply if the role is valid for this vCenter
    if (get-virole $ -server $ -ea silentlycontinue) { 

      foreach ($privilege in $role.privilege) {
        if ($role.action -match "add") {
          "Role = $($ Adding Privilege = $privilege"
          Set-VIRole -Role $ -AddPrivilege (Get-VIPrivilege -id $privilege) -ea silentlycontinue | out-null
          if ($error.count -eq 0) { "SUCCESS: Role = $($, AddPrivilege = $privilege" | out-file $LogFile -append }
          else { "ERROR Adding privilege: Role = $($, AddPrivilege = $privilege" | out-file $LogFile -append }
        elseif ($role.action -match "remove") {
          "Role = $($ Removing Privilege = $privilege"
          Set-VIRole -Role $ -RemovePrivilege (Get-VIPrivilege -id $privilege) -ea silentlycontinue | out-null
          if ($error.count -eq 0) { "SUCCESS: Role = $($, RemovePrivilege = $privilege" | out-file $LogFile -append }
          else { "ERROR Removing privilege: Role = $($, RemovePrivilege = $privilege" | out-file $LogFile -append }

 foreach ( $perm in $rbac.inventory.permissions.permission) {

   if ($perm.role) {
     "New Permission: Principal = $($perm.principal), Role = $($perm.role)"
     New-VIPermission -role $perm.role -principal $perm.principal -entity (get-folder -NoRecursion) -Propagate $true -ea SilentlyContinue | out-null
     if ($error.count -eq 0) { "SUCCESS: Permission added for: Principal = $($perm.principal), Role = $($perm.role), entity = root, propagate = true" | out-file $LogFile -append }
     else { "ERROR Adding permission: Principal = $($perm.principal), Role = $($perm.role)" | out-file $LogFile -append }

 disconnect-viserver $ -confirm:$false -force


"Please checke $Logfile for complete status"

Leave a comment

Posted by on March 12, 2015 in powershell, Scripts, vmware


Tags: ,

VMware: ESXi host have permission error in hardware status and inventory not foun

Recently, one of the ESXi host went down due to a hardware issue, but after we recovered the host and reconnected the host, I get the following error:

– In Hardware status page, I get “you do not have permission for this command”
– In inventory search, I can find the ESXi host, but when I click to it, it says “This entity does not exist in vCenterXXXXX” Read the rest of this entry »

Leave a comment

Posted by on July 25, 2013 in vmware


Tags: , ,