PowerCLI

Quick Tip - Listing vSphere Global Permissions using PowerShell

04.07.2025 by William Lam // 10 Comments

Parsing complex HTML is definitely challenging, even with PowerShell. I had hoped to use the free tier of ChatGPT and their latest 4o model to help build a PowerShell function for HTML parsing, but I kept running into system limits and the AI often misunderstood what I was asking for.

I finally gave in and purchased the $20 subscription so that I could expand on my 2017 blog post about automating vSphere Global Permissions and add support for listing global permissions, which came at a request from a recent user.

It turns out calling the private vSphere Global Permissions API via the vSphere MOB to show all current vSphere Global Permissions is extremely difficult due to the complex HTML that is rendered by the vSphere MOB. In fact, it took 25 iterations before I finally arrived at the solution using ChatGPT's 4o model. In several of the iterations, it ended up going backwards in progress, so that was pretty annoying!

Not sure if this is the new fancy "vibe coding" trend that I had experienced ... 😅

[Read more...]

Quick Tip - Which vCenter Server Key Provider (KMS) is a VM using?

03.27.2025 by William Lam // 3 Comments

vCenter Server requires a Key Management Service (KMS) for enabling VM Encryption, vTPM, or vSAN Encryption. Users have the choice of configuring the embedded Native Key Provider (NKP) built into vCenter Server and/or use an external KMS with the Standard Key Provider (SKP) option.

If you have more than one KMS configured in vCenter Server, you can specify one of the KMS key providers to be your default, which will automatically be used for any KMS-related activities. You can switch between the default KMS key provider and you can certainly specify a specific KMS key provider when using the vSphere API to provision a VM that will leverage VM encryption.

So how do you figure out which KMS key provider a VM is using?

[Read more...]

Quick Tip - Audit vCenter Server Role & Permission Usage

02.26.2025 by William Lam // 2 Comments

vCenter Server ships out of the box a number of system and custom roles, which can be used or users can create their own custom roles containing the required privileges. If you wanted to understand which roles are actively being used, the following PowerCLI snippet can help provide insights to roles that have been assigned. Furthermore, the script will also output to a file, that contains all he privileges defined for the vCenter Roles that are in active use.

$roles = Get-VIRole
$permissions = Get-VIPermission

$results = @{}
foreach ($permission in $permissions) {
    $role = $permission.Role
    if($results.ContainsKey($role)) {
        $results[$role]+=1
    } else {
        $results[$role]=1
    }
}

Write-Host "`nTotal Roles: $($roles.count)"
Write-Host "Total Roles Used: $($results.count)"
Write-Host "Role Usage:"

$results.GetEnumerator() | Sort-Object -Property Value -Descending

$outfile = "used-roles.txt"
foreach ($key in $results.keys) {
    $role = Get-VIRole $key
    if(!$role.IsSystem) {
        $key | Out-File -Append -LiteralPath $outfile
        "=========================================================" | Out-File -Append -FilePath $outfile
        $role.ExtensionData.Privilege | Out-File -Append -LiteralPath $outfile
        "" | Out-File -Append -LiteralPath $outfile
    }
}

Here is an example output of running the script:

Here is an example output from used-roles.txt file that is generated, which contains the list of privileges for each role that is in use: