vsphere web client

How to restrict vSphere UI access while maintaining vSphere API functionality?

06.08.2021 by William Lam // 2 Comments

Although I come across a fair amount of interesting and challenging questions posed by our customers, I have to say this is certainly one of the more stranger question that continues to surface every so often. The question itself is fairly straight forward, but what I find strange is the reasoning and justifications for needing such a solution.

In case the title was not a give away, the question is having the ability to restrict a set of user(s) from the vSphere UI while still allowing access to the vSphere API for these same user(s). To be clear, the behavior of vSphere is that if you have vSphere UI access, then you also have vSphere API access which is all based on the permissions a user or group has been granted. There is no way to distinguish or limit access between these interfaces including any vSphere SDK or PowerCLI usage which also relies on vSphere API access.

There may be valid use cases for needing such a capability, however from my experience in talking with our customers and field, it feels like this is an attempt to solve organizational and/or process issues. Let give you a few examples that I have come across over the years:

I need to prevent [team|individual] from using the vSphere UI, because they are not using the internal provisioning tools we have built
I need to prevent [team|individual] from using the vSphere UI, because they need to learn how to automate using the vSphere API
I need to prevent [individual] in [team] from using the vSphere UI, because they are making changes to VMs without filing support tickets
I need to prevent [individual] on my [team] from using the vSphere UI, because they are bypassing our change control policies

[Read more...]

Why does Deploy OVF Template operation show vpxd-extension-[uuid]?

04.26.2021 by William Lam // 4 Comments

A question that I had received awhile ago from a customer was how to identify the specific user(s) who have deployed an OVF/OVA? Customers can easily do this by leveraging vCenter Serve Events, which are extremely rich with information that can help answer this and many other questions you might have in your vSphere enviornment.

The first challenge that you will find is that an OVF/OVA import operation is mapped to a generic vCenter TaskEvent, which will require some additional filtering. Secondly, depending on the method that was used to deploy the OVF/OVA such as the vSphere UI or using Automation tools like OVFTool or PowerCLI, you will also slightly diffrent behaviors in terms of the vCenter Server Events that are emitted.

If you deploy an OVF/OVA using the vSphere UI, you may have noticed there are actually two vCenter tasks which are displayed and running simultaneously as shown in the screenshot above. The first task is called "Import OVF package" and you will see that this task is associated with the actual user who initiated the import. The second task called "Deploy OVF template" is then associated with a vCenter system account that handles the actual deployment which will show up with a vpxd-extension-[uuid] username. This occurs because the user who is performing the import is not interacting directly with with vCenter Server, but rather through the vSphere UI which uses a system account to then communicate the operation to vCenter Server.

For this reason, when an OVF/OVA is imported through the vSphere UI, you will need to look at the TaskEvent and filter for the initial import operation. If an OVF/OVA is imported using the vSphere API using something like OVFTool, PowerCLI or any other vSphere SDK, then you will only see the Deploy OVF Template operation and the user associated with that operation is the person who initiated the import.

Using PowerCLI and the Get-VIEvent cmdlet, we can easily filter out these two types of TaskEvents.

Get-VIEvent | where {$_.GetType().Name -eq "TaskEvent" -and $_.FullFormattedMessage -eq "Task: Import OVF package"}

Info                 : VMware.Vim.TaskInfo
Key                  : 2036862
ChainId              : 2036862
CreatedTime          : 4/23/2021 9:30:36 AM
UserName             : vsphere.local\william
Datacenter           : VMware.Vim.DatacenterEventArgument
ComputeResource      : VMware.Vim.ComputeResourceEventArgument
Host                 :
Vm                   :
Ds                   :
Net                  :
Dvs                  :
FullFormattedMessage : Task: Import OVF package
ChangeTag            :

Get-VIEvent | where {$_.GetType().Name -eq "TaskEvent" -and $_.FullFormattedMessage -eq "Task: Import OVF package"}

Info                 : VMware.Vim.TaskInfo
Key                  : 2036869
ChainId              : 2036869
CreatedTime          : 4/23/2021 9:31:01 AM
UserName             : VSPHERE.LOCAL\vpxd-extension-767f8016-870d-4a98-a457-8247454fa759
Datacenter           : VMware.Vim.DatacenterEventArgument
ComputeResource      : VMware.Vim.ComputeResourceEventArgument
Host                 :
Vm                   :
Ds                   :
Net                  :
Dvs                  :
FullFormattedMessage : Task: Deploy OVF template
ChangeTag            :

Adding a customized notification banner in the vSphere UI

03.18.2021 by William Lam // 1 Comment

I was recently reminded of an old vCenter Server feature called Message of the Day (MOTD) that I had used quite extensively when I was a customer to easily communicate upcoming patch windows, downtime, updates and other interesting news to my internal users. Back in the day, the vSphere UI was known as the VI Client (C# Client or Thick Client) and once the MOTD is configured, users logging in would see this this custom notification banner across their UI Client.

It has been ages since I had used vCenter's MOTD feature but after sharing this tidbit on Twitter yesterday, I found a mix of folks that were still using this awesome feature including a VMware Cloud on AWS use case to that helped them easily identify a particular environments to users who was just learning about this feature for the first time.

Used this in @vmwarecloudaws to easily identify different environments e.g. Sandbox from Production https://t.co/bu2eaGMJw6 pic.twitter.com/6dMNb940Gb

— Mark McGilly (@MarkMcG_Bel) March 17, 2021

In addition to bringing some awareness to this oldie but goodie feature of vCenter Server, I also wanted to share some details on how you might automate this as I had a few questions about this on Twitter.

Here is a screenshot of my vSphere 7.0 Update 2 environment which has been configured with an MOTD and you can see that it can also properly render emojis, so you can certainly have some fun here 🙂

To configure an MOTD, click on the vCenter Server inventory object and then navigate to Configure->Settings->Message of Day and set or disable the message.

For those that wish to configure the MOTD programmatically, you can do so using the vSphere API with your favorite vSphere SDK of your choice including PowerCLI. You will need to use the UpdateServiceMessage() method which is part of the SessionManager object.

If you wish to view or check whether an MOTD is configured, the following PowerCLI snippet can be used:

Get-AdvancedSetting -Entity $global:DefaultVIServer -Name vpxd.motd | select Value

However, to configure the MOTD, you can NOT use the Set-AdvancedSetting cmdlet as the advanced setting is a read only value and you must use the vSphere API directly.

Using PowerCLI, here is how to view the current MOTD:

$sm = Get-View $global:DefaultVIServer.ExtensionData.Content.SessionManager
$sm.Message

Using PowerCLI, here is how to update/change the MOTD:

$motd = "🚨This is William Lam's environment, it is NOT supported. Use at your own risk 😎"
$sm = Get-View $global:DefaultVIServer.ExtensionData.Content.SessionManager
$sm.UpdateServiceMessage($motd)