Thanks for the -confirm:$false statement. But I am still receiving an error on one of my servers everytime I run the script. Like I said before, the root password gets changed but the scripts errors out with this generic message:

"8/22/2008 2:10:28 PM Set-VMHostAccount 52280058-279b-c599-85b6-f1a1a8e22ac7 Access to perform the operation was denied. "

Obviously Access is denied is the issue but if that were the case, why is the password being reset?

I've tried using the -ErrorAction silentlycontinue option but that doesn't work.

Any ideas?

Is there anything in one of the ESX logs ?

You could do

tail -f /var/log/messages

on the ESX server in question.

Do you get a message when you change the root password directly from the console ?

When I change the password on the ESX host itself, there are no errors. We have ~ 80 hosts and I am trying to get away from manually changing every server.

# passwd root

Changing password for user root.

New UNIX password:

Retype new UNIX password:

passwd: all authentication tokens updated successfully.

As you can see, I've tried this many times today:

# cat messages | grep passwd

Aug 21 15:27:02 stpvmwinf041 passwd(pam_unix)[24636]: password changed for root

Aug 21 16:39:22 stpvmwinf041 passwd(pam_unix)[5052]: password changed for root

Aug 21 16:41:08 stpvmwinf041 passwd(pam_unix)[6023]: password changed for root

Aug 21 17:03:45 stpvmwinf041 passwd(pam_unix)[20480]: password changed for root

Aug 22 13:29:59 stpvmwinf041 passwd(pam_unix)[3614]: password changed for root

Aug 22 13:35:07 stpvmwinf041 passwd(pam_unix)[6954]: password changed for root

Aug 22 14:02:14 stpvmwinf041 passwd(pam_unix)[24116]: password changed for root

Aug 22 14:05:51 stpvmwinf041 passwd(pam_unix)[26081]: password changed for root

Aug 22 14:06:38 stpvmwinf041 passwd(pam_unix)[26810]: password changed for root

Aug 22 14:09:17 stpvmwinf041 passwd(pam_unix)[28430]: password changed for root

Aug 22 14:10:28 stpvmwinf041 passwd(pam_unix)[29077]: password changed for root

Aug 22 14:31:31 stpvmwinf041 passwd(pam_unix)[9829]: password changed for root

Aug 22 14:32:19 stpvmwinf041 passwd(pam_unix)[10472]: password changed for root

Aug 22 15:12:39 stpvmwinf041 passwd(pam_unix)[3083]: password changed for root

Aug 22 15:15:49 stpvmwinf041 passwd(pam_unix)[5104]: password changed for root

I just did a few tests and I see errors from the vmware-authd daemon.

Do you see these messages as well in the /var/log/messages file ?

Could that be a possible explanation ?

Perhaps vmware-authd is still trying to connect with the "old" root password.

I've tried using the -ErrorAction silentlycontinue option but that doesn't work.

When this happens you need to use PowerShell's trap keyword to define what happens when an exception is thrown. If you juse do "trap " then it should do what you want. You can read more about it here: http://huddledmasses.org/trap-exception-in-powershell/

Author of the upcoming book: Managing VMware Infrastructure with PowerShell

Co-Host, PowerScripting Podcast (http://powerscripting.net)

Aug 22 14:02:14 stpvmwinf041 vmware-hostd[30534]: Accepted password for user root from 127.0.0.1

Aug 22 14:02:14 stpvmwinf041 passwd(pam_unix)[24116]: password changed for root

Aug 22 14:03:09 stpvmwinf041 vmware-authd(pam_unix)[30534]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root

Aug 22 14:03:11 stpvmwinf041 vmware-hostd[30534]: Rejected password for user root from 127.0.0.1

Aug 22 14:04:03 stpvmwinf041 vmware-authd(pam_unix)[30534]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root

I am seeing exactly what you are. So the first line shows the host accepting the root password vi the connect-viserver in the script. The second line is the accepting the root password change via set-vmhostaccount. And then the vmware-authd authentication failure. Do I need to change the root password value in the Virtual Center database? I believe that is what causing the following:

Aug 22 14:03:11 stpvmwinf041 vmware-hostd[30534]: Rejected password for user root from 127.0.0.1

Since the vmware-authd daemon is responsible for authenticating incoming requests I suspect changing the root password in the VC could solve the problem.

But that probably doesn't solve the problem you are experiencing.

And furthermore how are you going to change the root password in the VC from within PS ?

I would appreciate some feedback on this from the knowledgeable VMware people.

Is this a "gotcha" for this cmdlet ?

LucD,

If I remember correctly, there is no need to modify the root password in Virtual Center because VC doesn't use the account after the intial host additon. There is an account or service that VC uses going forward. So I was wrong previously by saying we needed to update the VC database.

Can someone please give us more insite on the account create initially by VC on the host?

I am going to use the Trap command and will reply with my findings.

Thanks, BR.

Also one more question.

The hosts on this VC range from 3.0.1, 3.0.2 to 3.5. Does this matter? And I don't have the VI Toolit installed on the VC server itself, will this be an issue?

You are right. I was just reading up on the same subject.

And what about the Disconnect-VIServer cmdlet.

Is that perhaps using cached info from the Connect-VIServer ?

Could that explain why the problem manifests itself with the Disconnect-VIServer cmdlet ?

I could use disconnect-viserver $defaultviserver which would definitely drop the current host. Let me try that and let you know how it goes. Maybe I need to put in a sleep command after the password reset to allow the host some time?

Anymore ideas?

Just wanted to let you know this script works, just not on 3.0.1 systems.

Thanks,

BR