Change vCenter Role for a list of VMs

Use case: An existing Active Directory group needs to be re-assigned a different Role with more restrictive permissions on a given list of VMs.

Assumption: The new (restricted) Role has already been created in vCenter. The script below only assigns that existing Role to the listed VMs.

$ADGroup = 'DOMAIN\ADM-VMManagers'
$NewRole = "VMManagers-RestrictedRole"

# Change this variable to the local path to your text list of VMs
$serverList = Get-Content e:\Powershell\RestrictedRoleVMs-list.txt

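# Requires an active Connect-VIServer session.
# Assign the new Role to the AD group directly on each VM in the list.
foreach ($vmName in $serverList) {
    New-VIPermission -Entity $vmName -Principal $ADGroup -Role $NewRole -Propagate:$false -Confirm:$false
}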

To get a list of inventory objects with the new Role assigned:

Get-VIPermission | where { $_.Role -eq 'VMManagers-RestrictedRole' } | Select entity, role, principal
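
A more defensive version of the same change, added here as an example and not part of the original post: it checks that the Role exists, skips list entries that do not resolve to exactly one VM, and reads each permission back so a failed or partial run is visible. It assumes an active Connect-VIServer session and reuses the group, role and file path from the script above; the $report columns are names chosen for this example.

```powershell
# Added example, not the post's original code. Assumes an active Connect-VIServer session.
$ADGroup    = 'DOMAIN\ADM-VMManagers'
$NewRole    = 'VMManagers-RestrictedRole'
$ServerList = 'e:\Powershell\RestrictedRoleVMs-list.txt'

# Stop before touching any VM if the role name is wrong.
$role = Get-VIRole -Name $NewRole -ErrorAction Stop

# Ignore blank lines and stray whitespace in the list file.
$vmNames = Get-Content -Path $ServerList |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ }

$report = foreach ($vmName in $vmNames) {
    $vms = @(Get-VM -Name $vmName -ErrorAction SilentlyContinue)
    if ($vms.Count -ne 1) {
        # 0 matches: typo or removed VM. More than 1: duplicate name or wildcard, do not guess.
        [pscustomobject]@{ VM = $vmName; Status = "Skipped ($($vms.Count) matches)"; Role = $null }
        continue
    }
    $vm = $vms[0]

    try {
        New-VIPermission -Entity $vm -Principal $ADGroup -Role $role `
            -Propagate:$false -Confirm:$false -ErrorAction Stop | Out-Null
    }
    catch {
        [pscustomobject]@{ VM = $vmName; Status = "Failed: $($_.Exception.Message)"; Role = $null }
        continue
    }

    # Read back the permission defined on the VM itself (EntityId equals the VM's Id),
    # so a role granted on a parent folder is not mistaken for the new assignment.
    $direct = Get-VIPermission -Entity $vm -Principal $ADGroup |
        Where-Object { $_.EntityId -eq $vm.Id }

    $status = if ($direct.Role -eq $NewRole) { 'OK' } else { 'Mismatch' }
    [pscustomobject]@{ VM = $vmName; Status = $status; Role = $direct.Role }
}

# Anything other than OK needs a manual look before the change is considered done.
$report | Sort-Object Status, VM | Format-Table -AutoSize
```

Adding -WhatIf to the New-VIPermission call gives a dry run; the read-back will then report Mismatch for every VM, which is expected.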

References: [1], [2]
