Batch Changing ESXi Root Passwords
One of my customers wanted to reset the root password on all of their ESXi servers. This can be easily done through a Host Profile (which is particularly useful if you don’t know the root password), but that would require putting the hosts into maintenance mode and waiting for all of those vMotions to apply. There’s no need to put a host into maintenance mode just to change the root password, and so we looked for a better solution.
Jeff found the PowerCLI cmdlet, set-vmhostaccount, and with that, we went to work. The script is actually really simple – it just connects to the ESXi host, then uses the set-vmhostaccount cmdlet to change the password, and records the change.
For flexibility, I included a few variables as parameters. You may want to select only a subset of ESXi servers, and so there are both -hostSuffix and -hostPrefix parameters. If the hosts that you want to target are all called Sac-ESX#.lab.local and the production hosts that you’re not yet ready to touch are all Sac-ESX#.prod.local, you could use the -hostSuffix parameter and specify “.lab.local” in order to only target those hosts. If you also had a bunch of SF-ESX#.lab.local hosts that you didn’t want to touch, you could add in the -hostPrefix parameter and specify “SAC” as the prefix. As you can see, that first real command in there gets all hosts that start with the prefix and end with the suffix, with anything in between.
There are also -oldPass and -passString parameters. The -oldPass parameter allows you to specify the old root password. This is required, as the set-vmhostaccount cmdlet requires a direct connection to the ESXi host, rather than a connection that is proxied through vCenter. The -passString parameter is the new password that you want to use for all of the ESXi hosts. I included an example of a complex password in there with a double quote in the password, as that’s a handy trick for easily escaping the meaning of most special characters. The whole thing could have been in single quotes, but splitting it up that way allows for the possibility of using a variable in other parts of the password.
The last line of the foreach loop "cmd /C pause" generates a "press any key to continue..." prompt. It's functionally identical to using "read-host press any key to continue..." except that it's shorter to type and doesn't put a colon at the end of the prompt (thanks for the tip, Jeff!). I put that in there so that the script would pause after each password reset so that I could watch it for errors. When running a potentially scary script like this in a large environment, I figured that it's better to be safe than sorry!
That’s pretty much it. Just call change-password.ps1 -oldPass OldPassword -passString NewPassword and it will go through and attempt to change the passwords for all ESXi hosts in your inventory. As always, be careful with any scripts that you find on the internet and just because this worked for me, that’s no guarantee that it’ll work for you. Test thoroughly, and if you fix anything, please share what you find!
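The script itself is not reproduced on this page, so here is an added PowerCLI example (not the author's original script) that follows the flow described above: filter the inventory by prefix and suffix, connect directly to each host as root with the old password, run Set-VMHostAccount, record the result, and pause after each host. It assumes you have already run Connect-VIServer against vCenter so Get-VMHost can list the hosts; the $logFile name and the log format are my assumptions, and the new password is deliberately never written to the log.

```powershell
# change-password.ps1 (added example, not the author's script)
param(
    [Parameter(Mandatory = $true)][string]$oldPass,     # current root password (direct host login)
    [Parameter(Mandatory = $true)][string]$passString,  # new root password for every targeted host
    [string]$hostPrefix = "",
    [string]$hostSuffix = "",
    [string]$logFile = ".\change-password.log"          # assumed name for the change record
)

# Requires an existing vCenter session (Connect-VIServer <vcenter>) so the inventory is visible.
# "$hostPrefix*$hostSuffix" matches hosts that start with the prefix and end with the suffix.
$targets = Get-VMHost | Where-Object { $_.Name -like "$hostPrefix*$hostSuffix" }

foreach ($vmhost in $targets) {
    Write-Host "Changing root password on $($vmhost.Name)"
    $conn = $null
    try {
        # Set-VMHostAccount only works on a direct host connection, not through vCenter,
        # which is why the old password is needed here.
        $conn = Connect-VIServer -Server $vmhost.Name -User root -Password $oldPass -ErrorAction Stop
        $root = Get-VMHostAccount -Server $conn -User -Id root -ErrorAction Stop
        Set-VMHostAccount -Server $conn -UserAccount $root -Password $passString -ErrorAction Stop | Out-Null
        # Record only the host and outcome; never the password itself.
        "$(Get-Date -Format s) $($vmhost.Name) SUCCESS" | Out-File -FilePath $logFile -Append
    }
    catch {
        "$(Get-Date -Format s) $($vmhost.Name) FAILED: $($_.Exception.Message)" | Out-File -FilePath $logFile -Append
        Write-Warning "Failed on $($vmhost.Name): $($_.Exception.Message)"
    }
    finally {
        # Drop the per-host session so later cmdlets keep using the vCenter session.
        if ($conn) { Disconnect-VIServer -Server $conn -Confirm:$false }
    }
    cmd /C pause   # "Press any key to continue..." so each host's result can be checked before moving on
}
```

A host whose old password does not match simply fails Connect-VIServer and is logged as FAILED, so the loop continues with the next host instead of aborting the whole run.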