Category: Active Directory

Adding LDAP Users to vSphere SSO Groups Using PowerShell

I got a query from a customer how to add a user from an LDAP directory to an SSO group programmatically. There is no support in native PowerCLI for this that I am aware of but there is an open source module called VMware.vSphere.SsoAdmin which can be used to achieve the goal. I checked with my colleague Gary Blake and he had an example in the Power Validated Solutions Module that I was able to reference.

First off you need to install the VMware.vSphere.SsoAdmin module. This can be done from the PowerShell Gallery.

Install-Module VMware.vSphere.SsoAdmin

Once it is installed you can run the following to add an LDAP user to an SSO group

$vcFqdn = 'sfo-m01-vc01.sfo.rainpole.io'
$vcUser = 'administrator@vsphere.local'
$vcPassword = 'VMw@re1!'
$ldapDomain = 'sfo.rainpole.io'
$ldapUser = 'ldap_user'
$ssoDomain = 'vsphere.local'
$ssoGroup = 'administrators'

$ssoConnection = Connect-SsoAdminServer -Server $vcFqdn -User $vcUser -Password $vcPassword -SkipCertificateCheck
$targetGroup = Get-SsoGroup -Domain $ssoDomain -Name $ssoGroup -Server $ssoConnection
$ldapUserToAdd = Get-SsoPersonUser -Domain $ldapDomain -Name $ldapUser -Server $ssoConnection
$ldapUserToAdd | Add-UserToSsoGroup -TargetGroup $targetGroup

Running the code above results in the LDAP user being added to the SSO administrators group

Quick Fix: The trust relationship between this workstation and the primary domain failed…

We’ve all been there…attempt to open an RDP session to a VM you haven’t connected to in a while and you see the message above! Traditionally the fix for this was to log on as a local admin user, remove the VM from the AD domain (add to workgroup), reboot, log in again, add to AD domain, reboot….well here is a quicker way of resolving the issue with PowerShell.

Modify the username, password and domain controller FQDN and save the following as ResetDomainMembership.ps1 and run on the affected VM as a local administrator


$password = "Password123!" | ConvertTo-SecureString -asPlainText -Force
$username = "domain\administrator"
$credential = New-Object System.Management.Automation.PSCredential($username,$password)
Reset-ComputerMachinePassword -Server dc01.domain.local -credential $credential
shutdown -r -t 0

Tip: If you dont want to include the password in the script as this is a security concern you can use a Read-Host command to prompt the user for the password


$password = Read-Host -asSecureString "Please enter the password"

Enable LDAP Auth for RP4VMs

To avoid using local admin accounts it is recommended to integrate RecoverPoint for Virtual Machines (RP4VMs) with AD/LDAP. RP4VMs supports Role Based Access Control (RBAC) where you can create custom roles and assign those custom roles to an AD user or group. To do this you first need to setup LDAP integration. For simplicity this post uses default passwords for the local RP4VM users. Passwords for all local RP users should be changed once the system has been deployed for security reasons.

  1. Connect over SSH to a vRPA in the cluster
  2. Enter username security-admin
  3. Enter the password for the above user (default password is security-admin)
  4. To configure LDAP integration enter config_ldap
  5. To enable Active Directory Support select option 1 and press Enter
  6. Select either LDAP or LDAPs
  7. Enter the primary LDAP server (in my example i use the AD domain as this will allow round robin across all DCs)
  8. Enter the primary LDAP server port
  9. Enter the secondary LDAP server (in my example i left this blank)
  10. Enter the secondary LDAP server port
  11. Enter the base distinguished Name
  12. Enter the search base distinguished name
  13. Enter the bind distinguished name
  14. Enter the password for above AD bind account
  15. Enter a search time limit in seconds. Default is 30. Increase this in larger AD environments

Here is a screenshot of the entire sequence

Once LDAP is configured you then need to create a custom role to assign to an AD user/group.

  1. Connect over SSH to a vRPA in the cluster
  2. Enter username security-admin
  3. Enter the password for the above user (default password is security-admin)
  4. To configure a custom role enter add_role
  5. Enter a name for the new role (e.g. RP4VM_Admins)
  6. Select the desired permissions from the available role permissions. Separate selections with a space
  7. Press Enter when done

Here is a screenshot of the process

Once the role is created you can then assign it to your AD user/group

  1. Connect over SSH to a vRPA in the cluster
  2. Enter username security-admin
  3. Enter the password for the above user (default password is security-admin)
  4. To add a user or group enter add_user (the same function is used to add users & groups)
  5. Select option to add either local user, LDAP user or LDAP group
  6. Enter the username/groupname (sAMAccountName format e.g. the group i am using in this example is called RP4VM_Admins)
  7. Enter the role created previously (e.g. RP4VM_Admins)
  8. For enter group names i tried entering the group name in multiple formats, none of which were accepted so i just hit enter without an entry and it completed
    1. The RP4VM documentation is not clear on what the Group Name field is for but I tested to ensure only users from the desired group have access to the vRPA.

Here is a screenshot of the process

Powershell Script – Create AD OUs/Groups/Users

When planning a build of any kind of environment it is good practice to pre plan all user/service/application accounts that you will need. Now you could manually create each user but you’ve probably got better things to do (Beer anyone?!) so a script to do it all helps right?!

Continue reading “Powershell Script – Create AD OUs/Groups/Users”