For security reasons one of my customers has Lockdown Mode activated on all their ESXi servers. Unfortunately, with vSphere 5.5 at least, there is no way to configure Lockdown Mode through a host profile, so you have to enable it manually on each ESXi host you add to vCenter.
Whenever an administrator wants to manage something over SSH or with the vSphere Client directly on an ESXi host, they first have to disable Lockdown Mode. Often they forget to enable it again afterwards.
For this reason I created this script, which is scheduled on the vCenter Server with the Windows Task Scheduler. It checks every ESXi host for Lockdown Mode and, where it is disabled, enables it.
As a "nice to have", after every run it sends an email listing the hosts that were configured. If no ESXi host needed configuring, it sends an email saying everything is OK.
You just have to edit the first six variables with your system information and it works.
Please be aware that I haven't implemented any error handling in the script. It's just a quick and dirty script for my own use.
Feel free to use it and share it.
```powershell
#custom vars +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
$vCenterServer = 'localhost'
$Subject       = 'Daily LockDownMode-Test'
$Recipient     = 'your@emailaddress.com'
$BCC           = 'yoursecond@emailaddress.com'
$EMailDomain   = 'emailaddress.com'
$SMTPServer    = 'smtp.emailaddress.com'

#global vars +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[array]$global:AllHosts = @()

#functions +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

#function to load the VMware PowerCLI snapin if it is not loaded yet
function LoadSnapin {
    param ($Snapin)
    process {
        If ((Get-PSSnapin $Snapin -ErrorAction SilentlyContinue) -eq $null) {
            Write-Host "Loading Snapin $Snapin"
            Add-PSSnapin $Snapin -WarningAction SilentlyContinue
        }
    }
}

#function to connect to the vCenter Server
function ConnectVI {
    param ($vCenterServer)
    Write-Host "Connecting to vCenter $vCenterServer"
    Connect-VIServer $vCenterServer -WarningAction SilentlyContinue
}

#function to disconnect from the vCenter Server
function DisconnectVI {
    param ($vCenterServer)
    Write-Host "Disconnecting from vCenter $vCenterServer"
    Disconnect-VIServer $vCenterServer -Confirm:$false -WarningAction SilentlyContinue
}

#function to get all ESXi hosts in the environment as HostSystem views
function Get-LockDownModeState {
    Write-Host 'Getting all ESX-Hosts from your environment'
    $global:AllHosts = Get-VMHost | Get-View
    #Troubleshooting Output
    #$AllHosts | Select Name, @{N='LockDownActivated';E={$_.Config.AdminDisabled}}
}

#function to enable Lockdown Mode on every host where it is off and mail the result
function Set-LockDownModeState {
    Write-Host 'Getting all ESX-Hosts which have no LockDown enabled'
    # Config.AdminDisabled is a boolean: $true means Lockdown Mode is on
    $AllHostsToSet = $AllHosts | ?{ $_.Config.AdminDisabled -eq $false }
    #Troubleshooting Output
    #$AllHostsToSet | select Name
    $From = "$env:COMPUTERNAME@$EMailDomain"
    if (!$AllHostsToSet) {
        Write-Host 'All hosts have the Lockdown Mode activated'
        Send-MailMessage -Body "All Hosts have the Lockdown Mode activated" -From $From -SmtpServer $SMTPServer -Subject $Subject -To $Recipient -Bcc $BCC -Priority Low
        #exit 0
    }
    else {
        Write-Host 'Each ESX-Server will be configured now'
        [array]$Bodyoutput = @()
        foreach ($ESX in $AllHostsToSet) {
            #Troubleshooting Output
            #Write-Host $ESX.Name
            $ESX.EnterLockdownMode()
            $Bodyoutput += $ESX.Name
        }
        $Bodyoutput
        Send-MailMessage -Body "Those Servers have been configured: $Bodyoutput" -From $From -SmtpServer $SMTPServer -Subject $Subject -To $Recipient -Bcc $BCC -Priority High
    }
}

# Main ++++++++++++++++++++++++++++++++++++++++++++++
LoadSnapin 'VMware.VimAutomation.Core'
ConnectVI $vCenterServer
Get-LockDownModeState
Set-LockDownModeState
DisconnectVI $vCenterServer
exit 0
```
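The script above deliberately has no error handling, so one host that is disconnected or whose EnterLockdownMode() call fails will abort the whole run and the remaining hosts stay unlocked. The following is an added example, not part of the original script, showing the same check with per-host error handling, a confirmation re-read of Config.AdminDisabled after enabling, and a -ReportOnly switch for auditing without changing anything. It uses the same PowerCLI cmdlets and the same HostSystem property as the original; it assumes PowerCLI is loaded and Connect-VIServer has already been run, and the function name Test-LockdownCompliance is my own choice.

```powershell
# Added example (not the original script): Lockdown Mode compliance check with
# per-host error handling and a report-only mode.
# Assumes: PowerCLI loaded and an active Connect-VIServer session.
param(
    [switch]$ReportOnly   # list non-compliant hosts without touching them
)

function Test-LockdownCompliance {
    # Returns one record per host: name, connection state, lockdown flag,
    # the action taken and any error text from the API call
    $results = @()
    foreach ($vmhost in (Get-VMHost | Sort-Object Name)) {
        $view   = $vmhost | Get-View
        $record = [pscustomobject]@{
            Name     = $vmhost.Name
            State    = $vmhost.ConnectionState
            Lockdown = $view.Config.AdminDisabled   # $true = Lockdown Mode on
            Action   = 'none'
            Error    = ''
        }

        if ($vmhost.ConnectionState -ne 'Connected') {
            # A disconnected or maintenance host cannot be changed; report it
            # instead of letting the API call abort the whole run
            $record.Action = 'skipped (not connected)'
        }
        elseif (-not $view.Config.AdminDisabled) {
            if ($ReportOnly) {
                $record.Action = 'would enable'
            }
            else {
                try {
                    $view.EnterLockdownMode()
                    # Re-read the property so the report reflects the real state
                    $view.UpdateViewData('Config.AdminDisabled')
                    $record.Lockdown = $view.Config.AdminDisabled
                    $record.Action   = if ($record.Lockdown) { 'enabled' } else { 'FAILED to enable' }
                }
                catch {
                    $record.Action = 'error'
                    $record.Error  = $_.Exception.Message
                }
            }
        }
        $results += $record
    }
    return $results
}

$report = Test-LockdownCompliance
$report | Format-Table Name, State, Lockdown, Action, Error -AutoSize

# Exit non-zero when any connected host is still unlocked, so the Task Scheduler
# history shows a failed run instead of a silent success
$unlocked = @($report | Where-Object { -not $_.Lockdown -and $_.Action -ne 'skipped (not connected)' })
exit $unlocked.Count
```

Run it with -ReportOnly first to see which hosts would be changed; the exit code makes the scheduled task itself a cheap compliance signal, independent of whether the e-mail arrives.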