Arnim van Lieshout Rotating Header Image

Bulk change your ESX root password

Feb 17th, 2009
by Arnim van Lieshout.

Have you ever been facing your security department demanding you to change your ESX root password?

Well I did. At the current site there’s a strict security policy where passwords must change every 2 months. Offcourse as a good administrator I changed the ESX root account …. ehm …. well …. ehm …. never.
Because we have over 60 ESX hosts and I’m lazy I did some googling and found this thread on the VMTN forum.

I have some problems with the provided example:

  • Password entry is not secure as it is in plain text.
  • There is no error checking. If for some reason the connection to an ESX host fails the script just terminates.
  • The security department responsible for changing the passwords doesn’t have access rights on our vCenter server. So they cannot login to vCenter to retrieve the ESX hosts from it.
  • We have multiple vCenter servers

So I took the example and performed my first real powershell scripting magic on it. First I removed the connection to the vCenter server and replaced it by a textfile. This way the security department could retrieve all ESX hosts from the CMDB and put them in a simple textfile called ‘esxservers.txt’.
Next I’ve thrown in some security for entering passwords and a check to compare the new root password to avoid typos.

Here’s the result.

#
# This script changes the root password on all ESX hosts in the esxservers.txt textfile
# 

# Add VI-toolkit #
Add-PSsnapin VMware.VimAutomation.Core
Initialize-VIToolkitEnvironment.ps1# Get old root credential
$oldrootPassword = Read-Host “Enter old root password” -AsSecureString
$oldrootCredential = new-object -typename System.Management.Automation.PSCredential -argumentlist “root”,$oldrootPassword

# Get new root credential
$newrootPassword = Read-Host “Enter new root password” -AsSecureString
$newrootCredential = new-object -typename System.Management.Automation.PSCredential -argumentlist “root”,$newrootPassword
$newrootPassword2 = Read-Host “Retype new root password” -AsSecureString
$newrootCredential2 = new-object -typename System.Management.Automation.PSCredential -argumentlist “root”,$newrootPassword2

# Compare passwords
If ($newrootCredential.GetNetworkCredential().Password -ceq $newrootCredential2.GetNetworkCredential().Password) {

 # Create new root account object
 $rootaccount = New-Object VMware.Vim.HostPosixAccountSpec
 $rootaccount.id = “root”
 $rootaccount.password = $newrootCredential.GetNetworkCredential().Password
 $rootaccount.shellAccess = “/bin/bash”

 # Get list of Host servers from textfile to change root password on
 Get-Content esxservers.txt | %{
  Connect-VIServer $_ -User root -Password $oldrootCredential.GetNetworkCredential().Password -ErrorAction SilentlyContinue -ErrorVariable ConnectError | Out-Null
  If ($ConnectError -ne $Null) {
   Write-Host “ERROR: Failed to connect to ESX server:” $_
  }
  Else {
   $si = Get-View ServiceInstance
   $acctMgr = Get-View -Id $si.content.accountManager
   $acctMgr.UpdateUser($rootaccount)
   Write-Host “Root password successfully changed on” $_
      Disconnect-VIServer -Confirm:$False | Out-Null
  }
 }
}
Else {
Write-Host “ERROR: New root passwords do not match. Exiting…”
}

Example esxservers.txt:

esx001.yourdomain.local

esx002.yourdomain.local

esx003.yourdomain.local

esx004.yourdomain.local

Download: esx_change_root_password.ps1

Feel free to use it or change it at your own risk.
Remember: I do not take any resposibillites for things that happen to your ESX servers due to using this script.

No related posts.

Posted in: PowerShell, Scripts.
Tagged: · · ·

5 Comments on “Bulk change your ESX root password”

  1. #1 Sven Huisman
    on Feb 17th, 2009 at 4:16 pm

    Great Script, Arnim! And yes indeed, changing root-password is not something VI-admins like to do…

  2. #2 ESX console password aging | Arnim van Lieshout
    on Feb 18th, 2009 at 10:22 am

    [...] I did a post on how to change your ESX root password using a Powershell script and told you that I, as a good administrator, didn’t change my [...]

  3. #3 FAQ » Change all ESX root passwords
    on Jul 8th, 2009 at 7:00 am

    [...] Another great script from Arnim van Lieshout. [...]

  4. #4 Bulk ESX Password Change - VI Toolkit - InterVirt
    on Aug 3rd, 2009 at 9:16 pm

    [...] Bulk ESX Password Change – VI Toolkit Aug.03, 2009 in Scripts http://www.van-lieshout.com/2009/02/bulk-change-your-esx-root-password/ [...]

  5. #5 Support your favourite blog. Vote Now! | Arnim van Lieshout
    on Jan 6th, 2010 at 10:50 am

    [...] Bulk change your ESX root password [...]

Leave a Comment