Bulk change your ESX root password

Have you ever faced your security department demanding that you change your ESX root password?

Well, I did. At the current site there’s a strict security policy where passwords must change every 2 months. Of course, as a good administrator I changed the ESX root account …. ehm …. well …. ehm …. never.
Because we have over 60 ESX hosts and I’m lazy, I did some googling and found this thread on the VMTN forum.

I have some problems with the provided example:

  • Password entry is not secure as it is in plain text.
  • There is no error checking. If for some reason the connection to an ESX host fails the script just terminates.
  • The security department responsible for changing the passwords doesn’t have access rights on our vCenter server, so they cannot log in to vCenter to retrieve the ESX hosts from it.
  • We have multiple vCenter servers.

So I took the example and performed my first real PowerShell scripting magic on it. First I removed the connection to the vCenter server and replaced it with a text file. This way the security department could retrieve all ESX hosts from the CMDB and put them in a simple text file called ‘esxservers.txt’.
Next I’ve thrown in some security for entering passwords and a check that compares the two entries of the new root password to avoid typos.

Here’s the result.

#
# This script changes the root password on all ESX hosts in the esxservers.txt textfile
#

# Add VI-toolkit #
Add-PSSnapin VMware.VimAutomation.Core
Initialize-VIToolkitEnvironment.ps1

# Get old root credential
$oldrootPassword = Read-Host "Enter old root password" -AsSecureString
$oldrootCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "root",$oldrootPassword

# Get new root credential (asked twice to catch typos)
$newrootPassword = Read-Host "Enter new root password" -AsSecureString
$newrootCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "root",$newrootPassword
$newrootPassword2 = Read-Host "Retype new root password" -AsSecureString
$newrootCredential2 = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "root",$newrootPassword2

# Compare passwords (case-sensitive)
If ($newrootCredential.GetNetworkCredential().Password -ceq $newrootCredential2.GetNetworkCredential().Password) {

 # Create new root account object
 $rootaccount = New-Object VMware.Vim.HostPosixAccountSpec
 $rootaccount.id = "root"
 $rootaccount.password = $newrootCredential.GetNetworkCredential().Password
 $rootaccount.shellAccess = "/bin/bash"

 # Get list of Host servers from textfile to change root password on
 Get-Content esxservers.txt | %{
  # Connect with the credential object so the old password is not expanded to plain text here
  $viserver = Connect-VIServer $_ -Credential $oldrootCredential -ErrorAction SilentlyContinue -ErrorVariable ConnectError
  If ($ConnectError) {
   Write-Host "ERROR: Failed to connect to ESX server:" $_
  }
  Else {
   # Scope every call to this host's connection
   $si = Get-View ServiceInstance -Server $viserver
   $acctMgr = Get-View -Id $si.content.accountManager -Server $viserver
   $acctMgr.UpdateUser($rootaccount)
   Write-Host "Root password successfully changed on" $_
   Disconnect-VIServer -Server $viserver -Confirm:$False | Out-Null
  }
 }
}
Else {
 Write-Host "ERROR: New root passwords do not match. Exiting..."
}

Example esxservers.txt:

esx001.yourdomain.local
esx002.yourdomain.local
esx003.yourdomain.local
esx004.yourdomain.local
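
The script above checks the two new-password entries by turning both into ordinary strings with GetNetworkCredential().Password, and it reads esxservers.txt line by line as-is. As an added example (not part of the original script; the function names Test-SecureStringEqual and Get-EsxHostList are made up for this illustration), the comparison can be done on unmanaged buffers that are zeroed afterwards, and the host file can be stripped of blank lines and duplicates before use:

```powershell
# Added example, not from the original post. Helper names are hypothetical.
function Test-SecureStringEqual {
    param(
        [Parameter(Mandatory = $true)][System.Security.SecureString]$First,
        [Parameter(Mandatory = $true)][System.Security.SecureString]$Second
    )
    $marshal = [System.Runtime.InteropServices.Marshal]
    $p1 = [IntPtr]::Zero
    $p2 = [IntPtr]::Zero
    try {
        # Decrypt both values into unmanaged BSTR buffers that we can wipe ourselves.
        $p1 = $marshal::SecureStringToBSTR($First)
        $p2 = $marshal::SecureStringToBSTR($Second)
        if ($First.Length -ne $Second.Length) { return $false }
        $diff = 0
        # Compare UTF-16 code units (case-sensitive), without stopping at the first mismatch.
        for ($i = 0; $i -lt $First.Length; $i++) {
            $diff = $diff -bor ($marshal::ReadInt16($p1, $i * 2) -bxor $marshal::ReadInt16($p2, $i * 2))
        }
        return ($diff -eq 0)
    }
    finally {
        # Overwrite and free the plain-text copies, even when an error occurred.
        if ($p1 -ne [IntPtr]::Zero) { $marshal::ZeroFreeBSTR($p1) }
        if ($p2 -ne [IntPtr]::Zero) { $marshal::ZeroFreeBSTR($p2) }
    }
}

function Get-EsxHostList {
    param([string]$Path = 'esxservers.txt')
    # Trim whitespace, drop blank lines and remove duplicate host names (case-insensitive).
    Get-Content -Path $Path |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -ne '' } |
        Sort-Object -Unique
}

# Usage (interactive): prompt twice, compare, then load the cleaned host list.
$new1 = Read-Host 'Enter new root password' -AsSecureString
$new2 = Read-Host 'Retype new root password' -AsSecureString
if (-not (Test-SecureStringEqual -First $new1 -Second $new2)) {
    Write-Host 'ERROR: New root passwords do not match. Exiting...'
    return
}
$esxHosts = Get-EsxHostList -Path 'esxservers.txt'
Write-Host ('{0} unique host name(s) loaded' -f @($esxHosts).Count)
```

The new password still has to be handed to HostPosixAccountSpec as a plain string, so this only removes the extra copies created for the typo check.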

Download: esx_change_root_password.ps1

Feel free to use it or change it at your own risk.
Remember: I do not take any responsibility for things that happen to your ESX servers due to using this script.


14 Comments on “Bulk change your ESX root password”

  1. #1 Sven Huisman
    on Feb 17th, 2009 at 4:16 pm

    Great Script, Arnim! And yes indeed, changing root-password is not something VI-admins like to do…

  2. #2 ESX console password aging | Arnim van Lieshout
    on Feb 18th, 2009 at 10:22 am

    [...] I did a post on how to change your ESX root password using a Powershell script and told you that I, as a good administrator, didn’t change my [...]

  3. #3 FAQ » Change all ESX root passwords
    on Jul 8th, 2009 at 7:00 am

    [...] Another great script from Arnim van Lieshout. [...]

  4. #4 Bulk ESX Password Change - VI Toolkit - InterVirt
    on Aug 3rd, 2009 at 9:16 pm

    [...] Bulk ESX Password Change – VI Toolkit Aug.03, 2009 in Scripts http://www.van-lieshout.com/2009/02/bulk-change-your-esx-root-password/ [...]

  5. #5 Support your favourite blog. Vote Now! | Arnim van Lieshout
    on Jan 6th, 2010 at 10:50 am

    [...] Bulk change your ESX root password [...]

  6. #6 Mr Gee
    on Sep 7th, 2010 at 4:44 pm

    I’m trying this on vSphere 4.0 and getting the following error:

    Cannot validate argument on parameter ‘Id’. The argument is null or empty. Supply an argument that is not null or empty and then try the command again.
    At :line:37 char:26
    + $acctMgr = Get-View -Id <<<< $si.content.accountManager

    Any suggestions?

  7. #7 Arnim van Lieshout
    on Sep 17th, 2010 at 4:34 pm

    I’ll have to look into that one. Haven’t tried this on vSphere yet.

  8. #8 Erik Grootoonk
    on Oct 11th, 2010 at 4:20 pm

    Great script! Saved me a lot of work.

    I’ve used it on vSphere 4.1 and it works fine.

    You have to make sure that you use the latest version of PowerCLI.

  9. #9 Cheng Hsiang
    on Oct 5th, 2011 at 7:53 pm

    Great script.
    Another question….
    Is there a way to pre-configure the password and IP using a script so that I can use a USB stick to boot with ESXi, and use vSphere Center to access the host with the pre-configured password and IP address with user intervention for the initial set, e.g. skip the F2 after the ESXi is first booted.
    Someone has posted a way to do the IP part, but no post for the password part.
    Thanks in advance….

  10. #10 Steve
    on Jan 6th, 2012 at 4:15 pm

    Receiving an error when I run this now…used to work fine. Any ideas?

    Get-View : Cannot validate argument on parameter ‘Id’. The argument is null or
    empty. Supply an argument that is not null or empty and then try the command ag
    ain.
    At C:\Users\sdion\Desktop\esx_root_pass_changer.ps1:43 char:27
    + $acctMgr = Get-View -Id <<<< $si.content.accountManager
    + CategoryInfo : InvalidData: (:) [Get-View], ParameterBindingVal
    idationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,VMware.VimAutom
    ation.ViCore.Cmdlets.Commands.DotNetInterop.GetVIView

    You cannot call a method on a null-valued expression.
    At C:\Users\sdion\Desktop\esx_root_pass_changer.ps1:44 char:23
    + $acctMgr.UpdateUser <<<< ($rootaccount)
    + CategoryInfo : InvalidOperation: (UpdateUser:String) [], Runtim
    eException
    + FullyQualifiedErrorId : InvokeMethodOnNull

  11. #11 Bulk change password for ESX » RO Virtual Machine User Group
    on Jan 11th, 2012 at 3:15 pm

  12. #12 Arnim van Lieshout
    on Jan 30th, 2012 at 11:12 pm

    The error states that $si.content.accountManager does not contain any data.
    Might be related to an incorrect version of PowerCLI. Did you try the latest version?

  13. #13 pramod
    on Sep 7th, 2012 at 7:28 am

    getting the same error :
    $acctMgr = Get-View -Id <<<< $si.content.accountManager

    running PowerCLI 5.0.

    Awesome script, but for this error!! Please help.

  14. #14 VELOCIGROUP
    on Oct 22nd, 2012 at 11:45 am

    Thanks!
    Very nice script. Just what I was looking for. All the other scripts I found depended on a vCenter server. We have a lot of ESXi stand-alone servers and until now it was a pain changing root password.
