PowerShell script exchange
Post Reply
joe@kmits
Novice
Posts: 8
Liked: never
Joined: Feb 14, 2017 2:08 pm
Full Name: Joachim hacker
Contact:

Add User to Users and Roles per PS

Post by joe@kmits »

Hi all,

I want to add users to Veeam and the manually way, over "User an Roles" is quite easy.
Now I was wondering if it would be possible to do this over PowerShell, but I couldn´t find any parameters or documentation for it.
Does anyone know if this is possible?

Thanks for all replys
joe@kmits
Novice
Posts: 8
Liked: never
Joined: Feb 14, 2017 2:08 pm
Full Name: Joachim hacker
Contact:

Re: Add User to Users and Roles per PS

Post by joe@kmits »

So our company opened a ticket by Veeam and we got the answer, that it is not possible to add users to "Users and Roles" by PS
tsightler
VP, Product Management
Posts: 6035
Liked: 2860 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler
Contact:

Re: Add User to Users and Roles per PS

Post by tsightler »

Yes, support will only give you the official supported options, while sometimes, we here on the forums can get a little more creative and come up with non-supported, but still functional methods of doing things that need to be done. However, just to be clear, are you referring to the users/roles in the Windows based VBR console or in the web based enterprise manager? In enterprise manager the users/roles can be configured via the REST API, which you could do from Powershell as well.
joe@kmits
Novice
Posts: 8
Liked: never
Joined: Feb 14, 2017 2:08 pm
Full Name: Joachim hacker
Contact:

Re: Add User to Users and Roles per PS

Post by joe@kmits »

I´m referring to the users/roles in the Windows based VBR console.
veremin
Product Manager
Posts: 20413
Liked: 2302 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: Add User to Users and Roles per PS

Post by veremin »

Support team were indeed correct in saying that those roles are not configurable via PowerShell at the moment. Thanks.
tsightler
VP, Product Management
Posts: 6035
Liked: 2860 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler
Contact:

Re: Add User to Users and Roles per PS

Post by tsightler »

Normally users and roles are recommended to be handled via Windows security groups. You can assign security groups to the roles, then easily add/remove users to the Windows groups problematically. However, for now the initial assignment of roles to security groups can only be done via the GUI, which usually isn't too bad since it's normally a one time operation, however, if it's this latter function that you need to do (perhaps you have many VBR servers or something) I can look into alternative methods to do this.
joe@kmits
Novice
Posts: 8
Liked: never
Joined: Feb 14, 2017 2:08 pm
Full Name: Joachim hacker
Contact:

Re: Add User to Users and Roles per PS

Post by joe@kmits »

Well that´s exactly what we need. For we try to create a script that does everything automatically and adding users is the last thing thats missing :)
tsightler
VP, Product Management
Posts: 6035
Liked: 2860 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler
Contact:

Re: Add User to Users and Roles per PS

Post by tsightler »

OK, I'll poke at it and see if I can come up with something creative.
joe@kmits
Novice
Posts: 8
Liked: never
Joined: Feb 14, 2017 2:08 pm
Full Name: Joachim hacker
Contact:

Re: Add User to Users and Roles per PS

Post by joe@kmits »

Thanks - it would be awesome, if you could come up with a solution :)
GPS
Novice
Posts: 3
Liked: 1 time
Joined: Feb 12, 2018 9:56 am
Contact:

Re: Add User to Users and Roles per PS

Post by GPS »

tsightler wrote:OK, I'll poke at it and see if I can come up with something creative.
This is exactly what I would like to be able to do. I am using 9.5 update 3. Is there anything to do this or you could supply that would enable me to do this so that it can be automated using PowerShelll?
floriangehrig
Novice
Posts: 5
Liked: never
Joined: Dec 19, 2017 7:20 am
Full Name: Florian Gehrig
Contact:

Re: Add User to Users and Roles per PS

Post by floriangehrig »

This would be great, i also need this feature.
Any News?
veremin
Product Manager
Posts: 20413
Liked: 2302 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: Add User to Users and Roles per PS

Post by veremin »

Those roles still cannot be configured via PowerShell, but consider your feature request noted. Thanks.
tsightler
VP, Product Management
Posts: 6035
Liked: 2860 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler
Contact:

Re: Add User to Users and Roles per PS

Post by tsightler »

I did have some success hacking on this, but I guess I never felt it was usable enough to post here. I'll try to find my old scripts and see how close I came to making this usable.
tsightler
VP, Product Management
Posts: 6035
Liked: 2860 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler
Contact:

Re: Add User to Users and Roles per PS

Post by tsightler » 2 people like this post

Due to popular demand, here is an unsupported workaround for adding and removing users/groups to Veeam roles using Powershell. I've tested this a good bit in my own lab and it seems to work without breaking things, however, this is totally a hack, if it does break your environment, you get to keep the pieces. Please test carefully in a development environment and make sure you understand what it is doing if you decide to use this code. Also, because this code manipulates permissions, be careful, it's pretty easy to do things like delete all accounts and leave yourself without any way to access the Veeam console! I know this because I succeeded in breaking auth in my lab when I was developing this code. I believe the code below should be safe, but fair warning, there could be cases that I haven't considered.

I tried to keep the code as simple to use as possible. The code creates two functions, Add-VBRUserToRole and Remove-VBRUserFromRole which can be used as follows:

Code: Select all

Add-VBRUserToRole "[<Domain>]\<User_or_Group_Name>" "<Name_of_Veeam_Role>"
Remove-VBRUserFromRole "[<Domain>]\<User_or_Group_Name>" "<Name_of_Veeam_Role>"
For example, if the Windows domain is "MYDOMAIN" and you want to add the group "Veeam Admins" to the Role "Veeam Backup Administrator" just run the following:

Code: Select all

Add-VBRUserToRole "MYDOMAIN\Veeam Admins" "Veeam Backup Administrator"
You can also add individual users and, if you don't include the domain, the code attempts resolve the user/group to the proper account, whether a local system or domain account.

The code is far from perfect, it has minimal error checking (it will at least keep from adding duplicate users or adding the same user to the same role multiple times), if you feed it an account or role that doesn't exist it will fail in ugly ways (although it doesn't break anything in VBR). Even with these limitations I thought it might still be useful, especially for that initial configuration situation. I've only tested it on 9.5 U3 and it's calling lots of internal functions, but I think it should work on most recent versions without changes, as I don't believe this logic has changed much over the years.

***** Just like with other unsupported workarounds that I have posted previously, please do NOT attempt to open a support case for this code. If it doesn't work for you, feel free to comment here and, as I have time, I can try to help with it, but support will turn away any request for support as we are doing unsupported things here, and that's pretty much the definition of unsupported, i.e. support won't help you. Hopefully we'll have a supported way to set these options in the future. *****

Code: Select all

function Add-VBRUserToRole {
    Param ([string]$UserOrGroupName, [string]$RoleName)
    $CDBManager = [Veeam.Backup.DBManager.CDBManager]::CreateNewInstance()

    # Find the SID for the named user/group
    $AccountSid = [Veeam.Backup.Common.CAccountHelper]::FindSid($UserOrGroupName)

    # Detect if account is a User or Group
    If ([Veeam.Backup.Common.CAccountHelper]::IsUser($AccountSid)) {
        $AccountType = [Veeam.Backup.Model.AccountTypes]::User
    } Else {
        $AccountType = [Veeam.Backup.Model.AccountTypes]::Group
    }

    # Parse out full name (with domain component) and short name
    $FullAccountName = [Veeam.Backup.Common.CAccountHelper]::GetNtAccount($AccountSid).Value;
    $ShortAccountName = [Veeam.Backup.Common.CAccountHelper]::ParseUserName($FullAccountName);

    # Check if account already exist in Veeam DB, add if required
    If ($CDBManager.UsersAndRoles.FindAccount($AccountSid.Value)) {
        $Account = $CDBManager.UsersAndRoles.FindAccount($AccountSid.Value)
    } else {
        $Account = $CDBManager.UsersAndRoles.CreateAccount($AccountSid.Value, $ShortAccountName, $FullAccountName, $AccountType);
    }

    # Get the Role object for the named Role
    $Role = $CDBManager.UsersAndRoles.GetRolesAll() | ?{$_.Name -eq $RoleName}

    # Check if account is already assigned to Role and assign if not
    if ($CDBManager.UsersAndRoles.GetRolesByAccountId($Account.Id)) {
        write-host "Account $UserOrGroupName is already assigned to role $RoleName"
    } else {
        $CDBManager.UsersAndRoles.CreateRoleAccount($Role.Id,$Account.Id)
    }

    $CDBManager.Dispose()
}

function Remove-VBRUserFromRole {
    Param ([string]$UserOrGroupName, [string]$RoleName)
    $CDBManager = [Veeam.Backup.DBManager.CDBManager]::CreateNewInstance()

    # Find the SID for the named user/group
    $AccountSid = ([Veeam.Backup.Common.CAccountHelper]::FindSid($UserOrGroupName)).Value

    # Get the Veeam account ID using the SID
    $Account = $CDBManager.UsersAndRoles.FindAccount($AccountSid)

    # Get the Role ID for the named Role
    $Role = $CDBManager.UsersAndRoles.GetRolesAll() | ?{$_.Name -eq $RoleName}

    # Check if name user/group is assigned to role and delete if so
    if ($CDBManager.UsersAndRoles.GetRoleAccountByAccountId($Account.Id)) {
        $CDBManager.UsersAndRoles.DeleteRoleAccount($Role.Id,$Account.Id)
    } else {
        write-host "Account $UserOrGroupName is not assigned to role $RoleName"
    }

    $CDBManager.Dispose()
}
joe@kmits
Novice
Posts: 8
Liked: never
Joined: Feb 14, 2017 2:08 pm
Full Name: Joachim hacker
Contact:

Re: Add User to Users and Roles per PS

Post by joe@kmits »

Thanks @tsightler,

we will try if this Code will work for us. Thanks for your time and solution.
tsightler
VP, Product Management
Posts: 6035
Liked: 2860 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler
Contact:

Re: Add User to Users and Roles per PS

Post by tsightler »

I could probably minimize the number of calls to unsupported .NET functions by using standard Powershell cmdlets to get the accounts/groups/SID. If I get some time this week I'll take another stab at a cleaner version but, as far as I can tell, the code above works. Let me know if you have any issues.
LBegnaud
Service Provider
Posts: 19
Liked: 7 times
Joined: Jan 24, 2018 12:08 am
Contact:

Re: Add User to Users and Roles per PS

Post by LBegnaud »

Looks like this doesn't work across the board. We have a fair bit of B&R servers, and I'm seeing what seems to be an issue with operating system version.

WS2012R2:
PS C:\Windows\system32> $CDBManager = [Veeam.Backup.DBManager.CDBManager]::CreateNewInstance()
PS C:\Windows\system32>
PS C:\Windows\system32> [Veeam.Backup.Common.CAccountHelper]::FindSid("BUILTIN\Users")

BinaryLength AccountDomainSid Value
------------ ---------------- -----
16 S-1-5-32-545


PS C:\Windows\system32>
PS C:\Windows\system32> $CDBManager.UsersAndRoles.FindAccount("S-1-5-32-545")
PS C:\Windows\system32>
WS2016:
PS C:\Windows\system32> add-pssnapin veeampssnapin
PS C:\Windows\system32>
PS C:\Windows\system32> $CDBManager = [Veeam.Backup.DBManager.CDBManager]::CreateNewInstance()
PS C:\Windows\system32>
PS C:\Windows\system32> [Veeam.Backup.Common.CAccountHelper]::FindSid("BUILTIN\Users")

BinaryLength AccountDomainSid Value
------------ ---------------- -----
16 S-1-5-32-545


PS C:\Windows\system32>
PS C:\Windows\system32> $CDBManager.UsersAndRoles.FindAccount("S-1-5-32-545")


Id : 6322d6bd-337d-49c4-926e-717416b1d594
Name : Users
Nt4Name : BUILTIN\Users
Sid : S-1-5-32-545
Type : Group



PS C:\Windows\system32>
Unless there's something obvious I'm missing
Post Reply

Who is online

Users browsing this forum: No registered users and 13 guests