-
- Novice
- Posts: 8
- Liked: never
- Joined: Feb 14, 2017 2:08 pm
- Full Name: Joachim hacker
- Contact:
Add User to Users and Roles per PS
Hi all,
I want to add users to Veeam and the manually way, over "User an Roles" is quite easy.
Now I was wondering if it would be possible to do this over PowerShell, but I couldn´t find any parameters or documentation for it.
Does anyone know if this is possible?
Thanks for all replys
I want to add users to Veeam and the manually way, over "User an Roles" is quite easy.
Now I was wondering if it would be possible to do this over PowerShell, but I couldn´t find any parameters or documentation for it.
Does anyone know if this is possible?
Thanks for all replys
-
- Novice
- Posts: 8
- Liked: never
- Joined: Feb 14, 2017 2:08 pm
- Full Name: Joachim hacker
- Contact:
Re: Add User to Users and Roles per PS
So our company opened a ticket by Veeam and we got the answer, that it is not possible to add users to "Users and Roles" by PS
-
- VP, Product Management
- Posts: 6035
- Liked: 2860 times
- Joined: Jun 05, 2009 12:57 pm
- Full Name: Tom Sightler
- Contact:
Re: Add User to Users and Roles per PS
Yes, support will only give you the official supported options, while sometimes, we here on the forums can get a little more creative and come up with non-supported, but still functional methods of doing things that need to be done. However, just to be clear, are you referring to the users/roles in the Windows based VBR console or in the web based enterprise manager? In enterprise manager the users/roles can be configured via the REST API, which you could do from Powershell as well.
-
- Novice
- Posts: 8
- Liked: never
- Joined: Feb 14, 2017 2:08 pm
- Full Name: Joachim hacker
- Contact:
Re: Add User to Users and Roles per PS
I´m referring to the users/roles in the Windows based VBR console.
-
- Product Manager
- Posts: 20413
- Liked: 2302 times
- Joined: Oct 26, 2012 3:28 pm
- Full Name: Vladimir Eremin
- Contact:
Re: Add User to Users and Roles per PS
Support team were indeed correct in saying that those roles are not configurable via PowerShell at the moment. Thanks.
-
- VP, Product Management
- Posts: 6035
- Liked: 2860 times
- Joined: Jun 05, 2009 12:57 pm
- Full Name: Tom Sightler
- Contact:
Re: Add User to Users and Roles per PS
Normally users and roles are recommended to be handled via Windows security groups. You can assign security groups to the roles, then easily add/remove users to the Windows groups problematically. However, for now the initial assignment of roles to security groups can only be done via the GUI, which usually isn't too bad since it's normally a one time operation, however, if it's this latter function that you need to do (perhaps you have many VBR servers or something) I can look into alternative methods to do this.
-
- Novice
- Posts: 8
- Liked: never
- Joined: Feb 14, 2017 2:08 pm
- Full Name: Joachim hacker
- Contact:
Re: Add User to Users and Roles per PS
Well that´s exactly what we need. For we try to create a script that does everything automatically and adding users is the last thing thats missing
-
- VP, Product Management
- Posts: 6035
- Liked: 2860 times
- Joined: Jun 05, 2009 12:57 pm
- Full Name: Tom Sightler
- Contact:
Re: Add User to Users and Roles per PS
OK, I'll poke at it and see if I can come up with something creative.
-
- Novice
- Posts: 8
- Liked: never
- Joined: Feb 14, 2017 2:08 pm
- Full Name: Joachim hacker
- Contact:
Re: Add User to Users and Roles per PS
Thanks - it would be awesome, if you could come up with a solution
-
- Novice
- Posts: 3
- Liked: 1 time
- Joined: Feb 12, 2018 9:56 am
- Contact:
Re: Add User to Users and Roles per PS
This is exactly what I would like to be able to do. I am using 9.5 update 3. Is there anything to do this or you could supply that would enable me to do this so that it can be automated using PowerShelll?tsightler wrote:OK, I'll poke at it and see if I can come up with something creative.
-
- Novice
- Posts: 5
- Liked: never
- Joined: Dec 19, 2017 7:20 am
- Full Name: Florian Gehrig
- Contact:
Re: Add User to Users and Roles per PS
This would be great, i also need this feature.
Any News?
Any News?
-
- Product Manager
- Posts: 20413
- Liked: 2302 times
- Joined: Oct 26, 2012 3:28 pm
- Full Name: Vladimir Eremin
- Contact:
Re: Add User to Users and Roles per PS
Those roles still cannot be configured via PowerShell, but consider your feature request noted. Thanks.
-
- VP, Product Management
- Posts: 6035
- Liked: 2860 times
- Joined: Jun 05, 2009 12:57 pm
- Full Name: Tom Sightler
- Contact:
Re: Add User to Users and Roles per PS
I did have some success hacking on this, but I guess I never felt it was usable enough to post here. I'll try to find my old scripts and see how close I came to making this usable.
-
- VP, Product Management
- Posts: 6035
- Liked: 2860 times
- Joined: Jun 05, 2009 12:57 pm
- Full Name: Tom Sightler
- Contact:
Re: Add User to Users and Roles per PS
Due to popular demand, here is an unsupported workaround for adding and removing users/groups to Veeam roles using Powershell. I've tested this a good bit in my own lab and it seems to work without breaking things, however, this is totally a hack, if it does break your environment, you get to keep the pieces. Please test carefully in a development environment and make sure you understand what it is doing if you decide to use this code. Also, because this code manipulates permissions, be careful, it's pretty easy to do things like delete all accounts and leave yourself without any way to access the Veeam console! I know this because I succeeded in breaking auth in my lab when I was developing this code. I believe the code below should be safe, but fair warning, there could be cases that I haven't considered.
I tried to keep the code as simple to use as possible. The code creates two functions, Add-VBRUserToRole and Remove-VBRUserFromRole which can be used as follows:
For example, if the Windows domain is "MYDOMAIN" and you want to add the group "Veeam Admins" to the Role "Veeam Backup Administrator" just run the following:
You can also add individual users and, if you don't include the domain, the code attempts resolve the user/group to the proper account, whether a local system or domain account.
The code is far from perfect, it has minimal error checking (it will at least keep from adding duplicate users or adding the same user to the same role multiple times), if you feed it an account or role that doesn't exist it will fail in ugly ways (although it doesn't break anything in VBR). Even with these limitations I thought it might still be useful, especially for that initial configuration situation. I've only tested it on 9.5 U3 and it's calling lots of internal functions, but I think it should work on most recent versions without changes, as I don't believe this logic has changed much over the years.
***** Just like with other unsupported workarounds that I have posted previously, please do NOT attempt to open a support case for this code. If it doesn't work for you, feel free to comment here and, as I have time, I can try to help with it, but support will turn away any request for support as we are doing unsupported things here, and that's pretty much the definition of unsupported, i.e. support won't help you. Hopefully we'll have a supported way to set these options in the future. *****
I tried to keep the code as simple to use as possible. The code creates two functions, Add-VBRUserToRole and Remove-VBRUserFromRole which can be used as follows:
Code: Select all
Add-VBRUserToRole "[<Domain>]\<User_or_Group_Name>" "<Name_of_Veeam_Role>"
Remove-VBRUserFromRole "[<Domain>]\<User_or_Group_Name>" "<Name_of_Veeam_Role>"
Code: Select all
Add-VBRUserToRole "MYDOMAIN\Veeam Admins" "Veeam Backup Administrator"
The code is far from perfect, it has minimal error checking (it will at least keep from adding duplicate users or adding the same user to the same role multiple times), if you feed it an account or role that doesn't exist it will fail in ugly ways (although it doesn't break anything in VBR). Even with these limitations I thought it might still be useful, especially for that initial configuration situation. I've only tested it on 9.5 U3 and it's calling lots of internal functions, but I think it should work on most recent versions without changes, as I don't believe this logic has changed much over the years.
***** Just like with other unsupported workarounds that I have posted previously, please do NOT attempt to open a support case for this code. If it doesn't work for you, feel free to comment here and, as I have time, I can try to help with it, but support will turn away any request for support as we are doing unsupported things here, and that's pretty much the definition of unsupported, i.e. support won't help you. Hopefully we'll have a supported way to set these options in the future. *****
Code: Select all
function Add-VBRUserToRole {
Param ([string]$UserOrGroupName, [string]$RoleName)
$CDBManager = [Veeam.Backup.DBManager.CDBManager]::CreateNewInstance()
# Find the SID for the named user/group
$AccountSid = [Veeam.Backup.Common.CAccountHelper]::FindSid($UserOrGroupName)
# Detect if account is a User or Group
If ([Veeam.Backup.Common.CAccountHelper]::IsUser($AccountSid)) {
$AccountType = [Veeam.Backup.Model.AccountTypes]::User
} Else {
$AccountType = [Veeam.Backup.Model.AccountTypes]::Group
}
# Parse out full name (with domain component) and short name
$FullAccountName = [Veeam.Backup.Common.CAccountHelper]::GetNtAccount($AccountSid).Value;
$ShortAccountName = [Veeam.Backup.Common.CAccountHelper]::ParseUserName($FullAccountName);
# Check if account already exist in Veeam DB, add if required
If ($CDBManager.UsersAndRoles.FindAccount($AccountSid.Value)) {
$Account = $CDBManager.UsersAndRoles.FindAccount($AccountSid.Value)
} else {
$Account = $CDBManager.UsersAndRoles.CreateAccount($AccountSid.Value, $ShortAccountName, $FullAccountName, $AccountType);
}
# Get the Role object for the named Role
$Role = $CDBManager.UsersAndRoles.GetRolesAll() | ?{$_.Name -eq $RoleName}
# Check if account is already assigned to Role and assign if not
if ($CDBManager.UsersAndRoles.GetRolesByAccountId($Account.Id)) {
write-host "Account $UserOrGroupName is already assigned to role $RoleName"
} else {
$CDBManager.UsersAndRoles.CreateRoleAccount($Role.Id,$Account.Id)
}
$CDBManager.Dispose()
}
function Remove-VBRUserFromRole {
Param ([string]$UserOrGroupName, [string]$RoleName)
$CDBManager = [Veeam.Backup.DBManager.CDBManager]::CreateNewInstance()
# Find the SID for the named user/group
$AccountSid = ([Veeam.Backup.Common.CAccountHelper]::FindSid($UserOrGroupName)).Value
# Get the Veeam account ID using the SID
$Account = $CDBManager.UsersAndRoles.FindAccount($AccountSid)
# Get the Role ID for the named Role
$Role = $CDBManager.UsersAndRoles.GetRolesAll() | ?{$_.Name -eq $RoleName}
# Check if name user/group is assigned to role and delete if so
if ($CDBManager.UsersAndRoles.GetRoleAccountByAccountId($Account.Id)) {
$CDBManager.UsersAndRoles.DeleteRoleAccount($Role.Id,$Account.Id)
} else {
write-host "Account $UserOrGroupName is not assigned to role $RoleName"
}
$CDBManager.Dispose()
}
-
- Novice
- Posts: 8
- Liked: never
- Joined: Feb 14, 2017 2:08 pm
- Full Name: Joachim hacker
- Contact:
Re: Add User to Users and Roles per PS
Thanks @tsightler,
we will try if this Code will work for us. Thanks for your time and solution.
we will try if this Code will work for us. Thanks for your time and solution.
-
- VP, Product Management
- Posts: 6035
- Liked: 2860 times
- Joined: Jun 05, 2009 12:57 pm
- Full Name: Tom Sightler
- Contact:
Re: Add User to Users and Roles per PS
I could probably minimize the number of calls to unsupported .NET functions by using standard Powershell cmdlets to get the accounts/groups/SID. If I get some time this week I'll take another stab at a cleaner version but, as far as I can tell, the code above works. Let me know if you have any issues.
-
- Service Provider
- Posts: 19
- Liked: 7 times
- Joined: Jan 24, 2018 12:08 am
- Contact:
Re: Add User to Users and Roles per PS
Looks like this doesn't work across the board. We have a fair bit of B&R servers, and I'm seeing what seems to be an issue with operating system version.
WS2012R2:
WS2012R2:
WS2016:PS C:\Windows\system32> $CDBManager = [Veeam.Backup.DBManager.CDBManager]::CreateNewInstance()
PS C:\Windows\system32>
PS C:\Windows\system32> [Veeam.Backup.Common.CAccountHelper]::FindSid("BUILTIN\Users")
BinaryLength AccountDomainSid Value
------------ ---------------- -----
16 S-1-5-32-545
PS C:\Windows\system32>
PS C:\Windows\system32> $CDBManager.UsersAndRoles.FindAccount("S-1-5-32-545")
PS C:\Windows\system32>
Unless there's something obvious I'm missingPS C:\Windows\system32> add-pssnapin veeampssnapin
PS C:\Windows\system32>
PS C:\Windows\system32> $CDBManager = [Veeam.Backup.DBManager.CDBManager]::CreateNewInstance()
PS C:\Windows\system32>
PS C:\Windows\system32> [Veeam.Backup.Common.CAccountHelper]::FindSid("BUILTIN\Users")
BinaryLength AccountDomainSid Value
------------ ---------------- -----
16 S-1-5-32-545
PS C:\Windows\system32>
PS C:\Windows\system32> $CDBManager.UsersAndRoles.FindAccount("S-1-5-32-545")
Id : 6322d6bd-337d-49c4-926e-717416b1d594
Name : Users
Nt4Name : BUILTIN\Users
Sid : S-1-5-32-545
Type : Group
PS C:\Windows\system32>
Who is online
Users browsing this forum: No registered users and 13 guests