Add User to Users and Roles per PS

PowerShell script exchange

Add User to Users and Roles per PS

Veeam Logoby joe@kmits » Wed Feb 15, 2017 10:14 am

Hi all,

I want to add users to Veeam and the manually way, over "User an Roles" is quite easy.
Now I was wondering if it would be possible to do this over PowerShell, but I couldn´t find any parameters or documentation for it.
Does anyone know if this is possible?

Thanks for all replys
joe@kmits
Novice
 
Posts: 8
Liked: never
Joined: Tue Feb 14, 2017 2:08 pm
Full Name: Joachim hacker

Re: Add User to Users and Roles per PS

Veeam Logoby joe@kmits » Thu Feb 16, 2017 1:59 pm

So our company opened a ticket by Veeam and we got the answer, that it is not possible to add users to "Users and Roles" by PS
joe@kmits
Novice
 
Posts: 8
Liked: never
Joined: Tue Feb 14, 2017 2:08 pm
Full Name: Joachim hacker

Re: Add User to Users and Roles per PS

Veeam Logoby tsightler » Thu Feb 16, 2017 2:37 pm

Yes, support will only give you the official supported options, while sometimes, we here on the forums can get a little more creative and come up with non-supported, but still functional methods of doing things that need to be done. However, just to be clear, are you referring to the users/roles in the Windows based VBR console or in the web based enterprise manager? In enterprise manager the users/roles can be configured via the REST API, which you could do from Powershell as well.
tsightler
Veeam Software
 
Posts: 5064
Liked: 1991 times
Joined: Fri Jun 05, 2009 12:57 pm
Full Name: Tom Sightler

Re: Add User to Users and Roles per PS

Veeam Logoby joe@kmits » Mon Feb 20, 2017 7:58 am

I´m referring to the users/roles in the Windows based VBR console.
joe@kmits
Novice
 
Posts: 8
Liked: never
Joined: Tue Feb 14, 2017 2:08 pm
Full Name: Joachim hacker

Re: Add User to Users and Roles per PS

Veeam Logoby v.Eremin » Mon Feb 20, 2017 11:19 am

Support team were indeed correct in saying that those roles are not configurable via PowerShell at the moment. Thanks.
v.Eremin
Veeam Software
 
Posts: 14704
Liked: 1100 times
Joined: Fri Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin

Re: Add User to Users and Roles per PS

Veeam Logoby tsightler » Mon Feb 20, 2017 2:06 pm

Normally users and roles are recommended to be handled via Windows security groups. You can assign security groups to the roles, then easily add/remove users to the Windows groups problematically. However, for now the initial assignment of roles to security groups can only be done via the GUI, which usually isn't too bad since it's normally a one time operation, however, if it's this latter function that you need to do (perhaps you have many VBR servers or something) I can look into alternative methods to do this.
tsightler
Veeam Software
 
Posts: 5064
Liked: 1991 times
Joined: Fri Jun 05, 2009 12:57 pm
Full Name: Tom Sightler

Re: Add User to Users and Roles per PS

Veeam Logoby joe@kmits » Tue Feb 21, 2017 7:06 am

Well that´s exactly what we need. For we try to create a script that does everything automatically and adding users is the last thing thats missing :)
joe@kmits
Novice
 
Posts: 8
Liked: never
Joined: Tue Feb 14, 2017 2:08 pm
Full Name: Joachim hacker

Re: Add User to Users and Roles per PS

Veeam Logoby tsightler » Tue Feb 21, 2017 3:11 pm

OK, I'll poke at it and see if I can come up with something creative.
tsightler
Veeam Software
 
Posts: 5064
Liked: 1991 times
Joined: Fri Jun 05, 2009 12:57 pm
Full Name: Tom Sightler

Re: Add User to Users and Roles per PS

Veeam Logoby joe@kmits » Thu Feb 23, 2017 6:42 am

Thanks - it would be awesome, if you could come up with a solution :)
joe@kmits
Novice
 
Posts: 8
Liked: never
Joined: Tue Feb 14, 2017 2:08 pm
Full Name: Joachim hacker

Re: Add User to Users and Roles per PS

Veeam Logoby GPS » Mon Feb 12, 2018 10:13 am

tsightler wrote:OK, I'll poke at it and see if I can come up with something creative.

This is exactly what I would like to be able to do. I am using 9.5 update 3. Is there anything to do this or you could supply that would enable me to do this so that it can be automated using PowerShelll?
GPS
Novice
 
Posts: 3
Liked: 1 time
Joined: Mon Feb 12, 2018 9:56 am

Re: Add User to Users and Roles per PS

Veeam Logoby floriangehrig » Wed Feb 14, 2018 1:02 pm

This would be great, i also need this feature.
Any News?
floriangehrig
Novice
 
Posts: 4
Liked: never
Joined: Tue Dec 19, 2017 7:20 am
Full Name: Florian Gehrig

Re: Add User to Users and Roles per PS

Veeam Logoby v.Eremin » Wed Feb 14, 2018 2:16 pm

Those roles still cannot be configured via PowerShell, but consider your feature request noted. Thanks.
v.Eremin
Veeam Software
 
Posts: 14704
Liked: 1100 times
Joined: Fri Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin

Re: Add User to Users and Roles per PS

Veeam Logoby tsightler » Wed Feb 14, 2018 2:26 pm

I did have some success hacking on this, but I guess I never felt it was usable enough to post here. I'll try to find my old scripts and see how close I came to making this usable.
tsightler
Veeam Software
 
Posts: 5064
Liked: 1991 times
Joined: Fri Jun 05, 2009 12:57 pm
Full Name: Tom Sightler

Re: Add User to Users and Roles per PS

Veeam Logoby tsightler » Thu Feb 15, 2018 1:31 pm 2 people like this post

Due to popular demand, here is an unsupported workaround for adding and removing users/groups to Veeam roles using Powershell. I've tested this a good bit in my own lab and it seems to work without breaking things, however, this is totally a hack, if it does break your environment, you get to keep the pieces. Please test carefully in a development environment and make sure you understand what it is doing if you decide to use this code. Also, because this code manipulates permissions, be careful, it's pretty easy to do things like delete all accounts and leave yourself without any way to access the Veeam console! I know this because I succeeded in breaking auth in my lab when I was developing this code. I believe the code below should be safe, but fair warning, there could be cases that I haven't considered.

I tried to keep the code as simple to use as possible. The code creates two functions, Add-VBRUserToRole and Remove-VBRUserFromRole which can be used as follows:

Code: Select all
Add-VBRUserToRole "[<Domain>]\<User_or_Group_Name>" "<Name_of_Veeam_Role>"
Remove-VBRUserFromRole "[<Domain>]\<User_or_Group_Name>" "<Name_of_Veeam_Role>"

For example, if the Windows domain is "MYDOMAIN" and you want to add the group "Veeam Admins" to the Role "Veeam Backup Administrator" just run the following:

Code: Select all
Add-VBRUserToRole "MYDOMAIN\Veeam Admins" "Veeam Backup Administrator"

You can also add individual users and, if you don't include the domain, the code attempts resolve the user/group to the proper account, whether a local system or domain account.

The code is far from perfect, it has minimal error checking (it will at least keep from adding duplicate users or adding the same user to the same role multiple times), if you feed it an account or role that doesn't exist it will fail in ugly ways (although it doesn't break anything in VBR). Even with these limitations I thought it might still be useful, especially for that initial configuration situation. I've only tested it on 9.5 U3 and it's calling lots of internal functions, but I think it should work on most recent versions without changes, as I don't believe this logic has changed much over the years.

***** Just like with other unsupported workarounds that I have posted previously, please do NOT attempt to open a support case for this code. If it doesn't work for you, feel free to comment here and, as I have time, I can try to help with it, but support will turn away any request for support as we are doing unsupported things here, and that's pretty much the definition of unsupported, i.e. support won't help you. Hopefully we'll have a supported way to set these options in the future. *****

Code: Select all
function Add-VBRUserToRole {
    Param ([string]$UserOrGroupName, [string]$RoleName)
    $CDBManager = [Veeam.Backup.DBManager.CDBManager]::CreateNewInstance()

    # Find the SID for the named user/group
    $AccountSid = [Veeam.Backup.Common.CAccountHelper]::FindSid($UserOrGroupName)

    # Detect if account is a User or Group
    If ([Veeam.Backup.Common.CAccountHelper]::IsUser($AccountSid)) {
        $AccountType = [Veeam.Backup.Model.AccountTypes]::User
    } Else {
        $AccountType = [Veeam.Backup.Model.AccountTypes]::Group
    }

    # Parse out full name (with domain component) and short name
    $FullAccountName = [Veeam.Backup.Common.CAccountHelper]::GetNtAccount($AccountSid).Value;
    $ShortAccountName = [Veeam.Backup.Common.CAccountHelper]::ParseUserName($FullAccountName);

    # Check if account already exist in Veeam DB, add if required
    If ($CDBManager.UsersAndRoles.FindAccount($AccountSid.Value)) {
        $Account = $CDBManager.UsersAndRoles.FindAccount($AccountSid.Value)
    } else {
        $Account = $CDBManager.UsersAndRoles.CreateAccount($AccountSid.Value, $ShortAccountName, $FullAccountName, $AccountType);
    }

    # Get the Role object for the named Role
    $Role = $CDBManager.UsersAndRoles.GetRolesAll() | ?{$_.Name -eq $RoleName}

    # Check if account is already assigned to Role and assign if not
    if ($CDBManager.UsersAndRoles.GetRolesByAccountId($Account.Id)) {
        write-host "Account $UserOrGroupName is already assigned to role $RoleName"
    } else {
        $CDBManager.UsersAndRoles.CreateRoleAccount($Role.Id,$Account.Id)
    }

    $CDBManager.Dispose()
}

function Remove-VBRUserFromRole {
    Param ([string]$UserOrGroupName, [string]$RoleName)
    $CDBManager = [Veeam.Backup.DBManager.CDBManager]::CreateNewInstance()

    # Find the SID for the named user/group
    $AccountSid = ([Veeam.Backup.Common.CAccountHelper]::FindSid($UserOrGroupName)).Value

    # Get the Veeam account ID using the SID
    $Account = $CDBManager.UsersAndRoles.FindAccount($AccountSid)

    # Get the Role ID for the named Role
    $Role = $CDBManager.UsersAndRoles.GetRolesAll() | ?{$_.Name -eq $RoleName}

    # Check if name user/group is assigned to role and delete if so
    if ($CDBManager.UsersAndRoles.GetRoleAccountByAccountId($Account.Id)) {
        $CDBManager.UsersAndRoles.DeleteRoleAccount($Role.Id,$Account.Id)
    } else {
        write-host "Account $UserOrGroupName is not assigned to role $RoleName"
    }

    $CDBManager.Dispose()
}
tsightler
Veeam Software
 
Posts: 5064
Liked: 1991 times
Joined: Fri Jun 05, 2009 12:57 pm
Full Name: Tom Sightler

Re: Add User to Users and Roles per PS

Veeam Logoby joe@kmits » Mon Feb 19, 2018 6:38 am

Thanks @tsightler,

we will try if this Code will work for us. Thanks for your time and solution.
joe@kmits
Novice
 
Posts: 8
Liked: never
Joined: Tue Feb 14, 2017 2:08 pm
Full Name: Joachim hacker

Next

Return to PowerShell



Who is online

Users browsing this forum: No registered users and 8 guests