Cross-domain Powershell with VMware!

      No Comments on Cross-domain Powershell with VMware!

Everybody loves Powershell.
If you don’t, you’re wrong, really. It provides a way around everything!

I’ve been lucky enough to be stuck in high-security environment with multiple domains and no communication allowed between them. No trust, no nothing.¬†

Which of course can be fine security-wise, but horrible from an admin standpoint.

Being the solution-oriented guy that I am, I didn’t really feel like settling into doing one operation in three different domains (this was a test/dev setup with identical users in all domains).

How do we fix that? Powershell with PowerCLI-

PowerCLI is VMware’s PS-module, which is very powerful, though a bit awkward at times.

It does have one nice, often overlooked function:


Invoke-VMscript really does what you think it does. It runs a scriptblock using vmware tools on a remote computer.

What does that mean? It means you have full access to everything if you have access to vCenter.

And how do you use it? Simple! This is just a basic command to copy AD users  group from one user to another.

$addtogroup = @"(Get-ADUser -Identity $fromuser -Properties memberof).memberof | Add-ADGroupMember -Members $touser"@

invoke-VMScript -vm $mgmt -ScriptText "$addtogroup" -ScriptType Powershell -guestuser "$domain\$username" -GuestPassword $pass}

This is a part of a larger context/ecosystem (which I’ll blog about later) involving Keepass to manage passwords and all sorts of bruaha.
But the setup as far as commands go is pretty damn simple. Using @” you can pretty much just do the entire script block to execute remotely, calling it with -ScriptText and -vm is simply the VM you invoke through.

And if you’re thinking ‘well what about security’: I’m not really doing anything here that I wouldn’t have done anyway, I’m merely invoking the command instead of logging on the box and running it manually.

Cool, huh? I think so.

Leave a Reply

Your email address will not be published. Required fields are marked *