If you have many vCenters, keeping their configuration consistent by hand is a hassle. For managing vCenter SSO settings there is an open-source PowerShell module called "VMware.vSphere.SsoAdmin", which can be used to apply the same settings across all of your vCenters. The module can be downloaded from https://github.com/vmware/PowerCLI-Example-Scripts/tree/master/Modules/VMware.vSphere.SsoAdmin
Below is an example script that sets the SSO password policy and account lockout policy on multiple vCenters.
$all_vcenters = @(
    'vc1.test.net',
    'vc2.test.net',
    'vc3.test.net',
    'vc4.test.net',
    'vc5.test.net'
)
$vcenter_username = "administrator@vsphere.local"
# Placeholder value for the example; in practice read the password from a vault or prompt
# for it rather than storing it in the script
$vcenter_password = "Password123!"

foreach ($vcenter in $all_vcenters) {
    # Connect to the SSO instance on this vCenter and keep the connection object so the
    # matching disconnect below targets exactly this server.
    # -SkipCertificateCheck disables TLS certificate validation; drop it once the vCenter
    # certificate is trusted by the host running the script.
    $sso = Connect-SsoAdminServer -Server $vcenter -User $vcenter_username -Password $vcenter_password -SkipCertificateCheck -ErrorAction Stop

    # Set SSO policies
    # Password policy
    # prohibit reuse of the last 5 passwords
    Get-SsoPasswordPolicy | Set-SsoPasswordPolicy -ProhibitedPreviousPasswordsCount 5
    # minimum number of numeric characters
    Get-SsoPasswordPolicy | Set-SsoPasswordPolicy -MinNumericCount 2
    # minimum number of special characters
    Get-SsoPasswordPolicy | Set-SsoPasswordPolicy -MinSpecialCharCount 2
    # minimum number of uppercase characters
    Get-SsoPasswordPolicy | Set-SsoPasswordPolicy -MinUppercaseCount 2
    # minimum number of lowercase characters
    Get-SsoPasswordPolicy | Set-SsoPasswordPolicy -MinLowercaseCount 2
    # password lifetime in days
    Get-SsoPasswordPolicy | Set-SsoPasswordPolicy -PasswordLifetimeDays 90

    # Account lockout policy
    # time window (seconds) within which failed attempts are counted
    Get-SsoLockoutPolicy | Set-SsoLockoutPolicy -FailedAttemptIntervalSec 900
    # seconds after which a locked account is unlocked automatically
    Get-SsoLockoutPolicy | Set-SsoLockoutPolicy -AutoUnlockIntervalSec 500
    # maximum number of failed login attempts before lockout
    Get-SsoLockoutPolicy | Set-SsoLockoutPolicy -MaxFailedAttempts 6

    # Disconnect from SSO
    Write-Host "Disconnecting from SSO - $vcenter"
    Disconnect-SsoAdminServer -Server $sso
}
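Setting the policy is only half the job; you also want to know when a vCenter drifts away from it. The following audit script is an added example (not part of the original post) that uses the same module to read the password and lockout policy from each vCenter and report every setting that differs from the baseline above. It assumes the objects returned by Get-SsoPasswordPolicy and Get-SsoLockoutPolicy expose properties named like the corresponding Set- parameters, and that both Get- cmdlets accept a -Server parameter; the vCenter list is a constructed sample.

```powershell
# Added audit example: reports drift from the SSO policy baseline instead of enforcing it.
# Assumption: policy objects expose properties named like the Set-* parameters.
Import-Module VMware.vSphere.SsoAdmin

$all_vcenters = @('vc1.test.net', 'vc2.test.net')      # constructed sample list
$credential   = Get-Credential -Message 'SSO administrator account'

# Baseline: the values the deployment script above sets
$passwordBaseline = @{
    ProhibitedPreviousPasswordsCount = 5
    MinNumericCount                  = 2
    MinSpecialCharCount              = 2
    MinUppercaseCount                = 2
    MinLowercaseCount                = 2
    PasswordLifetimeDays             = 90
}
$lockoutBaseline = @{
    FailedAttemptIntervalSec = 900
    AutoUnlockIntervalSec    = 500
    MaxFailedAttempts        = 6
}

# Emit one record per setting whose current value differs from the baseline
function Compare-SsoPolicy {
    param($VCenter, $Kind, $Actual, [hashtable]$Baseline)
    foreach ($name in $Baseline.Keys) {
        $expected = $Baseline[$name]
        $current  = $Actual.$name
        if ($current -ne $expected) {
            [pscustomobject]@{ vCenter = $VCenter; Policy = $Kind; Setting = $name
                               Expected = $expected; Actual = $current }
        }
    }
}

$drift = foreach ($vcenter in $all_vcenters) {
    $sso = $null
    try {
        # One unreachable vCenter must not abort the audit of the others
        $sso = Connect-SsoAdminServer -Server $vcenter -User $credential.UserName `
            -Password $credential.GetNetworkCredential().Password -ErrorAction Stop
        Compare-SsoPolicy $vcenter 'Password' (Get-SsoPasswordPolicy -Server $sso) $passwordBaseline
        Compare-SsoPolicy $vcenter 'Lockout'  (Get-SsoLockoutPolicy  -Server $sso) $lockoutBaseline
    } catch {
        Write-Warning "$vcenter : $_"
    } finally {
        if ($sso) { Disconnect-SsoAdminServer -Server $sso }
    }
}

if ($drift) { $drift | Format-Table -AutoSize } else { Write-Host 'All vCenters match the baseline.' }
```

Run it on a schedule and alert on a non-empty $drift table to catch policy changes that were made outside the deployment script.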