PowerCLI Script – Report, Log, Change the default Active Directory ESX Admin group

PowerCLI

Statement:
Per https://stigviewer.com/stig/vmware_vsphere_6.7_esxi/2021-03-17/finding/V-239294: “When adding ESXi hosts to Active Directory (AD), all user/group accounts assigned to the AD group ‘ESX Admins’ will have full administrative access to the host. If this group is not controlled or known to the System Administrators, it may be used for inappropriate access to the host. Therefore, the default group must be changed to a site-specific AD group and membership therein must be severely restricted.”

The Ask:
Have a PowerCLI script report (before and after), log, and change the Config.HostAgent.plugins.hostsvc.esxAdminsGroup advanced setting from the default ESX Admins to a custom Active Directory Security Group for all connected ESXi hosts in the vCenter.
Prompt the user for the vCenter and the new AD security group (SG).

Tested:
VMware vCenter 7.0.2 17694817 / ESXi 7.0.2 17867351 / PowerCLI 12.4.1.18769701
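
One way to meet the ask above, as an added example that is not the author's script: it prompts for the vCenter and the new group, logs the session to a transcript, and records each host's value before and after the change. The log and CSV file names and the choice to include hosts in maintenance mode are assumptions.

```powershell
# Added example (not the original author's script).
# Assumptions: VMware.PowerCLI is installed; log/CSV file names are illustrative.
$settingName = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup'

$vCenter  = Read-Host 'vCenter FQDN or IP'
$newGroup = (Read-Host 'New AD security group for ESXi administrators').Trim()
if ([string]::IsNullOrWhiteSpace($newGroup) -or $newGroup -eq 'ESX Admins') {
    throw "Supply a site-specific AD group, not an empty value or the default 'ESX Admins'."
}

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
Start-Transcript -Path ".\esxAdminsGroup-$stamp.log" | Out-Null

try {
    $conn = Connect-VIServer -Server $vCenter -ErrorAction Stop

    # Only hosts vCenter can currently reach; disconnected hosts cannot be changed
    $report = foreach ($esx in Get-VMHost -State Connected, Maintenance | Sort-Object Name) {
        $row = [ordered]@{ Host = $esx.Name; Before = $null; After = $null; Result = '' }
        try {
            $setting = Get-AdvancedSetting -Entity $esx -Name $settingName -ErrorAction Stop
            if (-not $setting) { throw "Setting $settingName not found on host." }
            $row.Before = $setting.Value
            if ($setting.Value -ne $newGroup) {
                $setting | Set-AdvancedSetting -Value $newGroup -Confirm:$false -ErrorAction Stop | Out-Null
            }
            # Re-read from the host instead of trusting the object returned by the set call
            $row.After  = (Get-AdvancedSetting -Entity $esx -Name $settingName -ErrorAction Stop).Value
            $row.Result = if ($row.After -eq $newGroup) { 'Compliant' } else { 'Mismatch' }
        }
        catch {
            $row.Result = "Error: $($_.Exception.Message)"
        }
        [pscustomobject]$row
    }

    $report | Format-Table -AutoSize
    $report | Export-Csv -Path ".\esxAdminsGroup-$stamp.csv" -NoTypeInformation
    # Hosts that still need attention (errored, or value not applied)
    $report | Where-Object Result -ne 'Compliant' | Format-Table Host, Result -AutoSize
}
finally {
    if ($conn) { Disconnect-VIServer -Server $conn -Confirm:$false }
    Stop-Transcript | Out-Null
}
```

The CSV gives a per-host before/after record for audit evidence, and any row not marked Compliant should be rechecked once the host is reachable.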