PowerCLI Script – Report, Log, Change the default Active Directory ESX Admin group


Statement:
Per https://stigviewer.com/stig/vmware_vsphere_6.7_esxi/2021-03-17/finding/V-239294 “When adding ESXi hosts to Active Directory (AD), all user/group accounts assigned to the AD group “ESX Admins” will have full administrative access to the host. If this group is not controlled or known to the System Administrators, it may be used for inappropriate access to the host. Therefore, the default group must be changed to a site-specific AD group and membership therein must be severely restricted”

The Ask:
Have a PowerCLI script report (before and after), log and change the Config.HostAgent.plugins.hostsvc.esxAdminsGroup from the default ESX Admins to a custom Active Directory Security Group for all connected ESXi hosts in the vCenter.
Prompt the user for the vCenter and new AD SG.

Tested:
VMware vCenter 7.0.2 17694817 / ESXi 7.0.2 17867351 / PowerCLI 12.4.1.18769701

# PowerCLI Script - Report, log, change the default Active Directory ESX Admin group
# Tested VMware vCenter 7.0.2 17694817  ESXi 7.0.2 17867351  PowerCLI 12.4.1.18769701
# Found https://vmscribble.com/powercli/powercli-script-report-log-change-the-default-active-directory-esx-admin-group/

# Space
Write-Host " "
# Set the Variables
$vCenter = Read-Host "Enter the FQDN of the vCenter"
$newesxAdminsGroup = Read-Host "Enter the new Active Directory Security Group"
$ClientPC = Get-Location
$LogFile = "newesxAdminsGroup_changelog_$(get-date -format "MM-dd-yyyy__HHmm").txt"

# Space - Prompt user
Write-Host " "
Read-Host "You will change Config.HostAgent.plugins.hostsvc.esxAdminsGroup from ESX Admins to $newesxAdminsGroup on ALL ESXi hosts in vCenter $vCenter  
Hit ENTER to proceed"
Write-Host " "

# Add Logging  thanks https://github.com/lamw/automated-nested-lab-deployment-on-vmware-cloud/blob/master/nested-sddc-lab-deployment.ps1
Function My-Logger {
    param(
    [Parameter(Mandatory=$true)]
    [String]$message
    )

    # 24-hour clock (HH) so log entries are unambiguous; hh would give 12-hour times with no AM/PM marker
    $timeStamp = Get-Date -Format "MM-dd-yyyy_HH:mm:ss"

    Write-Host -NoNewline -ForegroundColor White "[$timestamp]"
    Write-Host -ForegroundColor Green " $message"
    $logMessage = "[$timeStamp] $message"
    $logMessage | Out-File -Append -LiteralPath $LogFile
}

$StartTime = Get-Date

Write-Host " "
Write-Host "Creating $LogFile" -ForegroundColor White
Write-Host " "

My-Logger "Connect to the vCenter $vCenter"
Connect-VIServer $vCenter

My-Logger "Creating a CSV BEFORE the change"
$BeforeCsv = "$vCenter-BEFORE-newesxAdminsGroup_changelog_$(get-date -format "MM-dd-yyyy_HHmm").csv"
Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup | Select Entity, Value | Export-Csv -NoTypeInformation -Path $BeforeCsv
# Export-Csv writes nothing to the pipeline, so record the file name in the log instead of piping to Out-File
My-Logger "Wrote $BeforeCsv"

My-Logger "Performing the change to $newesxAdminsGroup"
Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup | Set-AdvancedSetting -Value $newesxAdminsGroup -Confirm:$false | Out-File -Append -LiteralPath $LogFile

My-Logger "Creating a CSV AFTER the change"
$AfterCsv = "$vCenter-AFTER-newesxAdminsGroup_changelog_$(get-date -format "MM-dd-yyyy_HHmm").csv"
Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup | Select Entity, Value | Export-Csv -NoTypeInformation -Path $AfterCsv
# Export-Csv writes nothing to the pipeline, so record the file name in the log instead of piping to Out-File
My-Logger "Wrote $AfterCsv"

$EndTime = Get-Date
$duration = [math]::Round((New-TimeSpan -Start $StartTime -End $EndTime).TotalMinutes,2)

My-Logger "================================"
# $ClientPC holds the working directory captured at the top of the script (the CSVs and log are written there)
My-Logger "Complete. Two CSV's created in $ClientPC"
My-Logger "Start Time: $StartTime"
My-Logger "End Time: $EndTime"
My-Logger "Duration: $duration minutes"

# Disconnect from the vCenter
Disconnect-VIServer $vCenter -Confirm:$false
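The script above makes the change; what it does not give you is a read-only way to confirm afterwards (or before an audit) which hosts are still on the default group. The following is an added example, not part of the original post or the vmscribble script: the evaluation logic is a function that takes plain host records so it can be exercised offline on constructed data, and a second function gathers the same records from a live vCenter with PowerCLI's Get-AdvancedSetting and Get-VMHostAuthentication. The function names, the Status/Exposure labels and the sample host names are this example's own assumptions.

```powershell
# Added example (not part of the original post): read-only audit of the
# esxAdminsGroup setting across hosts. Evaluation is separated from collection
# so the logic can be checked offline before it is pointed at a live vCenter.
# Function names and the Status/Exposure labels are this example's own.

$DefaultEsxAdminsGroup = 'ESX Admins'
$SettingName = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup'

# Evaluate host records and return one finding per host.
# Each record needs: Entity (host name), Value (current esxAdminsGroup value),
# Domain (AD domain the host is joined to, or $null when it is not joined).
Function Test-EsxAdminsGroupSetting {
    param(
        [Parameter(Mandatory=$true)] [object[]]$HostRecords,
        [Parameter(Mandatory=$true)] [string]$ExpectedGroup
    )
    foreach ($rec in $HostRecords) {
        # -eq on strings is case-insensitive, which matches how AD group names behave
        $status =
            if ([string]::IsNullOrWhiteSpace($rec.Value)) { 'MISSING' }      # nothing set at all
            elseif ($rec.Value -eq $DefaultEsxAdminsGroup)  { 'DEFAULT' }      # still "ESX Admins"
            elseif ($rec.Value -eq $ExpectedGroup)          { 'OK' }
            else                                            { 'UNEXPECTED' }   # some other, unreviewed group
        [pscustomobject]@{
            Entity   = $rec.Entity
            Value    = $rec.Value
            Domain   = $rec.Domain
            Status   = $status
            # A host that is joined to AD and not on the site-specific group is the one
            # where the default group actually grants logins; an unjoined host still needs
            # fixing, because the setting applies as soon as the host is joined later.
            Exposure = if ($rec.Domain -and $status -ne 'OK') { 'HIGH' } else { 'LOW' }
        }
    }
}

# Collect the same records from a live vCenter. Requires an existing
# Connect-VIServer session; reads only, changes nothing.
Function Get-EsxAdminsGroupRecords {
    foreach ($vmhost in Get-VMHost) {
        $setting = Get-AdvancedSetting -Entity $vmhost -Name $SettingName
        $auth    = Get-VMHostAuthentication -VMHost $vmhost
        [pscustomobject]@{
            Entity = $vmhost.Name
            Value  = $setting.Value
            Domain = $auth.Domain
        }
    }
}

# Constructed sample records (not real hosts) showing how the findings read.
$sample = @(
    [pscustomobject]@{ Entity='esx01.lab.example'; Value='ESX Admins';          Domain='lab.example' },
    [pscustomobject]@{ Entity='esx02.lab.example'; Value='vSphere-Host-Admins'; Domain='lab.example' },
    [pscustomobject]@{ Entity='esx03.lab.example'; Value='ESX Admins';          Domain=$null },
    [pscustomobject]@{ Entity='esx04.lab.example'; Value='';                    Domain='lab.example' }
)
Test-EsxAdminsGroupSetting -HostRecords $sample -ExpectedGroup 'vSphere-Host-Admins' |
    Format-Table Entity, Value, Domain, Status, Exposure -AutoSize

# Against a live vCenter (after Connect-VIServer), keep only the hosts that need attention
# and write them next to the change log produced by the main script:
# Test-EsxAdminsGroupSetting -HostRecords (Get-EsxAdminsGroupRecords) -ExpectedGroup $newesxAdminsGroup |
#     Where-Object Status -ne 'OK' |
#     Export-Csv -NoTypeInformation -Path "esxAdminsGroup-findings_$(Get-Date -Format 'MM-dd-yyyy_HHmm').csv"
```

On the sample data, esx01 and esx04 come back HIGH (joined to AD, not on the expected group), esx02 is OK, and esx03 is DEFAULT but LOW because the host is not joined to a domain yet. Running the live version before the change script gives you an independent baseline, and running it again afterwards is a cheaper check than diffing the two CSVs by hand.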