The dir-cli utility supports creation and updates to solution users, account management, and management of certificates and passwords in VMware Directory Service (vmdir). You can use dir-cli to manage and query the domain functional level of vCenter Server instances.

dir-cli nodes list

Lists all the enhanced linked mode connected vCenter Server systems.

Option Description
--login <admin_user_id> The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.
--password <admin_password> Password of the administrator user. If you do not specify the password, you are prompted.
--server <psc_ip_or_fqdn> Use this option to connect to another vCenter Server to see its replication partners.

dir-cli computer password-reset

Enables you to reset the password of the machine account in the domain.

Option Description
--login <admin_user_id> The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.
--password <admin_password> Password of the administrator user. If you do not specify the password, you are prompted.
--live-dc-hostname <server name> Current name of the vCenter Server instance.

dir-cli service create

Creates a solution user. Primarily used by third-party solutions.

Option Description
--name <name> Name of the solution user to create
--cert <cert file> Path to the certificate file. This can be a certificate signed by VMCA or a third-party certificate.
--ssogroups <comma-separated-groupnames> Makes the solution user a member of the specified groups.
--wstrustrole <ActAsUser> Makes the solution user a member of the ActAsUser group. The ActAsUser role enables users to act on behalf of other users.
--ssoadminrole <Administrator/User> Makes the solution user a member of the built-in Administrators or Users group. In other words, determines whether the solution user has administrative privileges.
--login <admin_user_id> The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.
--password <admin_password> Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli service list

Lists the solution users that dir-cli knows about.

Option Description
--login <admin_user_id> The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.
--password <admin_password> Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli service delete

Deletes a solution user in vmdir. When you delete the solution user, all associated services become unavailable to all management nodes that use this instance of vmdir.

Option Description
--name <name> Name of the solution user to delete.
--login <admin_user_id> The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.
--password <admin_password> Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli service update

Updates the certificate for a specified solution user, that is, a collection of services. After running this command, update the solution user certificate entry in VECS by running the vecs-cli entry create command. See vecs-cli Command Reference.

Option Description
--name <name> Name of the solution user to update.
--cert <cert_file> Name of the certificate to assign to the service.
--login <admin_user_id> The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.
--password <admin_password> Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli user create

Creates a regular user inside vmdir. This command can be used for human users who authenticate to vCenter Single Sign-On with a user name and password. Use this command only during prototyping.

Option Description
--account <name> Name of the vCenter Single Sign-On user to create.
--user-password <password> Initial password for the user.
--first-name <name> First name for the user.
--last-name <name> Last name for the user.
--login <admin_user_id> The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.
--password <admin_password> Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli user modify

Modifies the specified user inside vmdir.

Option Description
--account <name> Name of the vCenter Single Sign-On user to modify.
--password-never-expires Set this option to true if you are modifying a user account for automated tasks that have to authenticate to vCenter Server, and you want to ensure that the tasks do not stop running because of password expiration. Use this option with care.
--password-expires Set this option to true if you want to revert the --password-never-expires option.
--login <admin_user_id> The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.
--password <admin_password> Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli user delete

Deletes the specified user inside vmdir.

Option Description
--account <name> Name of the vCenter Single Sign-On user to delete.
--login <admin_user_id> The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.
--password <admin_password> Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli user find-by-name

Finds a user inside vmdir by name. The information that this command returns depends on what you specify in the --level option.

Option Description
--account <name> Name of the vCenter Single Sign-On user to find.
--level <info level 0|1|2> Returns the following information:
  • Level 0: account and UPN
  • Level 1: level 0 information plus first and last name
  • Level 2: level 0 information plus the account deactivated flag, account locked flag, password never expires flag, password expired flag, and password expiry flag
The default level is 0.
--login <admin_user_id> The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.
--password <admin_password> Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli group modify

Adds a user or group to an existing group.

Option Description
--name <name> Name of the group in vmdir.
--add <user_or_group_name> Name of the user or group to add.
--login <admin_user_id> The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.
--password <admin_password> Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli group list

Lists the groups in vmdir, or a specified group.

Option Description
--name <name> Optional name of the group in vmdir. This option allows you to check whether a specific group exists.
--login <admin_user_id> The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.
--password <admin_password> Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli ssogroup create

Creates a group inside the local domain (vsphere.local by default).

Use this command if you want to create groups to manage user permissions for the vCenter Single Sign-On domain. For example, if you create a group and then add it to the Administrators group of the vCenter Single Sign-On domain, then all users that you add to that group have administrator permissions for the domain.

It is also possible to give permissions to vCenter inventory objects to groups in the vCenter Single Sign-On domain. See the vSphere Security documentation.

Option Description
--name <name> Name of the group in vmdir. Maximum length is 487 characters.
--description <description> Optional description for the group.
--login <admin_user_id> The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.
--password <admin_password> Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli trustedcert publish

Publishes a trusted root certificate to vmdir. After running this command, VECS picks up the certificate change after one minute, or you can run the vecs-cli force-refresh command to sync the certificate immediately.

Note: Starting in vSphere 8.0 Update 3, use either the vSphere Client or the API to publish a trusted root certificate and avoid having to restart services.

Option Description
--cert <file> Path to the certificate file.
--crl <file> This option is not supported by VMCA.
--login <admin_user_id> The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.
--password <admin_password> Password of the administrator user. If you do not specify the password, you are prompted.
--chain Specify this option if you are publishing a chained certificate. No option value is needed.
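The publish sequence above, wrapped in a script as an added example (not VMware's code): it checks that the file is PEM, adds --chain only when the file holds more than one certificate, omits --password so dir-cli prompts for it rather than exposing it on the command line, and follows up with vecs-cli force-refresh. The tool paths, the DIR_CLI/VECS_CLI overrides and the DIRCLI_DRY_RUN switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not VMware's code: pre-check a PEM file, then run the
# "dir-cli trustedcert publish" / "vecs-cli force-refresh" sequence above.
# Assumptions: the tools live at the appliance paths below (override with
# DIR_CLI / VECS_CLI), and DIRCLI_DRY_RUN=1 only prints the commands so the
# script can be run without a vCenter. --password is deliberately omitted so
# dir-cli prompts for it instead of exposing it in the process list.
set -eu
DIR_CLI=${DIR_CLI:-/usr/lib/vmware-vmafd/bin/dir-cli}
VECS_CLI=${VECS_CLI:-/usr/lib/vmware-vmafd/bin/vecs-cli}

# Number of certificates in a PEM file; 0 if unreadable or BEGIN/END mismatch.
pem_cert_count() {
    [ -r "$1" ] || { echo 0; return; }
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$1" || true)
    [ "$begins" -eq "$ends" ] && echo "$begins" || echo 0
}

# Compose the publish command; --chain is added only for a multi-cert file.
build_publish_cmd() {
    n=$(pem_cert_count "$1")
    [ "$n" -gt 0 ] || return 1
    cmd="$DIR_CLI trustedcert publish --cert $1 --login ${2:-administrator@vsphere.local}"
    [ "$n" -gt 1 ] && cmd="$cmd --chain"
    echo "$cmd"
}

# Publish, then force VECS to pick up the change instead of waiting a minute.
publish_trusted_root() {
    cmd=$(build_publish_cmd "$1" "${2:-}") || { echo "not a PEM certificate file: $1" >&2; return 1; }
    if [ "${DIRCLI_DRY_RUN:-0}" = 1 ]; then
        echo "$cmd"; echo "$VECS_CLI force-refresh"; return 0
    fi
    $cmd && "$VECS_CLI" force-refresh
}

# Constructed two-certificate chain file for a stand-alone run (not real certs).
SAMPLE_CHAIN=$(mktemp)
cat > "$SAMPLE_CHAIN" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBconstructedRootCertificateBodyNotReal=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBconstructedIntermediateBodyNotReal=
-----END CERTIFICATE-----
EOF
DIRCLI_DRY_RUN=1 publish_trusted_root "$SAMPLE_CHAIN"
```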

dir-cli trustedcert unpublish

Unpublishes a trusted root certificate currently in vmdir. Use this command, for example, if you added a different root certificate to vmdir that is now the root certificate for all other certificates in your environment. Unpublishing certificates that are no longer in use is part of hardening your environment.

Note: Starting in vSphere 8.0 Update 3, use either the vSphere Client or the API to unpublish a trusted root certificate and avoid having to restart services.

Option Description
--cert-file <file> Path to the certificate file to unpublish.
--login <admin_user_id> The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.
--password <admin_password> Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli trustedcert list

Lists all trusted root certificates and their corresponding IDs. You need the certificate IDs to retrieve a certificate with dir-cli trustedcert get.

Option Description
--login <admin_user_id> The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.
--password <admin_password> Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli trustedcert get

Retrieves a trusted root certificate from vmdir and writes it to a specified file.

Option Description
--id <cert_ID> ID of the certificate to retrieve. The dir-cli trustedcert list command shows the ID.
--outcert <path> Path to write the certificate file to.
--outcrl <path> Path to write the CRL file to. Not currently used.
--login <admin_user_id> The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.
--password <admin_password> Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli password create

Creates a random password that meets the password requirements. This command can be used by third-party solution users.

Option Description
--login <admin_user_id> The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.
--password <admin_password> Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli password reset

Allows an administrator to reset a user's password. If you are a non-administrator user who wants to reset a password, use dir-cli password change instead.

Option Description
--account <name> Name of the account to assign a new password to.
--new <password> New password for the specified user.
--login <admin_user_id> The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.
--password <admin_password> Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli password change

Allows a user to change their password. You must be the user who owns the account to make this change. Administrators can use dir-cli password reset to reset any password.

Option Description
--account <name> Account name.
--current <password> Current password of the user who owns the account.
--new <password> New password of the user who owns the account.