source link: https://scaleoutsean.github.io/2022/12/07/eseries-password-change-powershell.html

PowerShell password change script for local user account on E-Series SANtricity OS

07 Dec 2022

Long story short, password rotation scripts should directly use the SANtricity (or Web Services Proxy, if you can’t get directly to SANtricity) API and not the CLI.

My script can pick either controller and optionally validate the new password. Here I use the admin credentials to set a new password for the monitor user, and then I validate it.

[Screenshot: epasschange with validation on]

It takes around 0.8s to complete a password change this way.

It’s not intended for automated change of the admin account password because if things go wrong you may lock yourself out. But I tried and it worked.

[Screenshot: epasschange round-tripping admin account]

The first run sets the admin account’s password to monitor123, and because validation is enabled, it tries to log in using the new password - OK!

The second run sets the password back to what it was, also OK.

Is it safe and reliable?

I think it’s safer than your average CLI script.

If the controller fails between the time the new password is set and the time it’s validated (which is a time span of about 100ms, I think), validation would fail despite the password change succeeding. But then you don’t have to validate and then it’s “if it works, it works”. Still better than your average CLI script.

I ran it 1000 times, 500 times with and 500 times without validation. It took around 13 minutes and 100% of runs succeeded. This doesn’t mean it is fail-proof, of course.

Other than that, I haven’t tested it a lot and I’d suggest using it for non-admin accounts. My use case is to change the monitor account password, the account/role I use in the Collector container from my E-Series Performance Analyzer fork.

If you run it attended (as opposed to unattended), it’s fine to use it for any account. When you change the admin account password, have that NetApp KB on how to reset the admin password handy because if admin is locked out you can’t just log in to change it back.
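The change-then-validate flow and the controller-failure window described above, as an added example that is not the author's epasschange script. The function name, result strings, endpoint paths, JSON body shape, system ID `1` and Basic authentication are assumptions and should be checked against the array's API documentation.

```powershell
#Requires -Version 7
# Added example. ASSUMPTIONS: the local-users endpoint, its JSON body, system ID "1"
# and Basic auth are not from the post; check them against your array's API docs.
function Set-ESeriesLocalPassword {
    param(
        [Parameter(Mandatory)][string[]]$Controllers,   # e.g. 'ctrl-a.example:8443','ctrl-b.example:8443'
        [Parameter(Mandatory)][pscredential]$AdminCred,
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][securestring]$NewPassword,
        [switch]$Validate,
        [int]$Retries = 3
    )
    $body = @{
        currentAdminPassword = $AdminCred.GetNetworkCredential().Password
        updates = @{
            userName    = $UserName
            newPassword = ConvertFrom-SecureString $NewPassword -AsPlainText
        }
    } | ConvertTo-Json
    # Send the change to the first controller that accepts it.
    $changed = $false
    foreach ($c in $Controllers) {
        try {
            Invoke-RestMethod -Method Post -Uri "https://$c/devmgr/v2/storage-systems/1/local-users" `
                -Authentication Basic -Credential $AdminCred `
                -ContentType 'application/json' -Body $body | Out-Null
            $changed = $true; break
        } catch { Write-Warning "Change via $c failed: $($_.Exception.Message)" }
    }
    if (-not $changed)  { return 'ChangeFailed' }
    if (-not $Validate) { return 'ChangedNotValidated' }

    # Validate on every controller so one failing right after the change is not read as a failed change.
    $newCred = [pscredential]::new($UserName, $NewPassword)
    foreach ($attempt in 1..$Retries) {
        foreach ($c in $Controllers) {
            try {
                Invoke-RestMethod -Uri "https://$c/devmgr/v2/storage-systems/1" `
                    -Authentication Basic -Credential $newCred | Out-Null
                return 'ChangedAndValidated'
            } catch {
                # 401 means the new password was rejected; anything else is "unknown".
                if ([int]$_.Exception.Response.StatusCode -eq 401) { return 'ChangedButRejected' }
            }
        }
        Start-Sleep -Milliseconds 500
    }
    return 'ChangedValidationUnreachable'
}
```

A result of `ChangedValidationUnreachable` means the new password may well be in effect, so an unattended job should alert on it and not re-run the change with the old credentials.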

Summary

If you think Ansible can save you time or something like that, use Ansible modules for E-Series to accomplish the same. I couldn’t figure out how to use Ansible with E-Series so I gave up.

An alternative approach is to use PowerShell (or Python) to avoid Ansible. A downside is you must have your own script.

I think PowerShell is easier, faster and better, but the Ansible module for E-Series password change may be (who knows if it is) more reliable. At the same time I also think Ansible itself is more likely to break than PowerShell 7.

I’ll post this script to my eseries repository on GitHub once I finalize this improved and more reliable version.

