VMware vSphere


Vcenter permission changing problem

  • 1.  Vcenter permission changing problem

    Posted Aug 25, 2010 08:24 PM

    I am attempting to change the permissions on my vSphere vCenter to remove the local administrators group and put in a VMware Administrators AD group and the local server Administrator account.

    I can pull in the domain group okay, but cannot pull in the local Administrator account. I cannot even access the local accounts on the server; I get the error message: A general system error occurred: error accessing directory. I cannot remove the Administrators group either.

    The server is running Windows 2008 R2 with SQL 2008 SP1, I am at 4.0.0 (208111).

    Any ideas?

    Thanks



  • 2.  RE: Vcenter permission changing problem

    Posted Aug 25, 2010 08:31 PM

    You've added in the new group and given it the administrator role at the vCenter level, correct? You are also in the group, correct? Have you tried to close out the vSphere4 Client, then connect back in and delete the administrators group?

    Also, if you haven't already, disable UAC.



  • 3.  RE: Vcenter permission changing problem

    Posted Aug 25, 2010 09:23 PM

    Yes, I am in the domain admin group so I am in the default local Administrators group.

    The odd thing is I can add and remove the domain groups but not the local groups from the server (that has got to be a clue, I just haven’t found it yet). The error pops up when you try to browse the accounts on the local server.

    I disabled the UAC, so no more prompts.

    I know SQL 2008 has new security rules, but I have not tried to elevate the privileges and tried it yet.



  • 4.  RE: Vcenter permission changing problem

    Posted Aug 25, 2010 09:29 PM

    The administrator role in vCenter doesn't care whether or not you are a domain admin or domain user. What matters is that the AD group to which you give the administrator role must have you in it. Does it?



  • 5.  RE: Vcenter permission changing problem

    Posted Aug 25, 2010 09:29 PM

    I can pull in the domain group okay, but cannot pull in the local Administrator account.

    That's right, can't be done. It's a built in, default account. You cannot remove it.



  • 6.  RE: Vcenter permission changing problem

    Posted Aug 25, 2010 09:32 PM

    Maybe I'm confused. My understanding was the OP was trying to remove the administrators group out of vCenter. Is this not the case? And if you remove that administrators group out of vCenter before you add any others to the administrator role, well, then you're in a bit of a pickle.
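
The ordering concern raised in this post (give a replacement group the administrator role before removing the built-in Administrators group), as an added PowerCLI example that is not part of the original thread. It assumes VMware PowerCLI is installed and a `Connect-VIServer` session is already open; both principal names are placeholders to be matched against what `Get-VIPermission` actually reports.

```powershell
# Added example, not from the thread. Requires VMware PowerCLI and an
# existing Connect-VIServer session to the vCenter Server.
param(
    # Hypothetical AD group that should keep full administrative access.
    [string]$KeepPrincipal = 'EXAMPLE\VMware Administrators',
    # Built-in local group to remove; confirm the exact spelling in the
    # table printed below before relying on this default.
    [string]$DropPrincipal = 'Administrators'
)

# Top-level inventory folder, where the default Administrators permission lives.
$root = Get-Folder -NoRecursion

# Everyone holding the built-in administrator role ('Admin') on the root.
$admins = Get-VIPermission -Entity $root | Where-Object { $_.Role -eq 'Admin' }
$admins | Format-Table Principal, IsGroup, Role, Propagate -AutoSize

# Lockout guard: the replacement must already hold the role on the root
# and propagate to child objects before anything is removed.
$replacement = $admins | Where-Object {
    $_.Principal -eq $KeepPrincipal -and $_.Propagate
}
if (-not $replacement) {
    Write-Warning "'$KeepPrincipal' does not hold a propagating Admin permission on '$($root.Name)'. Nothing removed."
    return
}

$old = $admins | Where-Object { $_.Principal -eq $DropPrincipal }
if (-not $old) {
    Write-Warning "No Admin permission found for '$DropPrincipal' on '$($root.Name)'."
    return
}

# Prompts before removing; log in as a member of $KeepPrincipal first to
# confirm that the replacement permission really works.
Remove-VIPermission -Permission $old -Confirm:$true
```

The script only checks that the replacement permission exists; it cannot confirm that the person running it is a member of that group, which is the other question asked earlier in the thread.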



  • 7.  RE: Vcenter permission changing problem

    Posted Aug 26, 2010 08:22 PM

    Why am I not able to pull in accounts from the local server into the vSphere vCenter system? I can do it in my 2.5 vCenter environment. (They are completely separate.)

    My goal is to add the local server Administrator to the vCenter Administrator role, in case the system falls off the domain.

    I have the domain group on the vCenter environment in an Administrator role, that works okay.

    I want to remove the Administrator(s) which I am assuming is from the local server, off the system as an Administrator role because it has my SQL DBA in it. I should leave him in that role to manage SQL on the server.

    I was able to do this on my vcenter 2.5 system.



  • 8.  RE: Vcenter permission changing problem

    Posted Aug 27, 2010 09:15 AM

    Why am I not able to pull in accounts from the local server into the vSphere vCenter system,

    Have you verified that you can access the local accounts using ordinary Windows Computer Management? Just to make sure there is no Windows permission problem that keeps you from touching the local SAM database.

    I want to remove the Administrator(s) which I am assuming is from the local server, off the system as an Administrator role because it has my SQL DBA in it. I should leave him in that role to manage SQL on the server.

    You are of course aware that if the DBA wants, he can gain access to the vCenter since he is in the Administrators local group? But if you just do not want him to accidentally access the VMware environment it should be fine.

    The Administrators group which by default has the Administrator Role in vCenter is the built in local one.

    If you can access the Users and Groups management page, could you try to create a new local group, adding the local Administrator to the group and then try to give the new group the Administrator Role in vCenter? If there is any trouble with giving access directly to accounts.



  • 9.  RE: Vcenter permission changing problem

    Posted Aug 27, 2010 08:00 PM

    Thanks for the answers,

    I don't have any problem accessing the security profiles of the server either locally or remote.

    It is just that the vSphere client, whether running on the server or remote, cannot access the local system security to pull in any accounts.

    VMware tech support punted the call when they found the server at Windows 2008 R2 / SQL 2008 SP1; this is supported on ESX 4.1. I cannot go to 4.1 until after I implement an EMC Avamar setup the second week of Sept.

    I guess I will have to live with the DBA able to stir the pot until then.

    I just hope this is not systemic of a deeper problem.

    Thanks,



  • 10.  RE: Vcenter permission changing problem

    Posted Aug 27, 2010 08:09 PM

    Just curious... what happens if you change your AD timeout settings in vCenter to 120 seconds, as well as changing the number from say 5000 to maybe 10000 for your query limit?

    Home > vCenter Server Settings > Active Directory



  • 11.  RE: Vcenter permission changing problem

    Posted Aug 30, 2010 12:41 AM

    The Timeout was already at 120, the change to 10000 made no difference.

    Thanks,