PowerCLI

  • 1.  Permission to perform this operation was denied on folder

    Posted May 04, 2010 03:57 PM

    Hi,

    In the VMs and Templates view, I have a folder under datacenter with the name desktops. When I want to move a virtual machine into it or out of it I get:

    Permission to perform this operation was denied.

    You do not hold priviledge "Virtual machine > Inventory > Move" on folder "desktops"

    When I right-click the folder, I do not have the option to set or add permissions to the folder. I have other folders which don't have this problem.

    I am the Administrator so logged in with these rights.

    Using vCenter 4.1. Any suggestions?



  • 2.  RE: Permission to perform this operation was denied on folder

    Posted May 04, 2010 04:31 PM

    Did you check the log ?

    Permission problems most of the time produce a clear message.

    You could also try the Set-VIPermission cmdlet on a parent folder with the -Propagate parameter.

    That way you should be able to assign yourself the proper permissions on the folder.

    Make sure you select the correct value for the -Role parameter.

    If it doesn't work could you do a Get-VIPermission on the folder ?

    And also a Get-VIPrivilege -Role with the roles you get back from the previous cmdlet ?

    That could perhaps allow us to see why it goes wrong.

    ____________

    Blog: LucD notes

    Twitter: lucd22



  • 3.  RE: Permission to perform this operation was denied on folder

    Posted May 05, 2010 02:27 PM

    Hi LucD,

    Which log would be the best to look in for this problem?

    If it doesn't work could you do a Get-VIPermission on the folder ?

    See below

    And also a Get-VIPrivilege -Role with the roles you get back from the previous cmdlet ?

    See below

    Hope you can help

    C:\Program Files\VMware\Infrastructure\vSphere PowerCLI> get-folder desktops|Get-VIPermission

    EntityId           Role                    Principal        IsGroup  Propagate
    --------           ----                    ---------        -------  ---------
    Folder-group-v789  FabDesktopWebUsers      FAB\DL_VM_Vi...  True     True
    Folder-group-d1    Admin                   Administrators   True     True
    Folder-group-d1    Fab ESX Administrators  FAB\DL_VMPap...  True     True


    Fab ESX Administrators

    C:\Program Files\VMware\Infrastructure\vSphere PowerCLI> Get-VIPrivilege -Role "Fab ESX Administrators"

    Name Id

    ---- --

    Anonymous System.Anonymous

    View System.View

    Read System.Read

    Manage custom attributes Global.ManageCustomFields

    Set custom attribute Global.SetCustomField

    Log event Global.LogEvent

    Cancel task Global.CancelTask

    Licenses Global.Licenses

    Diagnostics Global.Diagnostics

    Settings Global.Settings

    Act as vCenter Server Global.VCServer

    Capacity planning Global.CapacityPlanning

    Script action Global.ScriptAction

    Proxy Global.Proxy

    Disable methods Global.DisableMethods

    Enable methods Global.EnableMethods

    Service managers Global.ServiceManagers

    Create folder Folder.Create

    Delete folder Folder.Delete

    Rename folder Folder.Rename

    Move folder Folder.Move

    Create datacenter Datacenter.Create

    Remove datacenter Datacenter.Delete

    Rename datacenter Datacenter.Rename

    Move datacenter Datacenter.Move

    Rename datastore Datastore.Rename

    Remove datastore Datastore.Delete

    Browse datastore Datastore.Browse

    Remove file Datastore.DeleteFile

    Low level file operations Datastore.FileManagement

    Remove Network.Delete

    Add standalone host Host.Inventory.AddStandaloneHost

    Create cluster Host.Inventory.CreateCluster

    Add host to cluster Host.Inventory.AddHostToCluster

    Remove host Host.Inventory.RemoveHostFromClu...

    Move cluster or standalone host Host.Inventory.MoveCluster

    Rename cluster Host.Inventory.RenameCluster

    Remove cluster Host.Inventory.DeleteCluster

    Modify cluster Host.Inventory.EditCluster

    Move host Host.Inventory.MoveHost

    System Management Host.Config.SystemManagement

    Connection Host.Config.Connection

    Maintenance Host.Config.Maintenance

    Virtual machine autostart config... Host.Config.AutoStart

    Hyperthreading Host.Config.HyperThreading

    Storage partition configuration Host.Config.Storage

    Security profile and firewall Host.Config.NetService

    Memory configuration Host.Config.Memory

    Network configuration Host.Config.Network

    Advanced settings Host.Config.AdvancedConfig

    System resources Host.Config.Resources

    Change SNMP settings Host.Config.Snmp

    Change date and time settings Host.Config.DateTime

    Change settings Host.Config.Settings

    Query patch Host.Config.Patch

    Firmware Host.Config.Firmware

    Add host to vCenter Host.Local.InstallAgent

    Manage user groups Host.Local.ManageUserGroups

    Create virtual machine Host.Local.CreateVM

    Delete virtual machine Host.Local.DeleteVM

    CIM interaction Host.Cim.CimInteraction

    Create new VirtualMachine.Inventory.Create

    Create from existing VirtualMachine.Inventory.CreateF...

    Register VirtualMachine.Inventory.Register

    Remove VirtualMachine.Inventory.Delete

    Unregister VirtualMachine.Inventory.Unregister

    Move VirtualMachine.Inventory.Move

    Power On VirtualMachine.Interact.PowerOn

    Power Off VirtualMachine.Interact.PowerOff

    Suspend VirtualMachine.Interact.Suspend

    Reset VirtualMachine.Interact.Reset

    Answer question VirtualMachine.Interact.AnswerQu...

    Console interaction VirtualMachine.Interact.ConsoleI...

    Device connection VirtualMachine.Interact.DeviceCo...

    Configure CD media VirtualMachine.Interact.SetCDMedia

    Configure floppy media VirtualMachine.Interact.SetFlopp...

    VMware Tools install VirtualMachine.Interact.ToolsIns...

    Defragment all disks VirtualMachine.Interact.Defragme...

    Backup operation on virtual machine VirtualMachine.Interact.Backup

    Rename VirtualMachine.Config.Rename

    Add existing disk VirtualMachine.Config.AddExistin...

    Add new disk VirtualMachine.Config.AddNewDisk

    Remove disk VirtualMachine.Config.RemoveDisk

    Raw device VirtualMachine.Config.RawDevice

    Host USB device VirtualMachine.Config.HostUSBDevice

    Change CPU count VirtualMachine.Config.CPUCount

    Memory VirtualMachine.Config.Memory

    Add or remove device VirtualMachine.Config.AddRemoveD...

    Modify device settings VirtualMachine.Config.EditDevice

    Settings VirtualMachine.Config.Settings

    Change resource VirtualMachine.Config.Resource

    Upgrade virtual hardware VirtualMachine.Config.UpgradeVir...

    Reset guest information VirtualMachine.Config.ResetGuest...

    Advanced VirtualMachine.Config.AdvancedCo...

    Disk lease VirtualMachine.Config.DiskLease

    Swapfile placement VirtualMachine.Config.SwapPlacement

    Extend virtual disk VirtualMachine.Config.DiskExtend

    Create snapshot VirtualMachine.State.CreateSnapshot

    Revert to snapshot VirtualMachine.State.RevertToSna...

    Remove Snapshot VirtualMachine.State.RemoveSnapshot

    Rename Snapshot VirtualMachine.State.RenameSnapshot

    Customize VirtualMachine.Provisioning.Cust...

    Clone virtual machine VirtualMachine.Provisioning.Clone

    Create template from virtual mac... VirtualMachine.Provisioning.Crea...

    Deploy template VirtualMachine.Provisioning.Depl...

    Clone template VirtualMachine.Provisioning.Clon...

    Mark as template VirtualMachine.Provisioning.Mark...

    Mark as virtual machine VirtualMachine.Provisioning.Mark...

    Read customization specifications VirtualMachine.Provisioning.Read...

    Modify customization specification VirtualMachine.Provisioning.Modi...

    Allow disk access VirtualMachine.Provisioning.Disk...

    Allow read-only disk access VirtualMachine.Provisioning.Disk...

    Allow virtual machine download VirtualMachine.Provisioning.GetV...

    Allow virtual machine files upload VirtualMachine.Provisioning.PutV...

    Assign virtual machine to resour... Resource.AssignVMToPool

    Apply recommendation Resource.ApplyRecommendation

    Create resource pool Resource.CreatePool

    Rename resource pool Resource.RenamePool

    Modify resource pool Resource.EditPool

    Move resource pool Resource.MovePool

    Remove resource pool Resource.DeletePool

    Migrate Resource.HotMigrate

    Relocate Resource.ColdMigrate

    Query VMotion Resource.QueryVMotion

    Create alarm Alarm.Create

    Remove alarm Alarm.Delete

    Modify alarm Alarm.Edit

    Create task Task.Create

    Update task Task.Update

    Create tasks ScheduledTask.Create

    Remove task ScheduledTask.Delete

    Run task ScheduledTask.Run

    Modify task ScheduledTask.Edit

    View and stop sessions Sessions.TerminateSession

    Validate session Sessions.ValidateSession

    Message Sessions.GlobalMessage

    Impersonate user Sessions.ImpersonateUser

    Modify intervals Performance.ModifyIntervals

    Modify role Authorization.ModifyRoles

    Reassign role permissions Authorization.ReassignRolePermis...

    Modify permission Authorization.ModifyPermissions

    Register extension Extension.Register

    Update extension Extension.Update

    Unregister extension Extension.Unregister

    Assign Baseline VcIntegrity.Baseline.com.vmware....

    Manage Baseline VcIntegrity.Baseline.com.vmware....

    Configure Service VcIntegrity.General.com.vmware.v...

    Remediate Patches and Upgrades VcIntegrity.Updates.com.vmware.v...

    Scan Patches and Upgrades VcIntegrity.Updates.com.vmware.v...

    View Compliance Status VcIntegrity.Updates.com.vmware.v...

    The Default Admin

    C:\Program Files\VMware\Infrastructure\vSphere PowerCLI> Get-VIPrivilege -Role Admin

    Name Id

    ---- --

    Anonymous System.Anonymous

    View System.View

    Read System.Read

    Manage custom attributes Global.ManageCustomFields

    Set custom attribute Global.SetCustomField

    Log event Global.LogEvent

    Cancel task Global.CancelTask

    Licenses Global.Licenses

    Diagnostics Global.Diagnostics

    Settings Global.Settings

    Act as vCenter Server Global.VCServer

    Capacity planning Global.CapacityPlanning

    Script action Global.ScriptAction

    Proxy Global.Proxy

    Disable methods Global.DisableMethods

    Enable methods Global.EnableMethods

    Service managers Global.ServiceManagers

    Health Global.Health

    System tag Global.SystemTag

    Global tag Global.GlobalTag

    Create folder Folder.Create

    Delete folder Folder.Delete

    Rename folder Folder.Rename

    Move folder Folder.Move

    Create datacenter Datacenter.Create

    Remove datacenter Datacenter.Delete

    Rename datacenter Datacenter.Rename

    Move datacenter Datacenter.Move

    IP pool configuration Datacenter.IpPoolConfig

    Rename datastore Datastore.Rename

    Move datastore Datastore.Move

    Remove datastore Datastore.Delete

    Browse datastore Datastore.Browse

    Remove file Datastore.DeleteFile

    Low level file operations Datastore.FileManagement

    Allocate space Datastore.AllocateSpace

    Move network Network.Move

    Remove Network.Delete

    Configure Network.Config

    Assign network Network.Assign

    Create DVSwitch.Create

    Modify DVSwitch.Modify

    Host operation DVSwitch.HostOp

    Policy operation DVSwitch.PolicyOp

    Port configuration operation DVSwitch.PortConfig

    Port setting operation DVSwitch.PortSetting

    Delete DVSwitch.Delete

    Move DVSwitch.Move

    VSPAN operation DVSwitch.Vspan

    Create DVPortgroup.Create

    Modify DVPortgroup.Modify

    Policy operation DVPortgroup.PolicyOp

    Scope operation DVPortgroup.ScopeOp

    Delete DVPortgroup.Delete

    Add standalone host Host.Inventory.AddStandaloneHost

    Create cluster Host.Inventory.CreateCluster

    Add host to cluster Host.Inventory.AddHostToCluster

    Remove host Host.Inventory.RemoveHostFromClu...

    Move cluster or standalone host Host.Inventory.MoveCluster

    Rename cluster Host.Inventory.RenameCluster

    Remove cluster Host.Inventory.DeleteCluster

    Modify cluster Host.Inventory.EditCluster

    Move host Host.Inventory.MoveHost

    System Management Host.Config.SystemManagement

    Connection Host.Config.Connection

    Maintenance Host.Config.Maintenance

    Virtual machine autostart config... Host.Config.AutoStart

    Hyperthreading Host.Config.HyperThreading

    Storage partition configuration Host.Config.Storage

    Security profile and firewall Host.Config.NetService

    Memory configuration Host.Config.Memory

    Network configuration Host.Config.Network

    Advanced settings Host.Config.AdvancedConfig

    System resources Host.Config.Resources

    Change SNMP settings Host.Config.Snmp

    Change date and time settings Host.Config.DateTime

    Change PciPassthru settings Host.Config.PciPassthru

    Change settings Host.Config.Settings

    Query patch Host.Config.Patch

    Firmware Host.Config.Firmware

    Add host to vCenter Host.Local.InstallAgent

    Manage user groups Host.Local.ManageUserGroups

    Create virtual machine Host.Local.CreateVM

    Reconfigure virtual machine Host.Local.ReconfigVM

    Delete virtual machine Host.Local.DeleteVM

    CIM interaction Host.Cim.CimInteraction

    Create new VirtualMachine.Inventory.Create

    Create from existing VirtualMachine.Inventory.CreateF...

    Register VirtualMachine.Inventory.Register

    Remove VirtualMachine.Inventory.Delete

    Unregister VirtualMachine.Inventory.Unregister

    Move VirtualMachine.Inventory.Move

    Power On VirtualMachine.Interact.PowerOn

    Power Off VirtualMachine.Interact.PowerOff

    Suspend VirtualMachine.Interact.Suspend

    Reset VirtualMachine.Interact.Reset

    Answer question VirtualMachine.Interact.AnswerQu...

    Console interaction VirtualMachine.Interact.ConsoleI...

    Device connection VirtualMachine.Interact.DeviceCo...

    Configure CD media VirtualMachine.Interact.SetCDMedia

    Configure floppy media VirtualMachine.Interact.SetFlopp...

    VMware Tools install VirtualMachine.Interact.ToolsIns...

    Defragment all disks VirtualMachine.Interact.Defragme...

    Turn On Fault Tolerance VirtualMachine.Interact.CreateSe...

    Turn Off Fault Tolerance VirtualMachine.Interact.TurnOffF...

    Test failover VirtualMachine.Interact.MakePrimary

    Test restart Secondary VM VirtualMachine.Interact.Terminat...

    Disable Fault Tolerance VirtualMachine.Interact.DisableS...

    Enable Fault Tolerance VirtualMachine.Interact.EnableSe...

    Record session on Virtual Machine VirtualMachine.Interact.Record

    Replay session on Virtual Machine VirtualMachine.Interact.Replay

    Backup operation on virtual machine VirtualMachine.Interact.Backup

    Create screenshot VirtualMachine.Interact.CreateSc...

    Rename VirtualMachine.Config.Rename

    Add existing disk VirtualMachine.Config.AddExistin...

    Add new disk VirtualMachine.Config.AddNewDisk

    Remove disk VirtualMachine.Config.RemoveDisk

    Raw device VirtualMachine.Config.RawDevice

    Host USB device VirtualMachine.Config.HostUSBDevice

    Change CPU count VirtualMachine.Config.CPUCount

    Memory VirtualMachine.Config.Memory

    Add or remove device VirtualMachine.Config.AddRemoveD...

    Modify device settings VirtualMachine.Config.EditDevice

    Settings VirtualMachine.Config.Settings

    Change resource VirtualMachine.Config.Resource

    Upgrade virtual hardware VirtualMachine.Config.UpgradeVir...

    Reset guest information VirtualMachine.Config.ResetGuest...

    Advanced VirtualMachine.Config.AdvancedCo...

    Disk lease VirtualMachine.Config.DiskLease

    Swapfile placement VirtualMachine.Config.SwapPlacement

    Extend virtual disk VirtualMachine.Config.DiskExtend

    Disk change tracking VirtualMachine.Config.ChangeTrac...

    Query unowned files VirtualMachine.Config.QueryUnown...

    Create snapshot VirtualMachine.State.CreateSnapshot

    Revert to snapshot VirtualMachine.State.RevertToSna...

    Remove Snapshot VirtualMachine.State.RemoveSnapshot

    Rename Snapshot VirtualMachine.State.RenameSnapshot

    Customize VirtualMachine.Provisioning.Cust...

    Clone virtual machine VirtualMachine.Provisioning.Clone

    Promote disks VirtualMachine.Provisioning.Prom...

    Create template from virtual mac... VirtualMachine.Provisioning.Crea...

    Deploy template VirtualMachine.Provisioning.Depl...

    Clone template VirtualMachine.Provisioning.Clon...

    Mark as template VirtualMachine.Provisioning.Mark...

    Mark as virtual machine VirtualMachine.Provisioning.Mark...

    Read customization specifications VirtualMachine.Provisioning.Read...

    Modify customization specification VirtualMachine.Provisioning.Modi...

    Allow disk access VirtualMachine.Provisioning.Disk...

    Allow read-only disk access VirtualMachine.Provisioning.Disk...

    Allow virtual machine download VirtualMachine.Provisioning.GetV...

    Allow virtual machine files upload VirtualMachine.Provisioning.PutV...

    Assign virtual machine to resour... Resource.AssignVMToPool

    Assign VApp to resource pool Resource.AssignVAppToPool

    Apply recommendation Resource.ApplyRecommendation

    Create resource pool Resource.CreatePool

    Rename resource pool Resource.RenamePool

    Modify resource pool Resource.EditPool

    Move resource pool Resource.MovePool

    Remove resource pool Resource.DeletePool

    Migrate Resource.HotMigrate

    Relocate Resource.ColdMigrate

    Query VMotion Resource.QueryVMotion

    Create alarm Alarm.Create

    Remove alarm Alarm.Delete

    Modify alarm Alarm.Edit

    Acknowledge alarm Alarm.Acknowledge

    Set alarm status Alarm.SetStatus

    Disable alarm action Alarm.DisableActions

    Create task Task.Create

    Update task Task.Update

    Create tasks ScheduledTask.Create

    Remove task ScheduledTask.Delete

    Run task ScheduledTask.Run

    Modify task ScheduledTask.Edit

    View and stop sessions Sessions.TerminateSession

    Validate session Sessions.ValidateSession

    Message Sessions.GlobalMessage

    Impersonate user Sessions.ImpersonateUser

    Modify intervals Performance.ModifyIntervals

    Modify role Authorization.ModifyRoles

    Reassign role permissions Authorization.ReassignRolePermis...

    Modify permission Authorization.ModifyPermissions

    Register extension Extension.Register

    Update extension Extension.Update

    Unregister extension Extension.Unregister

    vApp resource configuration VApp.ResourceConfig

    vApp instance configuration VApp.InstanceConfig

    vApp application configuration VApp.ApplicationConfig

    Export VApp.Export

    Import VApp.Import

    View OVF Environment VApp.ExtractOvfEnvironment

    Add virtual machine VApp.AssignVM

    Assign resource pool VApp.AssignResourcePool

    Assign vApp VApp.AssignVApp

    Clone VApp.Clone

    Create VApp.Create

    Delete VApp.Delete

    Unregister VApp.Unregister

    Move VApp.Move

    Power On VApp.PowerOn

    Power Off VApp.PowerOff

    Rename VApp.Rename

    Create Profile.Create

    Delete Profile.Delete

    Edit Profile.Edit

    View Profile.View

    Clear Profile.Clear

    Configure service StorageViews.ConfigureService

    View StorageViews.View

    Assign Baseline VcIntegrity.Baseline.com.vmware....

    Manage Baseline VcIntegrity.Baseline.com.vmware....

    Configure Service VcIntegrity.General.com.vmware.v...

    Remediate Patches and Upgrades VcIntegrity.Updates.com.vmware.v...

    Scan Patches and Upgrades VcIntegrity.Updates.com.vmware.v...

    Stage Patches VcIntegrity.Updates.com.vmware.v...

    View Compliance Status VcIntegrity.Updates.com.vmware.v...

    For other folders on the same level there is no problem (like there is a folder named w2k3).

    I did try to propagate from the folder above desktops in the GUI (sorry, not really convinced about my PowerShell skills to do the set-vipermissions), but no luck.

    Hope you can find something, or tell me to look in which log file.

    Addy



  • 4.  RE: Permission to perform this operation was denied on folder

    Posted May 05, 2010 03:57 PM

    These are the vpxd logs in C:\ProgramData\VMware\VMware VirtualCenter\Logs (on a W2K8 box).

    You can also consult them via the vSphere client.

    It's sometimes useful to set the messaging level to verbose if you're analysing problems.

    I'll get back to you after I have analysed the permissions and roles.

    ____________

    Blog: LucD notes

    Twitter: lucd22



  • 5.  RE: Permission to perform this operation was denied on folder
    Best Answer

    Posted May 05, 2010 09:20 PM

    It looks as if you're picking up the FabDesktopWebUsers role for the desktops folder.

    It is not listed but I assume that role doesn't hold the "Move VirtualMachine.Inventory.Move" privilege.

    And afaik vSphere uses the principle of least privilege, in other words if you're a member of 2 groups you will get the most restrictive privilege.

    Can you try removing your account from the principal (security group FAB\DL_VM_VI...) ?

    ____________

    Blog: LucD notes

    Twitter: lucd22
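
The check requested in reply 2 and reasoned about in reply 5 (Get-VIPermission on the folder, then Get-VIPrivilege for each role it returns) can be done in one pass. The PowerShell below is an added example, not code posted in the thread: the function name Get-FolderPrivilegeAudit is hypothetical, the permission rows are copied from the output in reply 3, and the privilege list for FabDesktopWebUsers is constructed because the thread never shows it.

```powershell
# Added example: report, for one folder, which permissions reach it and
# whether each permission's role holds a given privilege.
function Get-FolderPrivilegeAudit {
    param(
        [Parameter(Mandatory)] [string]    $FolderId,       # e.g. (Get-Folder desktops).Id
        [Parameter(Mandatory)] [object[]]  $Permission,     # rows shaped like Get-VIPermission output
        [Parameter(Mandatory)] [hashtable] $RolePrivilege,  # role name -> array of privilege Ids
        [string] $PrivilegeId = 'VirtualMachine.Inventory.Move'
    )
    foreach ($p in $Permission) {
        # Was the permission set on the folder itself or propagated from a parent?
        if     ($p.EntityId -eq $FolderId) { $scope = 'Direct' }
        elseif ($p.Propagate)              { $scope = 'Inherited' }
        else                               { $scope = 'NotPropagated' }

        # $null means no privilege list was supplied for this role.
        $has = $null
        if ($RolePrivilege.ContainsKey($p.Role)) {
            $has = $RolePrivilege[$p.Role] -contains $PrivilegeId
        }

        [pscustomobject]@{
            Principal    = $p.Principal
            Role         = $p.Role
            DefinedOn    = $p.EntityId
            Scope        = $scope
            HasPrivilege = $has
        }
    }
}

# Rows copied from the Get-VIPermission output in the thread
# (principal names are truncated there and are kept truncated here).
$rows = @(
    [pscustomobject]@{ EntityId = 'Folder-group-v789'; Role = 'FabDesktopWebUsers';     Principal = 'FAB\DL_VM_Vi...'; IsGroup = $true; Propagate = $true }
    [pscustomobject]@{ EntityId = 'Folder-group-d1';   Role = 'Admin';                  Principal = 'Administrators';  IsGroup = $true; Propagate = $true }
    [pscustomobject]@{ EntityId = 'Folder-group-d1';   Role = 'Fab ESX Administrators'; Principal = 'FAB\DL_VMPap...'; IsGroup = $true; Propagate = $true }
)

# Role -> privilege Ids. The first two are excerpts of the lists in the thread;
# the FabDesktopWebUsers entry is CONSTRUCTED (assumed), the thread does not list it.
$map = @{
    'Admin'                  = @('System.View', 'System.Read', 'VirtualMachine.Inventory.Move')
    'Fab ESX Administrators' = @('System.View', 'System.Read', 'VirtualMachine.Inventory.Move')
    'FabDesktopWebUsers'     = @('System.View', 'System.Read', 'VirtualMachine.Interact.PowerOn')
}

# Against a live vCenter (after Connect-VIServer) the same inputs come from:
#   $folder = Get-Folder desktops
#   $rows   = $folder | Get-VIPermission
#   $map    = @{}
#   $rows.Role | Sort-Object -Unique |
#       ForEach-Object { $map[$_] = @((Get-VIPrivilege -Role $_).Id) }

$audit = Get-FolderPrivilegeAudit -FolderId 'Folder-group-v789' -Permission $rows -RolePrivilege $map
$audit | Format-Table -AutoSize

# Permissions whose role lacks the privilege, i.e. the ones to review first.
$audit | Where-Object { $_.HasPrivilege -eq $false } |
    Select-Object Principal, Role, Scope
```

With the sample data, the only row flagged is the FabDesktopWebUsers permission set directly on Folder-group-v789.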



  • 6.  RE: Permission to perform this operation was denied on folder

    Posted May 06, 2010 08:59 AM

    YES! That did the trick. I removed myself from the group FAB\DL_VM_VI...

    And restarted the virtual centre server and it works. Thanks for your perfect help. I am a VCP410, but somehow missed a little bit with the most restrictive privilege part :smileyhappy: ....shame....



  • 7.  RE: Permission to perform this operation was denied on folder

    Posted May 06, 2010 09:25 AM

    Glad to have helped.

    To be honest I also learned this the hard way some time ago :smileywink:

    ____________

    Blog: LucD notes

    Twitter: lucd22