VMware vSphere

  • 1.  Removing Administrator Permission and define New Group

    Posted Feb 15, 2007 03:19 AM

    Hi Folks,

    Have VC 2 running for some time with 8 or so hosts and as it was a standard install the default permission of the Administrators Group is at the DataCentre Level and Propagated through all the hosts. As this is mapped to the AD Admin group I want to change this as we have a number of Domain Admins in AD but not all are VM guys.

    I created another group in AD (VIAdmin) from a clone of the Admin Group in VC so it has the same rights, but I cannot remove the Administrator Group in VC or even take the tick off to propagate, and wondered how I can get around this and how others stop all AD Administrators having access to the entire DataCentre if they load VI Client.

    I was thinking I may have to re-install VC as a user in the new VIAdmin group?

    Cheers Norm



  • 2.  RE: Removing Administrator Permission and define New Group

    Posted Feb 15, 2007 03:41 AM

    I almost always remove the domain admins group from the local administrators group of the VC server, this will allow you to control who has access to VC.



  • 3.  RE: Removing Administrator Permission and define New Group

    Posted Feb 15, 2007 03:44 AM

    You are a star. I did not even consider the access from there rather than driving from VC.

    Thanks for the great tip.

    Cheers Norm



  • 4.  RE: Removing Administrator Permission and define New Group

    Posted Feb 20, 2007 02:45 AM

    Glad to help, there always seems to be way too many domain admins.



  • 5.  RE: Removing Administrator Permission and define New Group

    Posted Feb 15, 2007 12:17 PM

    Norm,

    You do not want to clone the default Administrator role in VC. You want to add your VIAdmin group to the root of Hosts & Clusters, assigning the default Administrator role... this will then allow you to remove the local server's Administrators group from the root.

    Regards,

    J



  • 6.  RE: Removing Administrator Permission and define New Group

    Posted Feb 21, 2007 10:33 PM

    For those out there that are not allowed to modify the members of the Local Administrators group, it looks like all VC wants is at least one account that is local to the server and that has administrative rights, that way there is at least one account that can access VC even if the domain is down.

    I've been trying to lock down access to our VC server and found that I could remove the Local Administrators group only after I added the local Administrator account.



  • 7.  RE: Removing Administrator Permission and define New Group

    Posted Feb 22, 2007 12:11 PM

    You can also use a Local Group (other than Administrators), but it does appear the local administrator account needs to be a member.

    Looks like VMware has a hardcoded check for that SID... to make sure you don't accidentally cut your own legs off.



  • 8.  RE: Removing Administrator Permission and define New Group

    Posted Jun 18, 2007 01:34 PM

    One simple thing I tried, just for everyone's information.

    Created user account 'VCAdmin'

    Added this account in local administrators group of Windows M/C

    Now logged into Virtual Center with local administrator account.

    Selected Hosts & Cluster, added this VCAdmin under the VC administrator role, and only then was I able to remove the default administrator role.

    Thanks this post has helped and given me direction.



  • 9.  RE: Removing Administrator Permission and define New Group

    Posted Jun 18, 2007 01:38 PM

    Yes, this is best practice... (in my book: remove the default, which is the Local Admin group, assigning a different local group that is limited vs. a larger Domain Admin group. Of course, domain admins can just add themselves to the local group or reset the local account password... if they were trying to "break in" - but I think it's still better than nothing)

    But that Administrator user must be assigned before removing the other admin group assignment. There must ALWAYS be one assignment of the Administrator role at all times.

    Message was edited by:

    hicksj

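The sequence the thread converges on (grant the dedicated VIAdmin group the Administrator role at the root, then remove the local Administrators group only once another Administrator-role assignment exists) can be scripted with VMware PowerCLI so the "there must always be one Administrator assignment" rule is enforced before anything is removed. This is an added example, not code from the thread; the vCenter name, the domain prefix and the exact spelling of the local Administrators principal are placeholders you must adjust.

```powershell
# Added example (not from the thread). Requires VMware PowerCLI.
# Assumptions (placeholders): vCenter "vc.example.local", AD group "EXAMPLE\VIAdmin",
# and the root assignment to drop shown as "VCHOST\Administrators".
Connect-VIServer -Server 'vc.example.local' | Out-Null

$root         = Get-Folder -NoRecursion            # top-level inventory root
$adminRole    = Get-VIRole -Name 'Administrator'
$newPrincipal = 'EXAMPLE\VIAdmin'                  # placeholder: domain\group
$oldPrincipal = 'VCHOST\Administrators'            # placeholder: VC server's local Administrators

# Step 1: grant the new group the default Administrator role at the root,
# propagated to every child object (datacenters, clusters, hosts).
$existing = Get-VIPermission -Entity $root -Principal $newPrincipal -ErrorAction SilentlyContinue
if (-not $existing) {
    New-VIPermission -Entity $root -Principal $newPrincipal -Role $adminRole -Propagate:$true | Out-Null
}

# Step 2: before removing the old assignment, confirm at least one OTHER
# Administrator-role assignment remains at the root (the rule from post 9).
$remaining = @(Get-VIPermission -Entity $root |
    Where-Object { $_.Role -eq $adminRole.Name -and $_.Principal -ne $oldPrincipal })

if ($remaining.Count -ge 1) {
    Get-VIPermission -Entity $root -Principal $oldPrincipal -ErrorAction SilentlyContinue |
        Remove-VIPermission -Confirm:$false
    Write-Host "Removed $oldPrincipal; $($remaining.Count) Administrator assignment(s) remain at the root."
} else {
    Write-Warning "Refusing to remove $oldPrincipal: no other Administrator assignment at the root."
}

Disconnect-VIServer -Confirm:$false
```

Run it with an account that holds the Administrator role itself, so the session performing the change is not the one being locked out.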