This Question is Possibly Answered
1 "correct" answer available (10 pts)
9 Replies
Last post:
Oct 31, 2009 10:22 AM by
Texiwill
Templates are harder to administer. We give people VM User, to power on / power off their VM's. They are Windows admins. Maybe some companies have a need to allow more people access to deploy their own templates, but that is opening yourself up. I prefer to keep it limited, they request a VM, I give them what they ask for, and they can do whatever they want inside the VM.
I figure all they need (once the VM is deployed) is to power it on if it's off, or reset if it gets stuck. I experimented with VM Admin, but templates is tricky, because you have to give them top level access to the datacenter where their VM is, but not propagate. Then drill down to where the VM lives in a Resource pool or ESX host. Then give them rights to that machine / pool. And sometimes they still can't get proper authority to deploy templates, because they need root level to the SAN storage. I tried on different hosts and its a nighmare to manage.
I found it easier to just deploy whatever template they want (you can even schedule it) and if you design the templates properly they can build themselves you just initiate the sequence, and after 30 minutes, it adds itself to the network, reboots, updates itself.. all automated, then its ready.
But I see your delima, It's tough to know who to trust, but I say keep it confined to a very small number of people for deployments and VM Console access, you are just asking for trouble if you get someone that doesn't know what they are doing.. and there are MANY that say they understand, to find out they don't really understand at all. That's ok if you do it to your own VM, but I don't want to come in on a Sat at 4:00am to fix an issue because somebody 'thought' they had it.
I figure all they need (once the VM is deployed) is to power it on if it's off, or reset if it gets stuck. I experimented with VM Admin, but templates is tricky, because you have to give them top level access to the datacenter where their VM is, but not propagate. Then drill down to where the VM lives in a Resource pool or ESX host. Then give them rights to that machine / pool. And sometimes they still can't get proper authority to deploy templates, because they need root level to the SAN storage. I tried on different hosts and its a nighmare to manage.
I found it easier to just deploy whatever template they want (you can even schedule it) and if you design the templates properly they can build themselves you just initiate the sequence, and after 30 minutes, it adds itself to the network, reboots, updates itself.. all automated, then its ready.
But I see your delima, It's tough to know who to trust, but I say keep it confined to a very small number of people for deployments and VM Console access, you are just asking for trouble if you get someone that doesn't know what they are doing.. and there are MANY that say they understand, to find out they don't really understand at all. That's ok if you do it to your own VM, but I don't want to come in on a Sat at 4:00am to fix an issue because somebody 'thought' they had it.
Hi again,
i do understand that vi does give a additional challenge but what i understand also is that you vmadmin guy do have rights to every machine on your Cluster..? Or you have right to see and them and manage the setting but Active Directory rights limit you on the windows side? i mean there must be someplace where the vm guy isn't god
Not many but some place... or i'm the only poor soul around ? ehhe
i do understand that vi does give a additional challenge but what i understand also is that you vmadmin guy do have rights to every machine on your Cluster..? Or you have right to see and them and manage the setting but Active Directory rights limit you on the windows side? i mean there must be someplace where the vm guy isn't god
Not many but some place... or i'm the only poor soul around ? ehhe
