ESX 6.0 and vCenter 6.5 (Appliance)
We have an AD user account that is supposed to be configured as Read Only within vCenter which is used for system monitoring. The application people were having issues with authentication so I logged into vCenter using the credentials originally provided and it worked no problem, however, to my surprise, this account could do WAAAY more than just read only. Configure VMs, start/stop VMs, and more. I checked the account permissions and saw it was added to 1 group - ReadOnly - which is assigned the Role of Read-only. There were a few other accounts in this group so I logged in as them and I got what I should - read only. Everything else was greyed out.
I removed the user account from the ReadOnly group and tried to log in - I could. And the permissions were the same as before.
After scouring all groups and permissions (each level from vCenter down) I cannot find for the life of me where this account is getting access! It's not a member of any AD groups other than Domain Users so it's not getting it from AD.
I created a brand new vanilla AD account and tried logging into vCenter - could not log in (expected). I added it to the same ReadOnly group - I could log in with read only.
I'm starting to slowly lose my mind....
Updated VCSA to latest patch level and rebooted. Issue no longer present.
What's your patch level on the device?
Could you please double check the user account is actually an AD user?
vCenter Appliance is 6.5.0.22000
Yes the account is an AD user 100%.
Is the AD user in any other groups that may also be used for permissions?
I originally thought that but no it's not a member of anything other than Domain Users.
Are you familiar with PowerCLI? You can run the following commands, I believe, to get all permissions related to that user:
Connect-VIServer vc_server
# List every permission entry whose principal is exactly this account
Get-VIPermission | Where-Object { $_.Principal -eq "Domain\user" }
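A fuller audit along the same lines, added here as an example rather than code from sjesse or from VMware: it lists the account's direct grants and every group-based grant (which a filter on Principal alone never shows), and counts the privileges in each role that a read-only account should not carry. The server name, account name and privilege pattern are placeholders, and PowerCLI is assumed to be installed.

```powershell
# Added example (not from the thread): audit every vCenter grant that could give
# one account access. Assumes PowerCLI; server, account and pattern are placeholders.
param(
    [string]$Server    = 'vc_server',          # placeholder vCenter host
    [string]$Principal = 'DOMAIN\svc_monitor'  # placeholder AD account
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $Server | Out-Null

# Privilege families a read-only account should never hold (assumed pattern).
$WritePrivPattern = '^(VirtualMachine\.(Interact|Config|Inventory)|Host\.Config|Global\.)'

function Get-GrantReport {
    param([string]$Principal)

    # One inventory walk; each object carries Entity, Principal, Role, IsGroup, Propagate.
    $all = Get-VIPermission
    # Direct grants to the account plus every group grant it might inherit through.
    $candidates = $all | Where-Object { $_.Principal -eq $Principal -or $_.IsGroup }

    $roleCache = @{}   # role name -> privilege list, fetched once per role
    foreach ($p in $candidates) {
        if (-not $roleCache.ContainsKey($p.Role)) {
            $roleCache[$p.Role] = @((Get-VIRole -Name $p.Role).PrivilegeList)
        }
        $risky = @($roleCache[$p.Role] | Where-Object { $_ -match $WritePrivPattern })
        [pscustomobject]@{
            Entity         = $p.Entity.Name
            Principal      = $p.Principal
            ViaGroup       = $p.IsGroup
            Role           = $p.Role
            Propagate      = $p.Propagate
            RiskyPrivCount = $risky.Count
        }
    }
}

# Rows with a non-zero count are the grants to inspect first.
Get-GrantReport -Principal $Principal |
    Sort-Object RiskyPrivCount -Descending |
    Format-Table -AutoSize

Disconnect-VIServer -Server $Server -Confirm:$false
```

Group rows are candidates only; whether the account actually resolves into those groups still has to be confirmed in AD or in the vSphere SSO domain.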
Thanks sjesse - I didn't get a chance to try your command before I patched and rebooted. But issue is fixed now. I'll have to save that command for future use though.