VMware Cloud Community
lwainwri
Contributor

Joining ESXi 5.1 (Update 1) host to Active Directory

I have an AD server configured as follows (this isn't the full OU structure).  Note that right now I haven't configured any GPOs (all OUs inherit the "domain default policy").

mydomain.net
  MyManagementOU
    Accounts
      Users
        jbloggs
        ...
      Groups
        Global
          DG_VMwareAdmins
          DG_VMwareUsers
        Local
          DL_VMwareAdmins
          DL_VMwareUsers

Microsoft best practice is to make users members of global groups (i.e. where the group "scope" is configured as "Domain Global").  You then make the global groups members of the local groups (i.e. where the group "scope" is configured as "Domain Local"), and when you configure user permissions to a "computer" you apply the domain local account.

In the structure above, the user jbloggs is a member of both of the global groups (starting "DG_").  DG_VMwareAdmins is then a member of DL_VMwareAdmins (a domain local group), and DG_VMwareUsers is a member of DL_VMwareUsers (also a domain local group).

I have successfully added my ESXi 5.1U1 host to my Active Directory domain. I am trying to configure permissions on the host, and I'd like to assign full admin privileges to the "DL_VMwareAdmins" AD group.

MY PROBLEM (well, one of them at least ;-) ) is that when I click "Add" to add a new privilege, and then select "mydomain", I only see groups that have been configured with a "Domain Global" scope.  My "DL_" groups do not appear.

NOTE: I've done the same with vCenter SSO, and that worked just fine; it picked up all groups whether global or local scope!

Is this a limitation of ESXi 5.1, or is there a way to persuade it that there really are domain local groups on my domain controller?

1 Reply
calbuildmaster
Contributor

I am looking for the answer to this question as well.

In my scenario my local domain has a one-way trust set up with the corporate domain. In my local domain the only way I can create a group and include users from the corporate domain is to set the local group to "Domain Local". However, as stated above, ESX is only seeing "Global" groups, which cannot pull users through the trust. I would like to grant users ESX host access and have them authenticate to the corporate domain, but add the ESX host to my local domain.

Why does ESX have this limitation?

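The group-scope nesting that both posts describe, as a small runnable model added here for the thread (constructed for illustration, not code from VMware or Microsoft, and not how ESXi actually enumerates groups). It encodes the simplified AD nesting rules (Global groups only take same-domain members, Domain Local groups take members from any trusted domain), resolves jbloggs's effective groups through the DG_ -> DL_ chain from the first post, shows what a picker that lists only Global-scope groups would return, and reproduces the second post's trust case. The names local.example, corp.example and alice in the trust scenario are made up for the example.

```python
"""Constructed model of Active Directory group scopes and nesting (not ESXi or Microsoft code)."""
from dataclasses import dataclass
from typing import Optional

# Scope names as Active Directory uses them.
GLOBAL, DOMAIN_LOCAL, UNIVERSAL = "Global", "DomainLocal", "Universal"


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str                  # domain the object lives in
    scope: Optional[str] = None  # None for a user account, otherwise a group scope


class Directory:
    def __init__(self):
        self.groups = {}   # group name -> Principal
        self.members = {}  # group name -> set of Principal directly in the group

    def add_group(self, name, domain, scope):
        self.groups[name] = Principal(name, domain, scope)
        self.members[name] = set()
        return self.groups[name]

    def add_member(self, group, member):
        g = self.groups[group]
        if not self._nesting_allowed(g, member):
            raise ValueError(f"{member.name} ({member.domain}, scope={member.scope}) "
                             f"cannot be a member of {g.name} ({g.scope})")
        self.members[group].add(member)

    @staticmethod
    def _nesting_allowed(group, member):
        # Simplified AD rules:
        #   Global      : users and Global groups from the SAME domain only
        #   DomainLocal : users, Global and Universal groups from any trusted domain,
        #                 plus DomainLocal groups from the same domain
        #   Universal   : users, Global and Universal groups from any domain in the forest
        if group.scope == GLOBAL:
            return member.domain == group.domain and member.scope in (None, GLOBAL)
        if group.scope == DOMAIN_LOCAL:
            if member.scope == DOMAIN_LOCAL:
                return member.domain == group.domain
            return True
        if group.scope == UNIVERSAL:
            return member.scope != DOMAIN_LOCAL
        return False

    def effective_groups(self, user):
        """Transitive closure: every group the user ends up in through nesting."""
        found, frontier = set(), {user}
        while frontier:
            nxt = set()
            for gname, direct in self.members.items():
                if gname not in found and frontier & direct:
                    found.add(gname)
                    nxt.add(self.groups[gname])
            frontier = nxt
        return found

    def groups_with_scope(self, domain, scopes):
        """What a picker shows if it only lists groups of the given scopes."""
        return sorted(g.name for g in self.groups.values()
                      if g.domain == domain and g.scope in scopes)


def build_thread_example():
    """The structure from the first post: jbloggs -> DG_* (Global) -> DL_* (Domain Local)."""
    d = Directory()
    jbloggs = Principal("jbloggs", "mydomain.net")
    for name in ("DG_VMwareAdmins", "DG_VMwareUsers"):
        d.add_group(name, "mydomain.net", GLOBAL)
    for name in ("DL_VMwareAdmins", "DL_VMwareUsers"):
        d.add_group(name, "mydomain.net", DOMAIN_LOCAL)
    d.add_member("DG_VMwareAdmins", jbloggs)
    d.add_member("DG_VMwareUsers", jbloggs)
    d.add_member("DL_VMwareAdmins", d.groups["DG_VMwareAdmins"])
    d.add_member("DL_VMwareUsers", d.groups["DG_VMwareUsers"])
    return d, jbloggs


def cross_domain_nesting(scope):
    """Second post: can a user from the trusted corporate domain join a local-domain group of this scope?
    Domain names and the user are hypothetical."""
    d = Directory()
    d.add_group("ESXAdmins", "local.example", scope)
    corp_user = Principal("alice", "corp.example")
    try:
        d.add_member("ESXAdmins", corp_user)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    d, jbloggs = build_thread_example()
    print("effective groups:", sorted(d.effective_groups(jbloggs)))
    print("Global-only picker:", d.groups_with_scope("mydomain.net", {GLOBAL}))
    print("Global+DomainLocal picker:", d.groups_with_scope("mydomain.net", {GLOBAL, DOMAIN_LOCAL}))
    print("corp user in Global group:", cross_domain_nesting(GLOBAL))
    print("corp user in DomainLocal group:", cross_domain_nesting(DOMAIN_LOCAL))
```

The model makes the practical consequence visible: jbloggs is transitively a member of all four groups, yet a picker restricted to Global scope lists only the DG_ groups, and the only scope that accepts the trusted-domain user is Domain Local. A defender checking this on a real domain would confirm each group's scope and the nesting chain on the DC before deciding where to attach the host permission.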