Hello,
In our environment we have system administrators who need to administer virtual machines but must not be the virtual administrators. In the roles for Virtual Center the Administrator role seems to be given to the local Administrators group, which by default includes the Domain Admins group. Is there a way to ensure the domain admins do not have access to the virtual infrastructure?
We always remove them from the local admin group and assign the permissions in vCenter using an AD group.
Check out this thread
Hello,
That is correct. If you do not want your Domain Admins to see everything and use everything within your vCenter server, you need to create another group who has the access and delete 'Administrators', or delete Domain Admins from the local Administrators group. I prefer the second option actually, but that also has its own issues. Your local Administrator should most likely be able to admin the entire vCenter server as a fallback in case AD is suddenly not available.
Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
Blue Gears and SearchVMware Pro Blogs -- Top Virtualization Security Links -- Virtualization Security Round Table Podcast
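The second option Edward describes, as an added example that is not from this thread or from VMware: a PowerShell script that audits the local Administrators group on a Windows vCenter Server host, removes Domain Admins from it, keeps the built-in local Administrator as the AD-independent fallback, and adds a dedicated AD group that the vCenter Administrator role is then assigned to. The domain name CONTOSO, the group name CONTOSO\vCenter-Admins and the parameter names are placeholders I chose; the Get-/Add-/Remove-LocalGroupMember cmdlets assume Windows Server 2016 or later.

```powershell
# Added example (not from the thread): audit and correct the local Administrators
# group on a Windows vCenter Server host so Domain Admins no longer inherit the
# vCenter Administrator role through it, while keeping the local Administrator
# account and a dedicated AD group for vCenter administrators.
# Assumptions (placeholders, not from the original thread):
#   - the domain NetBIOS name is CONTOSO
#   - the dedicated AD group for vCenter administrators is CONTOSO\vCenter-Admins
#   - the script runs elevated on the vCenter Server host (Windows Server 2016+,
#     which ships the Microsoft.PowerShell.LocalAccounts module)
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Domain          = 'CONTOSO',
    [string]$VCenterAdminGrp = 'CONTOSO\vCenter-Admins',
    [string]$LocalGroup      = 'Administrators'
)

$domainAdmins = "$Domain\Domain Admins"

# Current membership of the local Administrators group.
$members = Get-LocalGroupMember -Group $LocalGroup
Write-Host "Current members of $LocalGroup on $($env:COMPUTERNAME):"
$members | ForEach-Object {
    Write-Host ("  {0,-32} {1,-6} {2}" -f $_.Name, $_.ObjectClass, $_.PrincipalSource)
}

# 1. Remove Domain Admins if present (the inheritance path the thread warns about).
if ($members.Name -contains $domainAdmins) {
    if ($PSCmdlet.ShouldProcess($domainAdmins, "Remove from $LocalGroup")) {
        Remove-LocalGroupMember -Group $LocalGroup -Member $domainAdmins
        Write-Warning "Removed $domainAdmins from $LocalGroup"
    }
} else {
    Write-Host "$domainAdmins is not a direct member of $LocalGroup; nothing to remove"
}

# 2. Keep the built-in local Administrator so vCenter can still be administered
#    if AD is unavailable (the fallback Edward recommends above).
$localAdminName = "$($env:COMPUTERNAME)\Administrator"
if ($members.Name -notcontains $localAdminName) {
    Write-Warning "$localAdminName is not in $LocalGroup; re-adding it"
    if ($PSCmdlet.ShouldProcess($localAdminName, "Add to $LocalGroup")) {
        Add-LocalGroupMember -Group $LocalGroup -Member 'Administrator'
    }
}

# 3. Make sure the dedicated vCenter admin AD group is present instead.
if ($members.Name -notcontains $VCenterAdminGrp) {
    if ($PSCmdlet.ShouldProcess($VCenterAdminGrp, "Add to $LocalGroup")) {
        Add-LocalGroupMember -Group $LocalGroup -Member $VCenterAdminGrp
        Write-Host "Added $VCenterAdminGrp to $LocalGroup"
    }
}

# 4. Re-check and fail loudly if Domain Admins is still a direct member.
#    Get-LocalGroupMember does not expand nested AD groups, so membership that
#    arrives through another group listed here must be audited in AD separately.
$after = Get-LocalGroupMember -Group $LocalGroup
if ($after.Name -contains $domainAdmins) {
    throw "$domainAdmins is still a member of $LocalGroup"
}

# Optional: assign the vCenter Administrator role to the AD group with PowerCLI
# (needs a prior Connect-VIServer; left commented out because it requires a live vCenter).
# New-VIPermission -Entity (Get-Folder -NoRecursion) -Principal $VCenterAdminGrp -Role Admin -Propagate:$true
```

Run it once with `-WhatIf` to see what would change before applying it. On older Windows builds without the LocalAccounts module, `net localgroup Administrators "CONTOSO\Domain Admins" /delete` performs the same removal. The script only fixes the local-group side; the vCenter role for the AD group is still granted in the vSphere Client (or with the commented PowerCLI line), and a nested AD group that itself contains Domain Admins would reintroduce the access without appearing in this listing.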
We also remove Domain Admins from the administrator group but keep the local admin in there as Edward suggested.
If you found this or any other post helpful please consider the use of the Helpful/Correct buttons to award points
Install vCenter on non-domain machine.
---
VMware vExpert '2009
We deleted the Domain Admins group locally and created a backdoor account with a different name, added as a local admin on the machine but disabled in AD until we need to use it or activate it. We then created multiple custom roles in vCenter for VI Help Desk and VI Server Admins so they can provision and monitor our ESX environment more effectively and securely. We have also granted access to the Service Console using sudo and integrated with AD using PAM configuration, so that a specific person can alter the ESX settings on the command line as well, but restricted their actions and provided security logging as well.
If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!!
Regards,
Stefan Nguyen
VMware vExpert 2009
iGeek Systems Inc.
VMware, Citrix, Microsoft Consultant