VMware Cloud Community
jamcm
Contributor

Domain administrator restrictions

Hello,

In our environment we have system administrators who need to administer virtual machines but must not be the virtual administrators. In the roles for virtual center the administrators role seems to be given to the local administrators group, which by default includes domain admins group. Is there a way to ensure the domain admins do not have access to the virtual infrastructure?

5 Replies
dmn0211
Enthusiast

We always remove them from the local admin group and assign the permissions in vCenter using an AD group.

Check out this thread

http://communities.vmware.com/message/673745#673745

Texiwill
Leadership

Hello,

That is correct. If you do not want your Domain Admins to see everything and use everything within your vCenter server, you need to create another group who has the access and delete 'Administrators', or delete Domain Admins from the Local Administrators group. I prefer the second option actually, but that also has its own issues. Your Local Administrator should most likely be able to admin the entire vCenter server as a fall back in case AD is suddenly not available.


Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
Blue Gears and SearchVMware Pro Blogs -- Top Virtualization Security Links -- Virtualization Security Round Table Podcast

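The change both replies above describe (take Domain Admins out of the local Administrators group on the Windows vCenter server, but keep a local administrator as the fallback when AD is unavailable) can be done safely with a short script. This is an added example, not code from the thread or from VMware; it assumes Windows PowerShell 5.1 or later with the LocalAccounts cmdlets (Get-LocalGroupMember, Remove-LocalGroupMember, Get-LocalUser), and the domain name, fallback account name and WhatIf switch are placeholders.

```powershell
# Added example: audit the local Administrators group on a Windows vCenter server,
# remove "Domain Admins" from it, and refuse to do so unless an enabled local
# (non-domain) administrator remains as the AD-outage fallback.
# Assumes Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).

$DomainAdmins  = 'CORP\Domain Admins'   # placeholder: your domain's Domain Admins group
$FallbackAdmin = 'Administrator'        # placeholder: local account kept as fallback
$WhatIfMode    = $true                  # set to $false to actually remove the member

$members = Get-LocalGroupMember -Group 'Administrators'
Write-Output 'Current members of local Administrators:'
$members | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# Safety check 1: a local principal matching the fallback account must be a member.
$localFallback = $members | Where-Object {
    $_.PrincipalSource -eq 'Local' -and $_.Name -like "*\$FallbackAdmin"
}
if (-not $localFallback) {
    throw "No local fallback admin '$FallbackAdmin' in Administrators; aborting."
}

# Safety check 2: that local account must actually be enabled, or it is no fallback.
$fallbackAccount = Get-LocalUser -Name $FallbackAdmin
if (-not $fallbackAccount.Enabled) {
    throw "Local fallback admin '$FallbackAdmin' is disabled; aborting."
}

# Only now touch Domain Admins.
$da = $members | Where-Object { $_.Name -eq $DomainAdmins }
if ($da) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $DomainAdmins -WhatIf:$WhatIfMode
    Write-Output "Removed $DomainAdmins from local Administrators (WhatIf=$WhatIfMode)."
} else {
    Write-Output "$DomainAdmins is not a member of local Administrators; nothing to do."
}
```

Run it once with the WhatIf placeholder left at `$true` to see what would change, then flip it. One caveat the thread's "has its own issues" hints at: if the server receives a Group Policy that manages the Administrators group (Restricted Groups or Group Policy Preferences), the next policy refresh will put Domain Admins straight back, so the policy has to be changed or the vCenter server excluded from it for the removal to stick.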
mittim12
Immortal

We also remove Domain Admins from the administrator group but keep the local admin in there as Edward suggested.

If you found this or any other post helpful please consider the use of the Helpful/Correct buttons to award points

AntonVZhbankov
Immortal

Install vCenter on non-domain machine.


---

VMware vExpert '2009

http://blog.vadmin.ru

EMCCAe, HPE ASE, MCITP: SA+VA, VCP 3/4/5, VMware vExpert XO (14 stars)
VMUG Russia Leader
http://t.me/beerpanda
azn2kew
Champion

We deleted the Domain Admins group locally and created a backdoor account with a different name, added as local admin on the machine but disabled in AD until we need to use it or activate it. We then created multiple custom roles in vCenter for VI Help Desk and VI Server Admins so they can provision and monitor our ESX environment more effectively and securely. We have also granted access to the Service Console using SUDO and integrated it with AD using PAM configuration, so that specific people can alter the ESX settings on the command line as well, but restricted their actions and provided security logging as well.

If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!!

Regards,

Stefan Nguyen

VMware vExpert 2009

iGeek Systems Inc.

VMware, Citrix, Microsoft Consultant

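The other half of the approach in this thread (dmn0211's "assign the permissions in vCenter using an AD group" and the custom VI Help Desk / VI Server Admins roles in the post above) is done inside vCenter rather than in Windows. The following is an added example using VMware PowerCLI, not code from the thread or from VMware; the vCenter hostname, AD group names and role name are placeholders, and the privilege IDs are vSphere's own (Get-VIPrivilege resolves them on the connected server).

```powershell
# Added example: create a narrow help-desk role and grant vCenter permissions to
# dedicated AD groups instead of inheriting them from the local Administrators group.
# Assumes VMware PowerCLI is installed and the account running this is a vCenter admin.

Connect-VIServer -Server 'vcenter.example.local'   # placeholder vCenter hostname

# A deliberately narrow help-desk role: view, power operations and console access,
# no configuration changes. Privilege IDs are vSphere's own identifiers.
$helpDeskPrivs = Get-VIPrivilege -Id @(
    'System.Anonymous', 'System.View', 'System.Read',
    'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.Reset',
    'VirtualMachine.Interact.ConsoleInteract'
)

$helpDeskRole = Get-VIRole -Name 'VI Help Desk' -ErrorAction SilentlyContinue
if (-not $helpDeskRole) {
    $helpDeskRole = New-VIRole -Name 'VI Help Desk' -Privilege $helpDeskPrivs
}
$adminRole = Get-VIRole -Name 'Admin'          # built-in Administrator role

# Permissions are set at the inventory root and propagated downwards.
$root = Get-Folder -NoRecursion

# Full administration for a dedicated AD group (not Domain Admins),
# the restricted role for the help desk group. Group names are placeholders.
New-VIPermission -Entity $root -Principal 'CORP\vCenter-Admins' -Role $adminRole    -Propagate:$true
New-VIPermission -Entity $root -Principal 'CORP\VI-HelpDesk'    -Role $helpDeskRole -Propagate:$true

# Review step: list root-level permissions and flag anything granted to Domain Admins.
$perms = Get-VIPermission -Entity $root
$perms | Select-Object Principal, Role, Propagate | Format-Table -AutoSize
$perms | Where-Object { $_.Principal -like '*\Domain Admins' } |
    ForEach-Object { Write-Warning "Domain Admins still hold role '$($_.Role)' at the root." }

Disconnect-VIServer -Server 'vcenter.example.local' -Confirm:$false
```

Granting the Admin role to a named AD group first, and only then removing the local Administrators mapping, avoids locking yourself out; the review loop at the end is worth keeping as a periodic check, since a permission inherited through any group containing Domain Admins would also need to be found and removed.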