When setting up a vCenter 6u1 instance on Windows Server 2012 R2 and connecting to the vCenter as the SSO administrative account (administrator@vsphere.local) via PowerCLI, I do not seem to be able to configure any local user accounts with global permissions.

I have tried using New-VIPermission but the highest entity I can assign roles/users to is Datacenters, i.e. the root of the vCenter inventory tree, so to speak. I want to make it so that all local Windows user accounts that are part of the Administrators group are also SSO admins. Via the vCenter web client I can only make changes to the SSO stuff when logging in as the SSO admin but then I can add the local Administrators group to the global permissions section with the Admin role and after that any local administrative user logging on does have permission to make SSO changes. So it is possible to do via web client, but how can I do it via PowerCLI?