I am migrating from local accounts/groups access for vCenter to an AD domain. Without manually checking each VM's group associated with it and creating in AD, I'd like to automate as much as possible.
1 - A script to list the VM and the group that has VIC access to it.
2 - Query the vCenter server to get the list of users that are in that group.
3 - I'm OK with manually checking the domain to see if the account exists, then creating accounts/groups as necessary, and finally assigning the VIC access for the new group.
Also open to any suggestions on how anyone else has handled this. Thanks.
Can you explain your need to delegate permissions?
vCenter has roles (Administrator, virtual machine power user, etc.) with defined permissions you can use.
If you need different roles you can create your own.
Once you have created the necessary roles, then you apply them to vCenter resources at the farm level, host level, VM level, datastore level, etc. using AD groups.
If you want to export the permissions you can find the script here
I only want groups to see the VMs that they own. Each group has read only on the folder without propagation and then the ability to manage (power on/off, snapshots) to their individual VMs.
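
Added example, not part of the original thread and not the script linked in the reply: a PowerCLI pass over steps 1 and 2 of the question, listing each VM's permissions and the members of each local group. It assumes PowerCLI is loaded, `Connect-VIServer` has already been run, and the groups are local Windows groups on the vCenter host; `$vcHost`, `$outFile` and the function name `Get-LocalGroupMemberName` are placeholders chosen for this example.

```powershell
# Added example: assumes an existing PowerCLI session (Connect-VIServer).
$vcHost  = 'vcenter01'               # placeholder: Windows host that holds the local groups
$outFile = '.\vm-permissions.csv'    # placeholder: report path

# Resolve the members of a local Windows group through the ADSI WinNT provider.
function Get-LocalGroupMemberName([string]$Computer, [string]$Group) {
    try {
        $g = [ADSI]"WinNT://$Computer/$Group,group"
        @($g.Invoke('Members')) | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
        }
    } catch {
        # Not a local group on $Computer (or not reachable): flag it for manual review.
        '<lookup failed>'
    }
}

$memberCache = @{}   # group name -> member list, so each group is queried once

$report = foreach ($vm in Get-VM) {
    foreach ($perm in Get-VIPermission -Entity $vm) {
        $name  = ($perm.Principal -split '\\')[-1]   # drop any "HOST\" prefix
        $users = ''
        if ($perm.IsGroup) {
            if (-not $memberCache.ContainsKey($name)) {
                $memberCache[$name] = (Get-LocalGroupMemberName $vcHost $name) -join ';'
            }
            $users = $memberCache[$name]
        }
        [pscustomobject]@{
            VM        = $vm.Name
            Principal = $perm.Principal
            IsGroup   = $perm.IsGroup
            Role      = $perm.Role
            DefinedOn = $perm.Entity.Name   # object the permission was set on
            Propagate = $perm.Propagate
            Members   = $users
        }
    }
}

$report | Sort-Object VM, Principal | Export-Csv -Path $outFile -NoTypeInformation
```

Rows where `DefinedOn` is not the VM itself come from a parent object such as a folder, which matters when recreating the read-only-without-propagation folder permissions under the new AD groups.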