I ran an Export Roles & Permissions script from https://communities.vmware.com/t5/VMware-PowerCLI-Discussions/Export-Roles-Permissions-Privileges-Ex... against our vCenter Servers. There is one particular Principal that I can't find at all in the vCenter UI, but I'd like to remove it. Can it be done via PowerCLI, and how?
Thanks!
That looks like a Role that is defined on the hidden folders.
Is that assigned to a builtin user/group?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
No. The role is assigned to an AD group. I can't find that AD group anywhere, and propagation for the host, network, datastore, and vm is set to true. I don't know where to find "host, network, datastore, and vm" within vCenter. It seems like it's orphaned but it's still in the export report and in the UI. I can't clean it up.
Those are hidden folders, but they do exist.
You can see those permissions by using such a hidden folder.
$dcName = 'DC'
Get-Datacenter -Name $dcName | Get-Folder -Name vm | Get-VIPermission
"The role is assigned to an AD group."
I assume you mean there is a permission on the hidden folders using a specific Role where the Principal is an AD account.
Not sure what you mean by "I can't find that AD group anywhere"?
Since that permission is on a hidden folder, you will not be able to see it via the Web client.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
I tried your commands for each Datacenter and the Principal was not listed.
I also tried the below
Get-VIPermission -Principal "domain\group" |Select *
Get-VIPermission -Principal "domain\group" | Remove-VIPermission
Perform operation?
Removing permission on entity 'Folder-group-h23' for principal 'domain\group' and role 'VM Admins'.
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): y
Remove-VIPermission : 10/13/2022 2:54:25 PM Remove-VIPermission The specified entity 'host' is a direct child folder of a Datacenter. This object always has the same permissions as its parent.
At line:1 char:56
+ ... IPermission -Principal "domain\group" |Remove-VIPermission
+ ~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (VMware.Vim.ManagedEntity:ManagedEntity) [Remove-VIPermission], VimException
+ FullyQualifiedErrorId : Client20_InventoryServiceImpl_TryGetEntityId_DatacenterFolder,VMware.VimAutomation.ViCore.Cmdlets.Commands.PermissionManagement.RemoveVIPermission
That message seems to indicate the permission was given on the Datacenter, or even on the vCenter level.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
I have looked at the DC and vCenter levels, including the Global Permissions -- the AD group is not shown. Should I open a case with VMware?
That seems to be your best option.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
On a side note, is that account perhaps the vCLSAdmin account?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
No, it is not. It's a custom AD group. I will open a case with VMware and let you know the results.
If you're able to follow it, it's SR#22373715710.
I'm afraid I can't, I'm not a VMW employee.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Well, there isn't much excitement about the resolution. The AD group that couldn't be found anywhere was assigned to a custom Role. There was another AD group assigned to the same role. We ended up assigning the visible AD group to another role and then deleted the existing role. That cleared up the issue but didn't explain how it couldn't be found anywhere.
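As an added example (not code from the thread or from LucD), the following PowerCLI audit walks the hidden datacenter child folders mentioned above together with the datacenter and vCenter root levels, and then lists assignments per role, which is the angle that resolved this case. It assumes an existing Connect-VIServer session; $principal is a placeholder for the principal from the export report.

```powershell
# Added example, not from the thread. Inventory explicit permissions on the
# entities the vSphere Client does not show, so an orphaned principal can be
# located before it is removed. Assumes an existing Connect-VIServer session.
$principal = 'domain\group'   # placeholder: the principal from the export

# vCenter root folder (named "Datacenters"), every datacenter, and each
# datacenter's hidden child folders vm, host, network and datastore.
$entities = @(Get-Folder -Name Datacenters -NoRecursion)
foreach ($dc in Get-Datacenter) {
    $entities += $dc
    $entities += Get-Folder -Location $dc -NoRecursion -Name vm, host, network, datastore
}

# One row per explicit permission entry. Global Permissions are not
# returned by Get-VIPermission; those still have to be checked in the UI.
$perms = foreach ($e in $entities) {
    foreach ($p in (Get-VIPermission -Entity $e)) {
        [PSCustomObject]@{
            Entity    = $e.Name
            Type      = $e.ExtensionData.MoRef.Type
            Principal = $p.Principal
            Role      = $p.Role
            Propagate = $p.Propagate
            IsGroup   = $p.IsGroup
        }
    }
}

# Everything granted to the principal being hunted, with the entity it sits on
$perms | Where-Object { $_.Principal -eq $principal } | Format-Table -AutoSize

# Role-side view: every assignment of every custom role, so a role that is
# only used by an unresolvable principal (or shared with a visible one, as in
# this thread) stands out and can be reassigned or deleted deliberately.
Get-VIRole | Where-Object { -not $_.IsSystem } | ForEach-Object {
    $role = $_
    Get-VIPermission -Role $role |
        Select-Object @{N = 'Role'; E = { $role.Name }}, Principal,
                      @{N = 'Entity'; E = { $_.Entity.Name }}, Propagate
} | Format-Table -AutoSize
```

Run the audit against each vCenter before and after a cleanup so the removal of the role, not just the permission entry, is confirmed in the output.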