VMware Cloud Community
emcclure
Enthusiast

Script to remove users from folder is trying to remove more than one account

Hello,

I have this script that can remove a user from a folder I specify on multiple vCenters. It works, but when I went to remove the permission of a test account, it also wanted to remove my domain account (which I used to log in to the vCenters and which is an admin in the vCenters).

param(
    [array]$viservers = ("vcenter.domain", "vcenter2.domain")
)

Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Confirm:$false

$creds = Get-Credential -Message "Enter your vCenter credentials" -UserName "$($env:USERDNSDOMAIN)\$($env:USERNAME)"

$vSphereConns += Connect-VIServer -Server $viservers -Credential $creds

while($true){
    $endAnswer = '1'
    while($endAnswer -ne 'Q'){
        if($endAnswer -eq '1'){
            $podnumber = Read-Host -Prompt "Enter the pod number"
            if($podnumber.count -eq 1){
                $folder = Get-Folder -Name myfolder-$podnumber
            }
            $endAnswer = '2'
        }
        if($endAnswer -eq '2'){
            $usertoremove = Read-Host = "Enter the username in domain\user format to remove from the folder"
        }

        Get-VIPermission -Entity $folder -Principal $usertoremove | Remove-VIPermission

        Write-Host "Please select an option"
        Write-Host "1 - Go back to the pod number selection"
        Write-Host "2 - Go back to the user selection"
        Write-Host "Q - Exit the script"
        $endAnswer = ''
        while('1','2','Q' -notcontains $endAnswer){
            $endAnswer = (Read-Host -Prompt 'Your answer').ToUpper()
        }
    }
    Disconnect-VIServer -Server $vSphereConns -Confirm:$false
    Write-Host "Disconnecting from vCenter and exiting script"
    Write-Host "Insert catchy quote here."
    break
}

20 Replies
LucD
Leadership

Shouldn't that line be

$usertoremove = Read-Host -Prompt "Enter the username in domain\user format to remove from the folder"


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

emcclure
Enthusiast

Good catch.  I fixed it, but it still doesn't solve my problem unfortunately.

LucD
Leadership

Can you try this adapted version of your script?

Note that I added a WhatIf switch on the Remove-VIPermission cmdlet, so you can check what would happen (without actually removing a permission).

Do you see 2 removals?

param(
    [array]$viservers = ("vcenter.domain", "vcenter2.domain")
)

Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Confirm:$false

$creds = Get-Credential -Message "Enter your vCenter credentials" -UserName "$($env:USERDNSDOMAIN)\$($env:USERNAME)"

$vSphereConns += Connect-VIServer -Server $viservers -Credential $creds

$answer = '1'

while ($answer -ne 'Q')
{
    if ($answer -eq 1)
    {
        $podnumber = Read-Host -Prompt "Enter the pod number"
        $answer = 2
    }
    if ($answer -eq 2)
    {
        $folder = Get-Folder -Name myfolder-$podnumber
    }

    $usertoremove = Read-Host -Prompt "Enter the username in domain\user format to remove from the folder"

    Get-VIPermission -Entity $folder -Principal $usertoremove | Remove-VIPermission -WhatIf

    Write-Host "Please select an option"
    Write-Host "1 - Go back to the pod number selection"
    Write-Host "2 - Go back to the user selection"
    Write-Host "Q - Exit the script"

    $answer = (Read-Host -Prompt 'Your answer').ToUpper()
}

Disconnect-VIServer -Server $vSphereConns -Confirm:$false

Write-Host "Disconnecting from vCenter and exiting script"
Write-Host "Insert catchy quote here."


emcclure
Enthusiast

Hi LucD,

Yes, I do see two removals with the -WhatIf.

LucD
Leadership

Can you share the text the WhatIf produced?


emcclure
Enthusiast

Hi LucD,

Here it is:

What if: Removing permission on entity 'Folder-group-v343992' for principal 'mydomain\useriwant' and role 'VirtualMachineUser'.

What if: Removing permission on entity 'Folder-group-d1' for principal 'mydomain\useridontwant' and role 'Admin'.

LucD
Leadership

Very strange.

Can you just try the following, and see if it also returns 2 users?

Get-VIPermission -Entity (Get-Folder -Name MyFolder) -Principal 'domain\user'


emcclure
Enthusiast

Hi LucD,

Yes, if I specify the user in that section, it still wants to remove the other user.

I'm basically specifying a user I have in another domain (the one I'm logged onto the machine I'm running the script from with) that I want to remove.

I'm also logged into the vCenter with a different domain account that has admin rights on that vCenter.

When I run the script it wants to remove both accounts, which is odd; yes, the username is the same, but they're in different domains, neither is a child domain of the other, different spellings, etc.

LucD
Leadership

Do you specify the domain, when providing the username?

Is one of these domains your primary authentication resource?

Is the VCSA registered in one of those domains?


emcclure
Enthusiast

Hi LucD,

Yes, I do specify the domain when providing the username.

So in our vCenter we have this:

vsphere.local

Domain1

Domain2

Domain3

Domain1 is the domain that the vCenter is on (and registered) and the login that I use when connecting to the vCenter in the script as that account has admin rights to the whole vCenter.

Domain2 is the domain that the current machine I'm working on is joined to and is also the domain I use when adding a user to test the script.

Domain3 is just another corporate domain that's not relevant to this.

All domains are separate.  None are a child domain of each other.

When I run my join script, which is almost the same as this script, it just adds the user I specify to the folder I want, which is great. I never see anything for the user account I'm logged in as being added to whatever folder I'm assigning someone to.

Hope this helps clear up any confusion.

LucD
Leadership

I don't have a solution for what you are seeing, and neither can I replicate that.

But I did notice in the output from the WhatIf that the 2nd removal is on the root folder (also known as Datacenters), not on the folder you specified.

But I have no idea why that would be triggered by the Remove-VIPermission cmdlet you are using.


emcclure
Enthusiast

Hi LucD,

Ok, well, thanks for the help. I'm not sure why this is happening either. I've rebooted my machine and that didn't help. I also tried running it on another machine that's in the same domain as the vCenter and the login I use for the vCenter, and still no difference. I guess I'll keep playing around and maybe get lucky.

emcclure
Enthusiast

Hi LucD,

So I just found something out.  When I run the script and try to remove any account that's tied to me (since they all have the same username, but are in different domains) the script tries to remove all of them.  However if I try to just remove a different user altogether then it behaves properly in only trying to remove them and not me.  That doesn't make a whole lot of sense to me.

I tried removing this section from the beginning of the script: -UserName "$($env:USERDNSDOMAIN)\$($env:USERNAME)" thinking that maybe it was gathering my login info somehow in my different domains, but it made no difference unfortunately.

LucD
Leadership

This sounds more and more like a bug to me.

When you did the Get-VIPermission, with an account tied to you, did you get multiple entries back?
Each with a different principal or not?


emcclure
Enthusiast

Yes, when I did the Get-VIPermission with an account tied to me, I got back multiple accounts of mine with different principals: one for the folder I assigned one of my accounts to, the other for my main account that's at the top level of the vCenter.

LucD
Leadership

That looks like a bug to me.
I would suggest you open an SR for that issue.


emcclure
Enthusiast

Will do.  Will update this thread with the results.

LucD
Leadership

Thanks.
It looks more and more as if the Get-VIPermission only uses the USER part, and drops the DOMAIN part.


emcclure
Enthusiast

I believe I finally figured it out.  Unfortunately I got nowhere with VMware support.

I changed this line:

Get-VIPermission -Entity $folder -Principal $usertoremove | Remove-VIPermission

to this:

Get-VIPermission -Entity $folder | Where-Object { $_.Principal -eq $usertoremove } | Remove-VIPermission

and it seems to be working. I had noticed that if there was another user with multiple accounts on the vCenter, it would try to remove all of theirs as well, so it wasn't just my account running the script but anybody who had multiple accounts in the vCenter. Scary stuff.
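A defensive version of the final fix, added here as an example and not code from the thread or from PowerCLI itself: it filters client-side on the full DOMAIN\user string and on the folder's entity id (so a same-named account in another domain, or the root-folder Admin permission seen in the WhatIf output, never matches), refuses to touch the account the PowerCLI session is logged in with, and honours -WhatIf. The function name, the sample folder and principal values, and the assumption that $global:DefaultVIServers.User is in the same DOMAIN\user form as a permission's Principal are mine.

```powershell
function Remove-FolderPermissionExact {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]$FolderName,
        [Parameter(Mandatory)] [string]$Principal   # must be the full 'DOMAIN\user' form
    )

    # Insist on the domain part so a bare user name can never match accounts in every domain.
    if ($Principal -notmatch '^[^\\]+\\[^\\]+$') {
        throw "Principal must be given as DOMAIN\user, got '$Principal'"
    }

    # Accounts the current PowerCLI sessions are logged in with (one per connected vCenter).
    # Assumption: .User carries the same DOMAIN\user string that appears in a permission's Principal.
    $sessionUsers = @($global:DefaultVIServers | ForEach-Object { $_.User })
    if ($sessionUsers -contains $Principal) {
        throw "Refusing to remove the permission of the account this session is logged in with ($Principal)"
    }

    # One folder object per connected vCenter that has a folder with this name.
    $folders = @(Get-Folder -Name $FolderName -ErrorAction Stop)
    $removed = 0

    foreach ($f in $folders) {
        # Fetch everything on the folder and filter client-side on the complete principal string
        # AND on the entity id, instead of relying on -Principal, which matched on the user part only.
        $perms = @(Get-VIPermission -Entity $f |
            Where-Object { $_.Principal -eq $Principal -and $_.EntityId -eq $f.Id })

        if ($perms.Count -eq 0) {
            Write-Warning "No permission for '$Principal' directly on '$($f.Name)' ($($f.Uid)); nothing to do"
            continue
        }

        foreach ($p in $perms) {
            # ShouldProcess makes -WhatIf / -Confirm work on this function as they do on the cmdlet.
            if ($PSCmdlet.ShouldProcess("$($p.Principal) on $($f.Name) [$($p.Role)]", 'Remove-VIPermission')) {
                Remove-VIPermission -Permission $p -Confirm:$false
                $removed++
            }
        }
    }
    return $removed
}

# Dry run first (sample values), then the real removal once the WhatIf output lists only the expected entry.
Remove-FolderPermissionExact -FolderName 'myfolder-12' -Principal 'MYDOMAIN\useriwant' -WhatIf
Remove-FolderPermissionExact -FolderName 'myfolder-12' -Principal 'MYDOMAIN\useriwant'
```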