VMware Cloud Community
MarcLaf
Enthusiast

Cannot figure out where particular vCenter user is getting permissions from

ESX 6.0 and vCenter 6.5 (Appliance)

We have an AD user account that is supposed to be configured as Read Only within vCenter which is used for system monitoring. The application people were having issues with authentication so I logged into vCenter using the credentials originally provided and it worked no problem, however, to my surprise, this account could do WAAAY more than just read only. Configure VM's, start/stop VMs, and more. I checked the account permissions and saw it was added to 1 group - ReadOnly - which is assigned the Role of Read-only. There were a few other accounts in this group so I logged in as them and I got what I should - read only. Everything else was greyed out.

I removed the user account from the ReadOnly group and tried to log in - I could. And the permissions were the same as before.

After scouring all groups and permissions (each level from vCenter down) I cannot find for the life of me where this account is getting access! It's not a member of any AD groups other than Domain Users so it's not getting it from AD.

I created a brand new vanilla AD account and tried logging into vCenter - could not log in (expected). I added it to the same ReadOnly group - I could log in with read only.

I'm starting to slowly lose my mind....


Accepted Solutions
MarcLaf
Enthusiast

Updated VCSA to latest patch level and rebooted. Issue no longer present.

7 Replies
EricChigoz
Enthusiast

What's your patch level on the device?

Could you please double check the user account is actually an AD user?

Find this helpful? Please award points. Thank you!
MarcLaf
Enthusiast

vCenter Appliance is 6.5.0.22000

Yes the account is an AD user 100%.

sjesse
Leadership

Is the AD user in any other groups that may also be used for permissions?

MarcLaf
Enthusiast

I originally thought that but no it's not a member of anything other than Domain Users.

sjesse
Leadership

Are you familiar with PowerCLI? You can run the following commands, I believe, to get all permissions related to that user:

# Connect to the vCenter Server (replace vc_server with its name or FQDN)
Connect-VIServer vc_server

# List every permission whose principal is that user, at any inventory level
Get-VIPermission | where {$_.Principal -eq "Domain\user"}
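
Building on the cmdlets above, here is an added example (not code from the thread, from sjesse, or from VMware) that goes one step further than the single filter: it resolves the account's AD group memberships first, then lists every permission that reaches the account either directly or through one of those groups, and shows which privileges of each matching role go beyond what the built-in Read-only role carries. It assumes PowerCLI is installed and Connect-VIServer has already succeeded, that it runs on a domain-joined host with the RSAT ActiveDirectory module (for Get-ADPrincipalGroupMembership), and that the function name, the domain 'CORP' and the account 'monitor.svc' are constructed placeholders. Global permissions and membership in vsphere.local SSO groups are not returned by Get-VIPermission, so they remain a separate check under Administration in the vSphere Client.

```powershell
# Added example, not code from the thread or from VMware. Assumptions: PowerCLI is loaded
# and Connect-VIServer has run; the RSAT ActiveDirectory module is available; 'CORP' and
# 'monitor.svc' are constructed placeholder values.

function Get-EffectiveVIPermission {
    param(
        [Parameter(Mandatory)] [string]$Domain,          # NetBIOS name, as vCenter shows it
        [Parameter(Mandatory)] [string]$SamAccountName
    )

    # Direct AD group memberships, including the primary group (Domain Users).
    # Nested membership is not expanded here; add parent groups by hand if nesting is used.
    $groups = Get-ADPrincipalGroupMembership -Identity $SamAccountName |
        Select-Object -ExpandProperty SamAccountName

    # vCenter records AD principals as DOMAIN\name; -contains compares case-insensitively.
    $principals = @("$Domain\$SamAccountName") +
        @($groups | ForEach-Object { "$Domain\$_" })

    # With no -Entity argument Get-VIPermission walks the whole inventory, so a grant made
    # high up (for example on the root folder with Propagate = True) is included.
    $hits = Get-VIPermission | Where-Object { $principals -contains $_.Principal }

    foreach ($p in $hits) {
        $role = Get-VIRole -Name $p.Role
        [pscustomobject]@{
            Principal  = $p.Principal
            ViaGroup   = $p.IsGroup
            Entity     = $p.Entity.Name
            EntityType = $p.Entity.GetType().Name
            Role       = $p.Role
            Propagate  = $p.Propagate
            # The built-in Read-only role holds only System.Anonymous, System.View and
            # System.Read, so any privilege left after this filter exceeds read-only.
            BeyondReadOnly = @($role.PrivilegeList |
                Where-Object { $_ -notmatch '^System\.' }) -join ', '
        }
    }
}

# Usage with constructed values: one row per permission that can reach the account.
Get-EffectiveVIPermission -Domain 'CORP' -SamAccountName 'monitor.svc' |
    Sort-Object Entity, Principal |
    Format-Table -AutoSize
```

A row whose Principal is a group and whose BeyondReadOnly column is non-empty is the usual explanation for an account that can do more than its intended role; a row on the root folder with Propagate set to True explains why the extra rights appear on every object below it.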

MarcLaf
Enthusiast

Thanks sjesse - I didn't get a chance to try your command before I patched and rebooted. But issue is fixed now. I'll have to save that command for future use though.
