farkasharry
Hot Shot

Renaming AD Group or User breaks access?

I have had a strange thing happen in our 5.1 environment.

A specific AD user group had admin access to the whole environment. After renaming this group in AD and some waiting time, access was still possible, but this group's members could not see anything other than the vCenter in their client. I thought the SSO server contacts AD for every user logon. The waiting time shows that there is still some replication happening and that the permissions are not using the AD ID of the user but its exact name. Is there any way to rename groups and not lose the permissions?

*** If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful! *** vExpert 2019, VCAP-DCA,VCP,MCSE,MCITS and some more...
2 Replies
flpro
Contributor

Just ran into a similar issue. After renaming a few AD user accounts, they were unable to log in to the vSphere client anymore.

Contacted VMware support and their technician ran a few queries on our SSO database (RSA) through SQL Management Studio.

He first retrieved the ID of the user by searching for the old username:

SELECT ID,LOGINUID from IMS_PRINCIPAL_DATA where LOGINUID like 'old_username'

Then he ran these two queries to delete any references to the user's ID:

DELETE from IMS_PRINCIPAL_DATA where ID = 'retrieved_user_id'
DELETE from IMS_PRINCIPAL_LOGIN_DATE where PRINCIPAL_ID = 'retrieved_user_id'

We were then able to login with the new username.

Hope this helps.

AntonKr
Contributor

6.0 U2. Same problem here. AD is configured as LDAP access (non-integrated). Renaming an AD group breaks permissions. Unfortunately the SQL solution no longer works, as the database structure seems to be different.

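The thread's common thread is that vCenter stores a permission against the principal's name string, not the AD objectGUID/SID, so a rename leaves stale entries under the old name and nothing under the new one. The SQL cleanup above is tied to one SSO schema; a database-independent way to answer the original question ("rename the group and not lose the permissions") is to copy the stale entries onto the new name through the public API. The PowerCLI script below is an added example, not code from the thread or from VMware. It assumes VMware PowerCLI (VMware.VimAutomation.Core) is installed, that the connecting account may manage permissions, and that the rename has already propagated so SSO resolves the new name; $Server, $OldPrincipal and $NewPrincipal are placeholders.

```powershell
# Added example (not from the original thread): copy every vCenter permission
# that still references the old AD principal name onto the renamed principal.
# Assumptions: PowerCLI installed; SSO already resolves $NewPrincipal;
# $Server/$OldPrincipal/$NewPrincipal are placeholders supplied by the caller.
param(
    [Parameter(Mandatory)] [string] $Server,        # e.g. vcenter.example.local
    [Parameter(Mandatory)] [string] $OldPrincipal,  # e.g. 'CORP\vCenter-Admins-Old'
    [Parameter(Mandatory)] [string] $NewPrincipal,  # e.g. 'CORP\vCenter-Admins'
    [switch] $RemoveOld                             # also drop the stale entries
)

Import-Module VMware.VimAutomation.Core -ErrorAction Stop
$vc = Connect-VIServer -Server $Server -ErrorAction Stop

# Permissions are keyed by the principal *name string*, so the entries for the
# old name are still listed and carry the role, inventory object and propagate
# flag we need; the renamed group simply has no entries of its own yet.
$stale = Get-VIPermission -Server $vc | Where-Object { $_.Principal -eq $OldPrincipal }
if (-not $stale) {
    Write-Warning "No permissions reference '$OldPrincipal' on $Server"
    Disconnect-VIServer -Server $vc -Confirm:$false
    return
}

foreach ($perm in $stale) {
    # Resolve the role by name so the new entry uses exactly the same role object.
    $role = Get-VIRole -Server $vc -Name $perm.Role

    # Same role, same inventory object, same propagation, new principal name.
    New-VIPermission -Server $vc -Entity $perm.Entity -Principal $NewPrincipal `
        -Role $role -Propagate:$perm.Propagate -Confirm:$false | Out-Null

    Write-Host ("{0,-25} {1,-30} propagate={2}  -> {3}" -f `
        $perm.Role, $perm.Entity.Name, $perm.Propagate, $NewPrincipal)

    # Only remove the old-name entries once the new ones are in place, so a
    # failure part-way through never leaves the object without the role.
    if ($RemoveOld) {
        Remove-VIPermission -Permission $perm -Confirm:$false
    }
}

Disconnect-VIServer -Server $vc -Confirm:$false
```

Run it first without -RemoveOld, verify with Get-VIPermission that the new principal now holds the expected roles on the expected objects, then run it again with -RemoveOld to clear the stale entries. Note that this addresses the permission side only: the login failures flpro describes after renaming user accounts come from SSO's own cached principal records, which this script does not touch.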