VMware Cloud Community
rzimmermann
Contributor

Roles and permissions propagation question

Hello everyone

Hopefully, one of you can probably help me or clear some things up.

Imagine the following situation. We have a VMware cluster based on vCenter Appliance 5.5 with 2 hosts (Version 5.5 Update 1) attached. Both ESX hosts are joined to our Active Directory domain.

I have created a custom role named "VM Site Admin" on vCenter with some permissions we would like to give our site administrators. Then I have added permissions with this role to an AD group named "GG_VMSiteAdmin" at top level (vCenter server) with propagation to all child objects.

I can successfully log in to the vCenter server using a user who is a member of the AD group "GG_VMSiteAdmin". So far so good. What I'm unable to do is log in directly to the ESXi host using the same domain credentials. I got the message "You do not have permissions to login to the server: servername".

What am I doing wrong?

Thanks for any comment.

René

2 Replies
rh5592
Hot Shot

I believe you need to manually create the "ESX Admins" group in AD. It is the default group added on each ESXi host when joined to the domain. See Joining vSphere Hosts to Active Directory | VMware vSphere Blog - VMware Blogs

Regards.

"If found useful, kindly mark answers Correct or Helpful" http://rh5592.com
rzimmermann
Contributor

Thanks for your information. I know about the ESX Admins group, but I don't want the site admins to be in the ESX Admins group, as they automatically get administrator rights on the ESX host.

I have created a separate role on vCenter which should be propagated to the hosts, but unfortunately it does not seem to be.
