That moves me on, thanks, but now I'm frustrated because I can't see which action is throwing a vmomi error in the client; without knowing what it was trying to do (among all the many minor subtleties when trying to perform any action in VI) it is hard to know what's causing the problem.

Let me ask a different question: we want to delegate rights to create and edit VMs and clone them form templates, to a group; we have numerous resource pools and folders; we don't want people to see what's in other resource pools and folders. This must be pretty common. Is there a document anywhere that says exactly what settings are needed for this to work without continually throwing errors?

We had it nailed in 2.0 but the upgrade to 2.5 and the bodges we had to make to get 2.5 to work before Update 1, seem to have conspired to render the previous set of permisisons fatally broken.

SysPrep files are in place, it works as Admin, that thread is about the annoying variants of SysPrep (ho yus, been there). Was that the thread you meant ot recommend? I can entirely believe it's been discussed before.

The permissions should be about the same as they were previously, although there are new permission in the roles. The best way to limit access is to provide access at the lowest level container of the objects you want to allow access to. Meaning, if you have resource pools separated, then give access at the pool, or create a child pool, and give access there.

That way, you can clone the administrator role, and remove access to what you don't want to allow, like create pool, and etc. Give access on those resource pools to your custom administrator role, and you should be good to go. Remember, your permissions can flow down, if you allow propagate, but they won't flow up. So, if you give rights to create a datacenter, but only at a resource pool level, then that role will still not be able to create a datacenter.

-KjB