VMware Cloud Community
vlchild
Enthusiast

Access denied when trying to connect client cd rom to vm

This is a followup to thread http://communities.vmware.com/thread/119513

"One of my users is using the client to build a vm, tries to connect their cdrom using the client and gets access denied. What is the minimum permissions needed to be able to connect a remote physical cd rom to a vm? VC 2.5, esx 3.0, I believe they currently have virtual machine power user role on the object. "

I had this same problem. The role didn't make a difference, but what does make a difference is where that role is defined. I found if I was an administrator of a resource group I could pretty much do everything needed, EXCEPT connect the CD.

To get around this, I gave that same user 'READ ONLY' at the root (Hosts & Clusters) and unchecked the 'propagate'. (If you leave 'propagate' checked that user will see everything.)

Have the user log off and back on and Voilà!

Lee

3 Replies
vlchild
Enthusiast

Once I dug in a little more, I realized I could put just the 'XX\domain users' or the local server 'users' in the group in the root with Read Only and no Propagate. This one generic group provides enough of a privilege to allow for CD operations.

The first thing I checked was what kind of privileges this gives to everyone. Basically they see the event logs on who logs in and out of VC, no hosts, no VMs, and in the Admin section they can only see who was assigned what roles at the root level. For me this was acceptable.

Maybe VM can just put this in the manual and call it a feature, à la MS.

vlchild
Enthusiast

Many of the VC 2.5 permission problems can be solved with this method also.

Last item: I created one AD group called 'ALL_VM_USERS' and nested all the other VM groups into it. I then gave the 'ALL_VM_USERS' group the RO role at the root folder. This gave me the same benefits without giving everyone on the planet read access to VC.

Lee

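The root-level grant described in the posts above, scripted together with a check that it exposes no more than intended. This is an added example, not code from the thread: it assumes VMware PowerCLI for the live cmdlets, the function names are hypothetical, and the sample permission entries are constructed.

```powershell
# Added example; not code from the thread. Live cmdlets come from VMware PowerCLI
# (assumed installed, with an existing Connect-VIServer session).

function Set-RootReadOnlyGrant {
    # Read-Only on the root folder only, with propagation off, as in the thread.
    param([Parameter(Mandatory)][string]$Principal)
    $root = Get-Folder -NoRecursion          # top-level inventory folder
    New-VIPermission -Entity $root -Principal $Principal `
        -Role (Get-VIRole -Name 'ReadOnly') -Propagate:$false
}

function Test-RootGrant {
    # Returns one finding per root-level entry that exposes more than the
    # workaround intends. $Permission: objects shaped like Get-VIPermission output.
    param(
        [object[]]$Permission,
        [string[]]$BroadGroup = @('Domain Users', 'Users')   # catch-all groups named in the thread
    )
    foreach ($p in $Permission) {
        $name = ($p.Principal -split '\\')[-1]               # strip the DOMAIN\ prefix
        if ($p.Role -eq 'ReadOnly' -and $p.Propagate) {
            [pscustomobject]@{ Principal = $p.Principal
                               Finding   = 'ReadOnly propagates: principal can see the whole inventory' }
        }
        if ($BroadGroup -contains $name) {
            [pscustomobject]@{ Principal = $p.Principal
                               Finding   = 'Catch-all group: prefer a dedicated group such as ALL_VM_USERS' }
        }
    }
}

# Constructed sample entries (XX is the thread's domain placeholder).
$sample = @(
    [pscustomobject]@{ Principal = 'XX\ALL_VM_USERS'; Role = 'ReadOnly'; Propagate = $false }
    [pscustomobject]@{ Principal = 'XX\Domain Users'; Role = 'ReadOnly'; Propagate = $true }
)
Test-RootGrant -Permission $sample | Format-Table -AutoSize

# Live use:
#   Set-RootReadOnlyGrant -Principal 'XX\ALL_VM_USERS'
#   Test-RootGrant -Permission (Get-VIPermission -Entity (Get-Folder -NoRecursion))
```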
TristanT
Contributor

I faced having to deploy this work-around solution to allow my clients access to the console with "Virtual Machine Power User" role. Prior to this they could not send a Ctrl-Alt-Del or mount a CD or ISO.

We are at the latest builds for ESX 3.5 and VC 2.5. I'm going to open a case with VMware TS to add visibility to this issue. Why was this issue not caught during release testing?
