I have a problem with host profiles in vCenter 4.1.
I noticed that a host profile can join ESXi to the domain and create permission rules to grant permissions to local and domain users and groups.
My problem is, when I create a permission rule for an Active Directory user or group, "apply" will add the domain user or group,
but afterwards the host remains non-compliant with the failure:
"A permission for user or group <DomainName\group> does not exist" (even though I can see the permission when I connect to the host),
so the host will never be compliant, although the user or group was created by the host profile.
Local users work perfectly with host profile permission rules...
I can see this behavior in my environment too.
Local users / groups are OK. But with domain users / groups the compliance check always fails, even though the permissions are in place (ESXi 4.1).
Possibly a bug. Can someone confirm this works?
Currently we have no time to contact VMware support or investigate the issue, so we stopped using permission rules and add the permissions manually (we only have one permission to add) as part of the ESXi install procedure.
But if you find the solution, please post it in the thread.
Have you created an AD group called "ESX Admins"? It seems like when you join an ESXi host to the domain and this ESX Admins group exists, it is added by default to the local groups on the host.
Anyway, it worked for us -- it's hidden somewhere in the docs...
Did you stop using Host Profiles' permission rules and rely on ESX to add the "ESX Admins" group by itself?
Or have you created a permission rule for the "ESX Admins" group and it works fine?
Anyway, we have a naming convention for AD groups and "ESX Admins" is not acceptable in our environment.
I've created the group in my AD, with the exact name including case, "ESX Admins".
But when applying my test host profile to an ESX server, it fails with the error "The user or group named '<domain>\esx^admins' does not exist".
The group has existed for long enough for any replication to occur. The syntax of the error made me question whether the group name should be different, but that wouldn't match the documentation, so it's just weird at the moment.
Sorry, I'm only providing half the story.
In my host profile, under Security Configuration -> Permission Rules -> Permission,
I've specified an AD group name, ticked the "refers to a group of users" box, typed "Admin" for the role name and ticked the "propagate permission" box.
This setting and the join-the-domain setting are the only two within this host profile, and it fails to apply with the above error message.
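Since the Host Profile compliance check is the part that misreports here, an independent way to confirm what is actually on each host is to read the domain-join state and the permission list directly. The PowerCLI script below is an added example, not from this thread or from VMware; it assumes PowerCLI 4.1 or later, an existing Connect-VIServer session, and placeholder domain, group and cluster names that you replace with your own.

```powershell
# Added example: report, per ESXi host in a cluster, whether the host is joined to AD
# and whether a permission for the expected domain group is present on the host object.
# Placeholder values (hypothetical): replace with your own domain, group and cluster.
$domain    = "CORP"                  # NetBIOS name of the AD domain the hosts join
$groupName = "$domain\ESX Admins"    # principal as it appears in the host's permission list
$roleName  = "Admin"                 # role the permission rule is expected to grant
$cluster   = Get-Cluster -Name "Cluster01"

foreach ($vmhost in ($cluster | Get-VMHost)) {
    # Domain membership as reported by the host's authentication configuration
    $auth   = Get-VMHostAuthentication -VMHost $vmhost
    $joined = ($auth.DomainMembershipStatus -eq "Ok")

    # Permissions visible on the host object; keep only the expected group principal
    $perm = Get-VIPermission -Entity $vmhost | Where-Object {
        $_.Principal -eq $groupName -and $_.IsGroup
    }

    # One row per host; a host is "OK" only if joined and the permission carries the role
    New-Object PSObject -Property @{
        Host          = $vmhost.Name
        Domain        = $auth.Domain
        DomainJoined  = $joined
        HasPermission = [bool]$perm
        Role          = if ($perm) { $perm.Role } else { $null }
        Propagate     = if ($perm) { $perm.Propagate } else { $null }
        OK            = ($joined -and $perm -and ($perm.Role -eq $roleName))
    }
}
```

Because this reads the permissions the host actually holds rather than the profile's compliance result, a host that shows OK here while the profile still reports "does not exist" points at the compliance check rather than at a missing permission.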