VMware Cloud Community
DMCurtis
Contributor

VC Login

Hi Folks,

VC 2.0.1 and ESX 3.01

I am trying to lock down access to VC and use MOM to monitor any AD group membership changes to the AD global groups I have defined.

I have removed the local Administrator group from VC and specified only the domain group account with the Administrator role.

In VC I have tied the other various roles to the AD groups but now when I log in to VC I have to specify the domain\username format instead of just username.

Is there a way around this log in format (domain\username) without using local groups? It's just so much to type!

Thanks

Darren

0 Kudos
10 Replies
jasonboche
Immortal

I've not seen this happen before. I'm always allowed to log in without prefixing with my domain name. Is your VC server in a different domain than your user ID resides in?

VCDX3 #34, VCDX4, VCDX5, VCAP4-DCA #14, VCAP4-DCD #35, VCAP5-DCD, VCPx4, vEXPERTx4, MCSEx3, MCSAx2, MCP, CCAx2, A+
esiebert7625
Immortal

Do you have multiple AD domains/forests? VC always uses whatever domain the server is a member of.

0 Kudos
DMCurtis
Contributor

No, they are both in the same domain.

I restarted the VC services as well, but unless I use the domain\username format I get the "Permission to perform this operation was denied".

I will try a server reboot next...

0 Kudos
DMCurtis
Contributor

We do have multiple domains, but the VC is in the same domain as the domain account I am using to log in, which is a domain admin account.

0 Kudos
esiebert7625
Immortal

Is the domain that VC is in a parent or child (sub) domain?

DMCurtis
Contributor

Sadly, after the reboot nothing changed. I still have to prefix my username with the domain in order to log in, which is a bit painful.

This is not much of a problem for us administrators, but I have lots of application support folks who need access, and I know they will struggle.

Maybe I will just create a few local groups, with the specific roles, and drop the domain groups in them. The only issue with that is I will have to configure MOM to also watch and alert on any local group membership changes as well.

I read somewhere that it is best practice to have local groups with roles defined in VC and the domain groups placed in the locals.

0 Kudos
DMCurtis
Contributor

The domain that VC is in is a child domain. Unfortunately, I have no access to the parent. It is some sort of security best practice here.

0 Kudos
DMCurtis
Contributor

I figured out my problem.

I had forgotten that I had created a local Windows user account on the VC server, which was identical in spelling to my Windows domain admin account. This local Windows account had no permissions or rights within VC.

Even though I was using the domain account to log into VC, which had all the correct roles, VC authenticated with the local account first, which had no access.

Moral of the story... don't create a local Windows account with the same name as the domain account unless both have permissions defined in VC.

0 Kudos
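
A check for the condition described in the resolution above, as an added example that is not part of the original thread: it lists local accounts on the VC server whose names match domain accounts that receive VC roles through AD groups. The group names are placeholders, and it assumes Windows PowerShell 5.1 or later with the RSAT ActiveDirectory module available on the server.

```powershell
# Added example: find local accounts on the VirtualCenter server whose names
# collide with domain accounts that hold VC roles through AD groups.
# Assumptions: Windows PowerShell 5.1+ (Get-LocalUser), the RSAT
# ActiveDirectory module, and placeholder group names.
#Requires -Modules ActiveDirectory

param(
    # Hypothetical names: replace with the AD groups tied to VC roles.
    [string[]]$VcRoleGroups = @('VC-Admins', 'VC-AppSupport')
)

# Domain users who receive VC permissions via those groups
# (-Recursive expands nested groups down to their leaf members).
$domainUsers = foreach ($group in $VcRoleGroups) {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object @{ n = 'Group'; e = { $group } }, SamAccountName
}

# Local accounts on this server, indexed by name. Hashtables created with
# @{} compare keys case-insensitively, as Windows account names do.
$localByName = @{}
Get-LocalUser | ForEach-Object { $localByName[$_.Name] = $_ }

# Every domain user whose bare username also exists as a local account.
$collisions = foreach ($user in $domainUsers) {
    $local = $localByName[$user.SamAccountName]
    if ($local) {
        [pscustomobject]@{
            Account      = $user.SamAccountName
            ViaGroup     = $user.Group
            LocalEnabled = $local.Enabled
            LocalSID     = $local.SID.Value
        }
    }
}

if ($collisions) {
    $collisions | Sort-Object Account | Format-Table -AutoSize
    Write-Warning 'Local accounts share names with domain accounts that hold VC roles.'
} else {
    'No local/domain name collisions found.'
}
```

Run it on the VC server itself, since the local account database it reads is the one a bare username is checked against.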
esiebert7625
Immortal

Cool, thanks for posting your resolution.

0 Kudos
osvaldo1
Contributor

Good afternoon

I have VMware Infrastructure to work.

However I installed VCenter in an it plans W2K3 and I have SQL to run in another it plans and I configured ODBC.

I installed it Web Access more I don't know the user and password to insert. I don't also get to do to work the virtual center in it plans it with w2k3.

0 Kudos