marvinb
Enthusiast

replacing the default Administrators group


By default, all users who are members of the Windows Administrators group on the VC server are granted the same access rights as any user assigned to the Administrators role (page 232 of Admin Guide). However, there are some users in that group that are not VMware knowledgeable, so I do not want to grant them this permission. I have tried several things to remove the Administrators permission (that is the default) and add domain users with the admin role. For our shop, I think this will work.

Well, I tried that, but after adding the users who I want to have the administrators role, I cannot figure out how to remove the Administrators group. I can't even remove any of the users that I had just added. When I go to the Add Permissions section on the datacenter, no users/groups show up when I select the administrator role. What am I doing wrong?

1 Solution

Accepted Solutions
mstahl75
Virtuoso

Create a new Administrator role and assign your group, however you made it, to the new administrators role on the top level of your VC Infrastructure (Hosts & Clusters) and be sure to propagate the permissions. Do this by selecting the permissions and Add Permission.... It would be best to add a group to this permission, either a local group on the VC server (don't have to be administrators) or a domain group. Then you only have to add/remove members from that group -- once you assign a permission you can't change membership in that permission as far as I can see (short of maybe editing the database).

I would use a test account that isn't an administrator on the server and verify that account can access everything you would expect an administrator to access. Once you are sure everything is working as it should you should be able to Delete the default Administrators user/group from the Administrator role.

I have never done this but from looking it over it should work without issue. Before deleting the main administrator role you might be sure to have a good backup of the database just in case.

3 Replies
dinny
Expert

Hiya,

You can remove the permissions - I do a similar thing to your proposal.

In the VC client, click on the top level of your VC structure - Hosts and clusters by default - then select the permissions tab on the right.

You should then see the various groups/users.

Right-click the one you want and select "delete".

Dinny

marvinb
Enthusiast

Thanks for your help. Ended up doing something very similar.
