I have been given an account assigned the read-only role in vCenter Server (running version 7.0.3). I need to document who exactly has administrator role permissions in the same vCenter Server. Under the permissions tab, I can see a list of users/groups. But for the entries which are groups, I cannot seem to expand the lists within vCenter to see who the actual members are, and whether the members are local users/groups, or domain users/groups.
I was personally given an @vsphere local account but I think some users/groups may still be accessing vCenter via AD integration possibly, be those direct ACE entries on the permissions tab, or members under the users/groups listed in permissions (which is what I am expecting). In the permissions tab I have noticed the ‘defined in’ column, some entries are listed as ‘global permission’, and others are listed as ‘this object and its children’. I am not too sure how to differentiate which users/groups are 'local' vCenter server accounts, and any which are AD integrated users/groups, unless you can go off the prefix in the user/group column itself?
Is there any way within vCenter itself, or via any other tools/scripts you are aware of, to get a list of who is in each group listed in the permissions tab, that I can either screenshot or export to a file? I did notice greyed out add/edit/delete options in the permissions tab, which may mean with the admin role you can actually delve into which accounts are actually in each group, and the limited read-only role account I am working with may be the problem as to why I can't expand/view the group members.