    VMRC Permissions Voodoo - Limiting Console Access Based on AD Group and VM Folder

    KWKirchner Novice

      We are permitting administrators access to the console of their VMs using VMRC. Our Unix admins get access to their VMs, and Windows admins likewise, but they should not have the ability to access each other's consoles.


      We have set up a "VMRC Console" role and have permitted only "Virtual machine/Interaction/Console Interaction" for this role. When we apply this role to the AD user group for Unix admins (for example) on the ESXi host objects, they are not able to connect unless we set the propagate option. When we do that, they now have access to ALL consoles, not just theirs. As soon as we uncheck the propagate, they can only see their VMs again, but cannot access the consoles.


      What is the secret sauce here to limit them to their own consoles? I can see why this is happening, but I was hoping the VM Folder permissions would have limited their access. Apparently the Host permissions are overriding the VM Folder permissions (and that's not surprising, really).