7 Replies Latest reply on Feb 20, 2019 10:11 AM by MarcLaf

    Cannot figure out where particular vCenter user is getting permissions from

    MarcLaf Novice

      ESX 6.0 and vCenter 6.5 (Appliance)

      We have an AD user account that is supposed to be configured as Read Only within vCenter which is used for system monitoring. The application people were having issues with authentication so I logged into vCenter using the credentials originally provided and it worked no problem, however, to my surprise, this account could do WAAAY more than just read only. Configure VM's, start/stop VMs, and more. I checked the account permissions and saw it was added to 1 group - ReadOnly - which is assigned the Role of Read-only. There were a few other accounts in this group so I logged in as them and I got what I should - read only. Everything else was greyed out.

      I removed the user account from the ReadOnly group and tried to log in - I could. And the permissions were the same as before.

      After scouring all groups and permissions (each level from vCenter down) I cannot find for the life of me where this account is getting access! It's not a member of any AD groups other than Domain Users so it's not getting it from AD.

      I created a brand new vanilla AD account and tried logging into vCenter - could not log in (expected). I added it to the same ReadOnly group - I could log in with read only.

      I'm starting to slowly lose my mind....