https://communities.vmware.com/t5/VMware-vCenter-Discussions/SSO-Moving-user-to-another-OU-breaks-SSO/m-p/2670082#M36197 <HTML><HEAD></HEAD><BODY><P><STRONG>Hi All</STRONG> <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://communities.vmware.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P><P></P><P>IMHO, I think that u can use CN=OU_Name,DC=domain,DC=com and that OU contains all of vCenter admins and users in ur enviroment..<BR />I never tested that, but I think it goes levels down..I.e. if u have another OU inside, its users will be contained..</P></BODY></HTML> Thu, 18 Jul 2013 09:51:36 GMT ShadyMalatawey 2013-07-18T09:51:36Z https://communities.vmware.com/t5/VMware-vCenter-Discussions/SSO-Moving-user-to-another-OU-breaks-SSO/m-p/2670080#M36195 <HTML><HEAD></HEAD><BODY><P>Hey all,</P><P></P><P>Have been using vCenter 5.1 with SSO for about 6 months now without issues.&nbsp; Today though I have been testing some new GPO changes I need to make and realized my users were still in the default Users folder in AD so I can't applied user GPOs to them.&nbsp; Not a biggy so I created a new OU and moved myself into a new Admin AU and created a test user into a new users OU, and so far all seemed fine, until i tried to log into my vSphere Client.</P><P></P><P>Now when I logon with Windows Credentials I can't connect as it says incorrect user or password.</P><P></P><P>When I look at the SSO settings for my Active Directory Identity Source I realized its because I have pointed it to the CN=Users,DC=mydomain,DC=local but the users I just moved out now don't work.&nbsp; So my question is, do i need to create another identity source for my new OU and for each one so have multiple Identity Sources for CN=Admins,DC=mydomain,DC=local and CN=NewUsers,DC=mydomain,DC=local or would I be better of just going with something like DC=mydomain,DC=local for the BaseDN in a single identity source?</P><P></P><P>And if I created a OUs below OUs does the SSO identity source go down multiple levels yeah?</P><P><BR />Thanks,</P><P></P><P>Andy</P></BODY></HTML> Wed, 17 Jul 2013 23:33:43 GMT https://communities.vmware.com/t5/VMware-vCenter-Discussions/SSO-Moving-user-to-another-OU-breaks-SSO/m-p/2670080#M36195 AndyR8939 2013-07-17T23:33:43Z https://communities.vmware.com/t5/VMware-vCenter-Discussions/SSO-Moving-user-to-another-OU-breaks-SSO/m-p/2670081#M36196 <HTML><HEAD></HEAD><BODY><P>For my setup, i use <SPAN style="color: #333333; font-family: Arial, Helvetica, sans-serif; font-size: 12px;">DC=mydomain,DC=com and it works</SPAN></P><P></P><P>Regards</P><P>Girish</P></BODY></HTML> Thu, 18 Jul 2013 04:34:13 GMT https://communities.vmware.com/t5/VMware-vCenter-Discussions/SSO-Moving-user-to-another-OU-breaks-SSO/m-p/2670081#M36196 raog 2013-07-18T04:34:13Z https://communities.vmware.com/t5/VMware-vCenter-Discussions/SSO-Moving-user-to-another-OU-breaks-SSO/m-p/2670082#M36197 <HTML><HEAD></HEAD><BODY><P><STRONG>Hi All</STRONG> <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://communities.vmware.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P><P></P><P>IMHO, I think that u can use CN=OU_Name,DC=domain,DC=com and that OU contains all of vCenter admins and users in ur enviroment..<BR />I never tested that, but I think it goes levels down..I.e. if u have another OU inside, its users will be contained..</P></BODY></HTML> Thu, 18 Jul 2013 09:51:36 GMT https://communities.vmware.com/t5/VMware-vCenter-Discussions/SSO-Moving-user-to-another-OU-breaks-SSO/m-p/2670082#M36197 ShadyMalatawey 2013-07-18T09:51:36Z https://communities.vmware.com/t5/VMware-vCenter-Discussions/SSO-Moving-user-to-another-OU-breaks-SSO/m-p/2670083#M36198 <HTML><HEAD></HEAD><BODY><P>Thanks both.&nbsp; I'll probably set it up like roag said and just point it to <STRONG><SPAN style="color: #333333; font-family: Arial, Helvetica, sans-serif; font-size: 12px;"> </SPAN><SPAN style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #333333;">DC=mydomain,DC=com</SPAN></STRONG><SPAN style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #333333;"> because I don't need to control access at the SSO level more than that, because vCenter access is all controlled by AD groups on there anyway, so it'll make it easier have it referencing my whole domain anyway.</SPAN></P><P><SPAN style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #333333;"><BR /></SPAN>Thanks guys!</P></BODY></HTML> Thu, 18 Jul 2013 20:23:32 GMT https://communities.vmware.com/t5/VMware-vCenter-Discussions/SSO-Moving-user-to-another-OU-breaks-SSO/m-p/2670083#M36198 AndyR8939 2013-07-18T20:23:32Z