The group lists in vCenter Server and an ESX/ESXi host are drawn from the same sources as the user lists. If
you are working through vCenter Server, the group list is called from the Windows domain. If you are logged
on to an ESX/ESXi host directly, the group list is called from a table maintained by the host.
Create groups for the vCenter Server system through the Windows domain or Active Directory database.
Create groups for ESX/ESXi hosts using the Users and Groups tab in the vSphere Client when connected
directly to the host.
NOTE If you use Active Directory groups, make sure that they are security groups and not distribution groups.
Permissions assigned to distribution groups are not enforced by vCenter Server. For more information on
security groups and distribution groups, see the Microsoft Active Directory documentation.
Removing or Modifying Users and Groups
When you remove users or groups, you also remove permissions granted to those users or groups. Modifying
a user or group name causes the original name to become invalid.
See the Security chapter in the ESX Configuration Guide or ESXi Configuration Guide for information about
removing users and groups from an ESX/ESXi host.
To remove users or groups from vCenter Server, you must remove them from the domain or Active Directory
users and groups list.
If you remove users from the vCenter Server domain, they lose permissions to all objects in the vSphere
environment and cannot log in again. Users who are currently logged in and are removed from the domain
retain their vSphere permissions only until the next validation period (the default is every 24 hours). Removing
a group does not affect the permissions granted individually to the users in that group, or those granted as
part of inclusion in another group.
If you change a user’s name in the domain, the original user name becomes invalid in the vCenter Server
system. If you change the name of a group, the original group becomes invalid only after you restart the vCenter
Server system.
Best Practices for Users and Groups
Use best practices for managing users and groups to increase the security and manageability of your vSphere
environment.
VMware recommends several best practices for creating users and groups in your vSphere environment:
- Use vCenter Server to centralize access control, rather than defining users and groups on individual hosts.
- Choose a local Windows user or group to have the Administrator role in vCenter Server.
- Create new groups for vCenter Server users. Avoid using Windows built-in groups or other existing
  groups.
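The following added example (not VMware code) audits group-to-role pairings against the note on distribution groups and the best practice on built-in groups. It decodes the Active Directory groupType attribute and checks for the built-in SID prefix S-1-5-32-. The group names, SIDs, the "Datacenter" object and the record layout are constructed sample data.

```python
# Added example. Group names, SIDs and the record layout are constructed
# sample data standing in for an Active Directory export.
SECURITY_ENABLED = 0x80000000     # AD groupType flag set on security groups
SCOPES = {0x2: "global", 0x4: "domain local", 0x8: "universal"}
BUILTIN_SID_PREFIX = "S-1-5-32-"  # well-known SIDs of Windows built-in groups

GROUPS = [
    {"name": "vc-vm-operators", "groupType": -2147483646, "sid": "S-1-5-21-1111-2222-3333-1105"},
    {"name": "vc-notify-list", "groupType": 2, "sid": "S-1-5-21-1111-2222-3333-1106"},
    {"name": "Administrators", "groupType": -2147483643, "sid": "S-1-5-32-544"},
]
# (group, role, inventory object) pairings; the export format is an assumption
PERMISSIONS = [
    ("vc-vm-operators", "Virtual Machine User", "Pool A"),
    ("vc-notify-list", "Read Only", "Pool B"),
    ("Administrators", "Administrator", "Datacenter"),
]

def decode_group_type(group_type):
    """Return (is_security_group, scope) for an AD groupType value."""
    # LDAP returns groupType as a signed 32-bit integer, so security groups
    # appear negative; mask to unsigned before testing bits.
    value = int(group_type) & 0xFFFFFFFF
    scope = next((n for bit, n in SCOPES.items() if value & bit), "unknown")
    return bool(value & SECURITY_ENABLED), scope

def audit_permissions(groups, permissions):
    """Return (group, object, reason) for each pairing that needs attention."""
    by_name = {g["name"]: g for g in groups}
    findings = []
    for principal, _role, obj in permissions:
        group = by_name.get(principal)
        if group is None:
            # A renamed or removed group leaves the original name invalid.
            findings.append((principal, obj, "not in directory export"))
            continue
        is_security, scope = decode_group_type(group["groupType"])
        if not is_security:
            # Permissions on distribution groups are not enforced.
            findings.append((principal, obj, f"{scope} distribution group"))
        if group["sid"].startswith(BUILTIN_SID_PREFIX):
            findings.append((principal, obj, "Windows built-in group"))
    return findings

if __name__ == "__main__":
    for finding in audit_permissions(GROUPS, PERMISSIONS):
        print(*finding, sep=" | ")
```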
Using Roles to Assign Privileges
A role is a predefined set of privileges. Privileges define basic individual rights required to perform actions
and read properties.
When you assign a user or group permissions, you pair the user or group with a role and associate that pairing
with an inventory object. A single user might have different roles for different objects in the inventory. For
example, if you have two resource pools in your inventory, Pool A and Pool B, you might assign a particular
user the Virtual Machine User role on Pool A and the Read Only role on Pool B. This would allow that user to
power on virtual machines in Pool A, but not those in Pool B, although the user would still be able to view the
status of the virtual machines in Pool B.
Chapter 18 Managing Users, Groups, Roles, and Permissions
VMware, Inc.