RTFM Education – Virtualization, VMware, Citrix

Oct 5 2009   3:12AM GMT

What I learned this week: vCenter allows you deny your own rights…

MikeLaverick

This is quite funny. vCenter 4.0 allows you to deny yourself your own rights. That’s right: as the administrator you can block or remove your own privileges on an object. Once you remove your own rights, the object disappears from the inventory – which means of course you can’t select it again to add yourself back in! It’s not unlike the Microsoft experience, where in NTFS permissions you fail to include an administrator and receive the “access denied” message. At least with NTFS permissions you can right-click the folder and add yourself back in. Not so with vCenter permissions.

Another interesting weirdness is when you are a member of multiple groups. If you add in group1 and group2 and you’re a member of both – one has read and the other has administrator – your effective permission would be the most restrictive one: read. This can show itself when you accidentally add in a built-in group of which the administrator account is also a member, like Remote Desktop Users or Domain Users. If you give one of these built-in groups a lower privilege, you can find your own privileges diminished to such a degree that you will be looking for another vCenter administrator account to give yourself rights back.

I’ve seen this happen in my own lab environments – when I haven’t been engaging the brain – and dismissed it as an anomaly that would hardly ever happen. Until last week, when one of my students (in fact a couple of them) did precisely this (because the lab instructions told them to!). We ended up having to create a temporary local user account (which wasn’t a member of any of the built-in groups) and giving it access to the Local Administrators group on the vCenter box. Fortunately, the local “Administrators” group in the Windows SAM was still listed as being an “Administrator” in vCenter. Not that it would pass any audit in most corporates nowadays… :-)
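As an added example (not from the post above, and not VMware's own tooling), here is a PowerCLI wrapper that refuses both lockout paths described above before it grants a permission: it checks whether the account running it is, or belongs to, the principal about to receive a lower role, and it checks that some other principal keeps the Administrator role on the root folder. It assumes PowerCLI is loaded with an existing Connect-VIServer session, that the built-in Administrator role is reported as 'Admin', and that the Windows identity API reports group names in the same 'DOMAIN\name' form that vCenter shows (local BUILTIN groups may be named differently).

```powershell
# Added example, not part of the original post or of VMware's own tooling.
# Assumes: PowerCLI loaded and Connect-VIServer already run; the built-in
# Administrator role is named 'Admin'; principals appear as 'DOMAIN\name'.

function Grant-VIPermissionSafely {
    param(
        [Parameter(Mandatory)] [string] $Principal,   # group or user, e.g. 'LAB\Domain Users'
        [Parameter(Mandatory)] [string] $RoleName,    # e.g. 'ReadOnly'
        [Parameter(Mandatory)] $Entity                # inventory object, e.g. Get-Datastore 'ds1'
    )

    $root = Get-Folder -NoRecursion                    # top of the inventory tree
    $me   = "$env:USERDOMAIN\$env:USERNAME"

    # Groups the account running this script belongs to, resolved to DOMAIN\name
    # (unresolvable SIDs are skipped).
    $myGroups = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
        ForEach-Object {
            try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        }

    if ($RoleName -ne 'Admin') {
        # Lockout path 1: a lower role on a group I belong to lowers my own effective rights.
        if ($Principal -eq $me -or $myGroups -contains $Principal) {
            throw "Refusing: '$me' is (or is a member of) '$Principal'; '$RoleName' would reduce your own rights."
        }

        # Lockout path 2: never lower the role, on any object, of the only principal that
        # holds Admin on the root folder; once the object vanishes from the inventory
        # there is nobody left who can add the permission back.
        $otherAdmins = Get-VIPermission -Entity $root |
            Where-Object { $_.Role -eq 'Admin' -and $_.Principal -ne $Principal }
        if (-not $otherAdmins) {
            throw "Refusing: '$Principal' is the only Admin principal on '$($root.Name)'."
        }
    }

    $role = Get-VIRole -Name $RoleName
    New-VIPermission -Entity $Entity -Principal $Principal -Role $role -Propagate $true
}

# Usage (constructed values): give a group read-only access to one datastore.
# Grant-VIPermissionSafely -Principal 'LAB\Domain Users' -RoleName 'ReadOnly' -Entity (Get-Datastore 'ds1')
```

The second check is deliberately broad: it also stops the datastore scenario from the comment below, where a read-only role on one object overrode the only Administrator permission the account had.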

1  Comment on this Post

  • brandon113
    Thanks for this post. We just gave ourselves Read-only access to our datastores and couldn't change it. Even after removing ourselves from the group that had the Read-only role we couldn't get our perms back. We ended up creating a local admin on the Windows server and then gave that account admin perms. Then we could log in with the local account and remove the Read-only.
