
VMware User Accounts and Role Administration in an AD Integrated Environment

lipotech asked:
I am managing a VMware v6x environment that is currently AD integrated. I have a question concerning how to manage roles in an AD integrated environment. Do I manage the users' roles from within AD using GPOs, or do I manage the user roles from within the Web Client? I need to determine the most expedient and secure method to manage user account roles within a VMware configuration that is AD integrated. I have a current AD group, for example AD_vSphere, populated with all of the VMware users as members. Once again, should I control the role settings from within AD or the Web Client console?

Lipotech

Andrew Hancock (VMware vExpert / EE Fellow), VMware and Virtualization Consultant
Fellow 2018
Expert of the Year 2017

Commented:
vCenter Server and AD. (Roles and Groups)

e.g. you should have groups defined in AD, which you add users to in AD, and then those groups are added to vCenter Server permissions and roles are assigned.
lipotech, Sys Eng

Author

Commented:
Do I manage the users' roles from within AD using GPOs, or do I manage the user roles from within the Web Client? Should I 'ALWAYS' control the role settings from within AD or the Web Client console? If I make a change from within the Web Console, will that change sync within AD?

I assume best practice in the case of AD integration would be to control the user account access and permissions from within AD using GPOs?
Andrew Hancock (VMware vExpert / EE Fellow), VMware and Virtualization Consultant
Fellow 2018
Expert of the Year 2017

Commented:
This is VMware vSphere vCenter Server access?
lipotech, Sys Eng

Author

Commented:
Yes. This is VMware vSphere vCenter AD integrated access.

Lipotech
Andrew Hancock (VMware vExpert / EE Fellow), VMware and Virtualization Consultant
Fellow 2018
Expert of the Year 2017

Commented:
Okay, so you need to do both.

Create a user in AD, add to a group, and then add that group/user to Permissions in vCenter Server, and allocate a role in vCenter Server.

See here:

https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.security.doc/GUID-FAA074CC-E8C9-4F13-ABCF-6CF7F15F04EE.html
lipotech, Sys Eng

Author

Commented:
Andrew,

So I must create the Group in AD and in vCenter?

Lipotech
Andrew Hancock (VMware vExpert / EE Fellow), VMware and Virtualization Consultant
Fellow 2018
Expert of the Year 2017

Commented:
It really depends on how you manage your AD. Creating groups simplifies management functions in AD, because then you just have to add users to groups, rather than having to add individual users for AD functions.

No groups are created in vCenter Server; AD groups are added to a vCenter object, e.g. a folder, and a role is assigned to the AD group.
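The split described in this answer, written out as an added PowerShell example (not code from the thread or from VMware): group membership is maintained in AD with the ActiveDirectory module, while the binding of that group to a role on a vCenter object is maintained in vCenter with PowerCLI, and nothing in vCenter writes back to AD. AD_vSphere is the group from the question; the domain name, vCenter host, folder name, user name and the custom role's privileges are assumed placeholders.

```powershell
# Added example. Assumed placeholders: domain CORP, vCenter vcsa.corp.example,
# folder "Dev VMs", user jdoe. AD_vSphere is the group named in the question.
Import-Module ActiveDirectory
Import-Module VMware.PowerCLI

$Domain  = 'CORP'
$Group   = 'AD_vSphere'
$VCenter = 'vcsa.corp.example'
$Folder  = 'Dev VMs'

# 1. Membership is an AD concern: users are added to the group here, not in vCenter.
Add-ADGroupMember -Identity $Group -Members 'jdoe'

# 2. Authorization is a vCenter concern: the AD group is bound to an object with a role.
Connect-VIServer -Server $VCenter | Out-Null

# A least-privilege custom role (assumed name and privilege set) rather than the
# built-in Administrator role for a group that only needs to power VMs on and off.
$RoleName = 'VM Power Operator'
if (-not (Get-VIRole -Name $RoleName -ErrorAction SilentlyContinue)) {
    $privs = Get-VIPrivilege -Id 'VirtualMachine.Interact.PowerOn',
                                 'VirtualMachine.Interact.PowerOff'
    New-VIRole -Name $RoleName -Privilege $privs | Out-Null
}

# Bind AD group -> role -> folder, propagated to the VMs inside that folder.
$entity = Get-Folder -Name $Folder
New-VIPermission -Entity $entity -Principal "$Domain\$Group" `
                 -Role $RoleName -Propagate:$true | Out-Null

# 3. Verify what the group can actually do on that object; rerun this as a periodic
#    access review, since a change here is visible only in vCenter, never in AD.
Get-VIPermission -Entity $entity |
    Where-Object Principal -eq "$Domain\$Group" |
    Select-Object Principal, Role, Propagate, Entity

Disconnect-VIServer -Server $VCenter -Confirm:$false
```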
lipotech, Sys Eng

Author

Commented:
Thank you.
Andrew Hancock (VMware vExpert / EE Fellow), VMware and Virtualization Consultant
Fellow 2018
Expert of the Year 2017

Commented:
No problems.