Strange vCenter Permissions Issue

Today I came across a strange issue with permissions and the lack of ability to change permissions on a VM.

Someone had by mistake given the explicit Role VirtualMachineUser to the Built-in Group Users. Don’t ask how.

What did this cause?

  1. Every single user in the domain now had access to the machine - which was not a good thing.
  2. No-one could change the permissions for this VM!

Here is what a screenshot looked like when logging in as a Full Admin. I could not change the permissions.

Bad Permissions

It took me a while to understand why this addition caused these two issues.

What is the Users group? Microsoft’s definition:

The Users group is the most secure, because the default permissions allotted to this group do not allow members to modify operating system settings or other users’ data.

Who are the members of the Users group on the vCenter Server?  All the Domain Users and Authenticated Users


Which means - that no matter who logs on to the server from the domain or locally - they would not be able to change the permissions on the VM. Because they are always - no matter what, part of Authenticated Users.

The reason that this happens is explained very well with some good examples in the
vSphere Basic System Administration Guide


The last line is what is important:

If a permission is defined for the user on that object, the user’s permission takes precedence over all group permissions.

So here we had a the Administrators who had full permission at the root (propagated), and another group (which all users are members of) that had a lesser permission defined at a specific level. So here the second permission was applied.

Now I was not planning on removing Authenticated Users from the default Users group - especially not from a production server.

So the only other way that was possible to solve this was to change the role add allow the additional rights to change permissions

Change role

And after I had given the correct rights I could now remove the permissions that were erroneously assigned

Fixed Permissions

Have you had any other weird permissions issues with vCenter? If so would you like to share?