Removing Local Administrators from the vCenter Server Administrator role
search cancel

Removing Local Administrators from the vCenter Server Administrator role

book

Article ID: 305822

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
When you are attempt to secure your vCenter Server by removing access from non-vCenter Server Administrators, you experience these symptoms:
  • You are unable to remove the Administrators group from the default Administrator role at the vCenter Server top level permissions tab.
  • Removing an Administrators group in vCenter Server fails with the error:

    The requested change cannot be completed because it could leave the system without full administrative privileges for a user or group.


Environment

VMware vCenter Server 

Cause

This is expected behavior and a safety precaution to prevent accidental lockout from the vCenter Server.

Resolution

To resolve this issue, grant the Administrator role to another user or group before attempting to remove the local Administrators group from the vCenter Server Administrator role.
To grant the Administrator role to another user or group:
  1. On the vCenter Server, go to the Permissions tab, right-click and click Add Permission.
  2. Click Add and click on a user or group.
  3. Under Assigned Role, select Administrator from the dropdown menu.
  4. Ensure that Propagate to Child Objects is selected and click OK.
You can now remove the local Administrators group from the vCenter Server Administrator role.