• Users or groups are unable to login to vCenter Server after restarting the VMware VirtualCenter Server service.
• The VPX_ACCESS table within the vCenter Server database is empty or does not contain entries for users or groups for a configured identity source.
• The vpxd.log file, located at C:\ProgramData\VMware\VMware VirtualCenter\Logs\ on vCenter Server, may contain errors similar to:
  
  [7FFFF3B09700 error 'Default'] Removing invalid permission 8001: user Domain\user not found
  [7FFFF3B09700 warning 'Default'] Removing permission for entity "group-d1", user "Domain\user", role -2. Reason: User or group not found
  

This behavior is modified to stop removing permission objects during startup in these versions of vCenter Server:

• vCenter Server 5.0 Update 3 and later
• vCenter Server 5.1 Update 2 and later
• vCenter Server 5.5 GA and later

• vCenter Server 5.0, available at VMware Downloads
• vCenter Server 5.1, available at VMware Downloads

• vCenter Server 5.0 Update 3 Release Notes
• vCenter Server 5.1 Update 2 Release Notes

Note: This change only impacts the startup behavior of vCenter Server. A validation check of all permission objects still occur every 24 hours and vCenter Server removes any permission objects in which a user or group is not found.

To resolve this issue, restore vCenter Server permissions from a previous backup of the vCenter Server Database.

Notes:

• It is possible to restore the vCenter Server permissions if a backup of the vCenter Server database is available before the permission objects were removed from the VPX_ACCESS table. This process involves the use of these databases:
  
  
  • vCenterDB – The current, running version of the vCenter Server database
  • vCenterBackupDB – A restored backup of the vCenter Server database before the permission objects were removed
  • TempvCenterDB – A temporary database used for recovery that gets destroyed after the recovery process
    
    
• The steps reference the generic names provided for each database type and use commands in Microsoft SQL Management Studio. The names and commands may vary based upon the configuration of your environment. It is highly recommended to engage your Database Administrator before proceeding.

To restore vCenter Server permission from a previous backup of the vCenter Server database:

1. Stop the VMware VirtualCenter Server service.
   
   For more information, see Stopping, starting, or restarting VMware vCenter Server services (1003895).
   
   
2. Restore a backup of the vCenter Server database to a temporary database:
   
   
   1. Open a Microsoft SQL Management Studio connection to the SQL Server instance in which the vCenter Server database resides.
   2. Right-click the location to which the database backup must be stored and click Restore Database.
   3. In the To Database field, enter TempvCenterDB.
   4. In the From Database field, select the name of your vCenter Server database.
      
      Note: In this case, the vCenter Server database is vCenterDB.
      
      
   5. Select the backup file to restore ensuring that it was created before the permission objects were removed.
   6. Click OK to begin the restore process.
      
      
3. Strip all data from the VPX_ACCESS table in the original vCenter Server database:
   
   
   1. Open a Microsoft SQL Management Studio connection to the SQL Server instance in which the vCenter Server database resides.
   2. Select New Query and enter this query:
      
      USE vCenterDB
      GO
      TRUNCATE TABLE vpx_access
      
      
   3. Click Execute.
      
      
4. Drop the VPX_ACCESS constraints:
   
   
   1. In Microsoft SQL Management Studio, select New Query and enter this query:
      
      USE vCenterDB
      GO
      IF EXISTS (SELECT * FROM sys.foreign_keys WHERE object_id = OBJECT_ID(N'[dbo].[FK_VPX_ACCE_REF_VPX_ENTI]') AND parent_object_id = OBJECT_ID(N'[dbo].[VPX_ACCESS]'))
      ALTER TABLE [dbo].[VPX_ACCESS] DROP CONSTRAINT [FK_VPX_ACCE_REF_VPX_ENTI]
      GO
      
      
   2. Click Execute.
      
      
5. Import the old VPX_ACCESS data from the temporary database:
   
   
   1. In Microsoft SQL Management Studio, select New Query and enter this query:
      
      INSERT INTO vCenterDB.[dbo].[VPX_ACCESS]
      SELECT * FROM TempvCenterDB.[dbo].[VPX_ACCESS]
      
      
   2. Click Execute.
      
      
6. Recreate the VPX_ACCESS constraints:
   
   
   1. In Microsoft SQL Management Studio, select New Query and enter this query:
      
      USE vCenterDB
      GO
      ALTER TABLE [dbo].[VPX_ACCESS] WITH CHECK ADD CONSTRAINT [FK_VPX_ACCE_REF_VPX_ENTI] FOREIGN KEY([ENTITY_ID])
      REFERENCES [dbo].[VPX_ENTITY] ([ID])
      ON DELETE CASCADE
      GO
      
      ALTER TABLE [dbo].[VPX_ACCESS] CHECK CONSTRAINT [FK_VPX_ACCE_REF_VPX_ENTI]
      GO
      
      
   2. Click Execute.
      
      
7. Start the VMware VirtualCenter Server service.
   
   For more information, see Stopping, starting, or restarting VMware vCenter Server services (1003895).