In vSphere 6.7, the HTML5 client may not retrieve all users and groups in an Active Directory domain. This is observed when attempting to apply a vCenter or Global permission to a user or group.
The following log message is observed in /var/log/vmware/sso/ssoAdminserver.log:
[INFO ][2018-05-11T16:24:00.564Z][] PrincipalDiscoveryServiceImpl - [User {Name: vsphere-webclient-########-####-####-####-########80c4, Domain: vsphere.local} with role 'Administrator'] Find at most 200 principals by name matching criteria searchString=, domain=example.com
The Flash-based vSphere Client can query all user and group details. Only the HTML5 client is unable to update user details.
Note: This issue does not manifest in vCenter Server 6.7.0 c, but is encountered in all other versions of 6.7.
This issue is resolved in vCenter Server 6.7 Update U3j, available at Broadcom Downloads.
For more information on patching a vCenter Server Appliance node, see Patching the vCenter Server Appliance and Platform Services Controller Appliance.