In vSphere 6.7, the HTML5 client may not retrieve all users and groups in an Active Directory domain. This is observed when attempting to apply a vCenter or Global permission to a user or group. 

The following log message is observed in /var/log/vmware/sso/ssoAdminserver.log:

[INFO ][2018-05-11T16:24:00.564Z][] PrincipalDiscoveryServiceImpl - [User {Name: vsphere-webclient-########-####-####-####-########80c4, Domain: vsphere.local} with role 'Administrator'] Find at most 200 principals by name matching criteria searchString=, domain=example.com

• Note: the domain value will differ in your environment

Using the flash-based vSphere Client allows you to query all users/groups details. Only html unable to update user details.

Note: This issue does not manifest in vCenter Server 6.7.0 c, but is encountered in all other versions of 6.7 .

This issue is resolved in vCenter Server 6.7 Update U3j available at Broadcom Downloads .

For more information on patching a vCenter Server Appliance node, see Patching the vCenter Server Appliance and Platform Services Controller Appliance