Administrator access is downgraded to read-only in vCenter Server 6.0

Article ID: 335973

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
When attempting to log in to vCenter Server 6.0 with an administrator account, you experience one of these symptoms:
  • Members of vCenter Server Administrators group are restricted to read-only permissions.
  • You are unable to log in with the [email protected] account.
  • You cannot perform administrative tasks with an administrator user.
  • You see the error:

    You do not have permission to login to the server


Environment

VMware vCenter Server 6.0.x

Cause

This issue occurs if a user is a member of more than one Active Directory group and one of these groups is configured with a read-only role on an object (for example, an ESXi host). In this case, the read-only permission is applied to that object despite the presence of an Administrator permission that has been propagated from a higher level.

Note: If the read-only permission is applied at the highest level, administrators or the [email protected] account may not have the access rights to remove this permission.

In previous versions of vCenter Server, access permissions were stored in the VPX_ACCESS table contained in the vCenter Server database. For more information, see Administrator access is downgraded to read-only in vCenter after read-only users are added (1005680).
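
The following is an added example, not VMware code: a simplified model of the rule described under Cause, used to audit an exported permission list for objects where a group permission set directly on the object hides an Administrator role propagated from a higher level. The inventory tree, group names, role names and data layout are constructed assumptions.

```python
# Constructed sample data; every name below is hypothetical.
PARENT = {"root": None, "dc-1": "root", "cluster-a": "dc-1", "esxi-01": "cluster-a"}
GROUPS = {"alice": {"VC-Admins", "Auditors"}, "bob": {"VC-Admins"}}
# Permission entries: (group, role, object, propagate to children)
PERMISSIONS = [
    ("VC-Admins", "Administrator", "root", True),
    ("Auditors", "ReadOnly", "esxi-01", False),
]


def roles_defined_on(user, obj, inherited):
    """Roles that permissions defined on obj give to the user's groups.

    When obj is an ancestor (inherited=True), only propagating
    permissions count.
    """
    return {role for group, role, target, propagate in PERMISSIONS
            if target == obj and group in GROUPS[user]
            and (propagate or not inherited)}


def effective_roles(user, obj, ignore_own=False):
    """Simplified model: the nearest object with a matching permission wins."""
    node, inherited = (PARENT[obj], True) if ignore_own else (obj, False)
    while node is not None:
        roles = roles_defined_on(user, node, inherited)
        if roles:
            return roles, node
        node, inherited = PARENT[node], True
    return set(), None


def find_downgrades(user):
    """Objects where a local permission hides an inherited Administrator role."""
    findings = []
    for obj in PARENT:
        effective, source = effective_roles(user, obj)
        inherited, _ = effective_roles(user, obj, ignore_own=True)
        if "Administrator" in inherited and "Administrator" not in effective:
            findings.append((obj, sorted(effective), source))
    return findings


if __name__ == "__main__":
    for user in GROUPS:
        print(user, find_downgrades(user))
```

Each finding names the object that carries the overriding permission, which is where the role has to be changed in the Resolution steps.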

Resolution

To resolve the issue during an account or group lockout, you must reinstate administrative access to the system.

To reinstate administrative access to the system, use one of these options:
  • This procedure requires you to create a separate user account that is a member of the [email protected] group:
    1. Log in to the vSphere Web Client with the [email protected] user.
    2. Navigate to Administration > Users and Groups > Users.
    3. Click Create New User account and add a new user.
    4. After creating a new user account, click Groups.
    5. Add the user to the [email protected] group.
    6. Log in with the user account created in step 3.
    7. On the Home Page, click on vCenter Inventory Lists.
    8. Under Resources, click vCenter Servers, locate and select the affected vCenter Server.
    9. Click the Manage tab.
    10. Click Permissions.
    11. Right-click the [email protected] user and select Change Role.
    12. Switch the role from Read-Only to Administrator and click OK.
  • This procedure requires a separate, previously created user account that is a member of the [email protected] group:
    1. Log in to the vSphere Web Client with the [email protected] user.
    2. Select Hosts and Clusters > Manage > Permissions.
    3. Change the role for the affected user(s) and/or group(s).


Additional Information

Administrator access is downgraded to read-only in vCenter after read-only users are added