Accidental Deletion of vCenter Internal Groups (e.g., DCAdmins, ActAsUsers)

Article ID: 397387

Products

VMware vCenter Server

Issue/Introduction

As part of a cleanup process, a user may accidentally delete internal groups in vCenter, such as DCAdmins or ActAsUsers, without realizing the potential impact. This deletion can lead to unexpected behavior and disruptions in vCenter functionality.

Symptoms:

  •  vCenter services may go down or become unavailable
  •  Certificate renewals may be denied
  •  Other unexpected behavior may occur due to the missing internal groups

Cause

The deletion of internal groups in vCenter can cause these issues because these groups are essential for proper vCenter functionality and security.

Resolution

To resolve this issue, the deleted internal groups need to be recreated. Here's a step-by-step guide to recreate the groups:

Step 1: Take a vCenter Snapshot/Backup

Before making any modifications, take an offline snapshot of all vCenter servers in linked mode.

Step 2: Add Missing Solution User to ActAsUsers Group

     1. Log in to vCenter using SSH and enable the shell.

     2. Get the Machine ID of the vCenter:

     /usr/lib/vmware-vmafd/bin/vmafd-cli get-machine-id --server-name localhost

     The output is an ID, referred to below as <machine-id>.

     3. Check if the vpxd solution user exists:

     ldapsearch -o ldif-wrap=no -LLL -h localhost -b "dc=vsphere,dc=local" -s sub -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -w '<SSOAdminPassword>' | grep "sAMAccountName: vpxd-<machine-id>"

     If it exists, the output will be sAMAccountName: vpxd-<machine-id>. If it does not exist, create it using the command below:

     /usr/lib/vmware-vmafd/bin/dir-cli svcaccount create --name vpxd-<machine-id>

     4. Get the list of users under the ActAsUsers group:

     ldapsearch -o ldif-wrap=no -LLL -h localhost -b "cn=ActAsUsers,dc=vsphere,dc=local" -s sub -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -w '<SSOAdminPassword>' member

     5. Add the user to the ActAsUsers group:

     /usr/lib/vmware-vmafd/bin/dir-cli group modify --name ActAsUsers --add vpxd-<machine-id>

By following these steps, you should be able to add the missing solution user to the ActAsUsers group and restore vCenter functionality.
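The Step 2 procedure above, as an added example script that is not part of the KB article: it checks the directory before it creates the solution user or adds it to the group, so it can be re-run without side effects, and the check logic is split into small functions that only parse ldapsearch output. It assumes solution-user DNs sit under cn=ServicePrincipals, that the SSO Administrator password is supplied in a file via ldapsearch -y instead of on the command line, and the LDIF sample is constructed.

```shell
#!/bin/bash
# Added example, not from the KB: idempotent version of Step 2 (steps 3-5).
# Assumptions: solution users live under cn=ServicePrincipals,dc=vsphere,dc=local;
# the SSO password is in a file (create it with printf '%s', no trailing newline)
# so it never shows up in 'ps' output or shell history.
set -u

BASE='dc=vsphere,dc=local'
ADMIN="cn=Administrator,cn=Users,$BASE"

# Expected solution-user name for a machine id (KB step 3): vpxd-<machine-id>.
vpxd_user() { printf 'vpxd-%s\n' "$1"; }

# Succeeds if the LDIF on stdin contains an exact 'sAMAccountName: <name>' line.
ldif_has_account() { grep -qx "sAMAccountName: $1"; }

# Succeeds if the LDIF on stdin has a 'member:' value whose leading RDN is cn=<name>.
# Case-insensitive, because LDAP DNs compare case-insensitively.
ldif_has_member() { grep -qi "^member: cn=$1,"; }

# Constructed sample of step 4's output on a system where vpxd-<id> is missing.
SAMPLE_MEMBERS='dn: cn=ActAsUsers,dc=vsphere,dc=local
member: cn=vpxd-extension-7f3a2c1e,cn=ServicePrincipals,dc=vsphere,dc=local
member: cn=machine-7f3a2c1e,cn=ServicePrincipals,dc=vsphere,dc=local'

# Returns 0 when the vpxd user for the given machine id is listed in the sample.
sample_has_vpxd() { printf '%s\n' "$SAMPLE_MEMBERS" | ldif_has_member "$(vpxd_user "$1")"; }

# The repair itself; run on the vCenter shell with the password file path as $1.
repair_actasusers() {
  local pwfile=$1 mid user
  mid=$(/usr/lib/vmware-vmafd/bin/vmafd-cli get-machine-id --server-name localhost) || return 1
  user=$(vpxd_user "$mid")
  # Step 3: create the solution user only if the directory does not already have it.
  if ! ldapsearch -o ldif-wrap=no -LLL -h localhost -b "$BASE" -s sub -D "$ADMIN" -y "$pwfile" \
         "(sAMAccountName=$user)" sAMAccountName | ldif_has_account "$user"; then
    /usr/lib/vmware-vmafd/bin/dir-cli svcaccount create --name "$user" || return 1
  fi
  # Steps 4-5: add to ActAsUsers only if it is not already a member.
  if ! ldapsearch -o ldif-wrap=no -LLL -h localhost -b "cn=ActAsUsers,$BASE" -s sub -D "$ADMIN" \
         -y "$pwfile" member | ldif_has_member "$user"; then
    /usr/lib/vmware-vmafd/bin/dir-cli group modify --name ActAsUsers --add "$user" || return 1
  fi
  echo "$user exists and is a member of ActAsUsers"
}
```

Running repair_actasusers twice should produce no second create or group change, which is the point of checking first.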

Additional Information

Prevention:
To avoid accidental deletion of internal groups in the future, it's recommended to:

  • Take a snapshot of the vCenter Server before making any changes to it
  • Verify the groups and permissions before making any changes
  • Take regular backups of the vCenter configuration and settings