Some vCenter Operations Not Available for AD Users Despite Administrator Role
Article ID: 405145
Products

VMware vCenter Server

Issue/Introduction

Active Directory (AD) users are unable to perform certain operations in vCenter—such as placing an ESXi host into maintenance mode—even though they are assigned an Administrator-level role. These operations succeed when using the default SSO [email protected] account but remain unavailable for AD-authenticated users.

Environment

vCenter 7.x, 8.x 

Cause

This behavior typically arises due to conflicting role assignments across multiple Active Directory groups. If a user is simultaneously a member of:

  • A group assigned Administrator permissions, and

  • Another group assigned Read-Only or other restrictive roles,

vCenter may calculate effective permissions that reflect the most restrictive access level, particularly when inheritance or role precedence is ambiguous across object hierarchies.

Resolution


  • Review AD group memberships for the affected user.

  • Identify conflicting groups that are assigned limited roles (e.g., Read-Only) within the vCenter hierarchy.

  • Remediate using one of the following options:

    • Remove the user from conflicting Read-Only groups.

    • Adjust permission assignments to ensure Administrator-level role takes precedence at the relevant object level.

  • Validate effective permissions by navigating to the object (e.g., ESXi host), selecting the Permissions tab, and checking the user’s resolved role.

vCenter determines access based on cumulative effective permissions. Restrictive roles applied through group membership—especially at or below the object level—can suppress higher-level privileges unless explicitly overridden. By removing or adjusting these conflicting role assignments, the user regains full functionality for operations like entering maintenance mode.
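The resolution steps above and the precedence rules in the Cause section can be checked offline with a small model of how vSphere resolves a principal's effective permissions on an inventory object. The script below is an added example written for this article, not VMware code; it implements the three documented rules (the nearest object carrying a matching permission decides, a permission assigned directly to the user overrides group permissions on that object, otherwise matching group permissions are unioned) over a constructed inventory. All object, user and group names are constructed, and the role table is a toy subset of the real privilege lists; the only real identifier is the `Host.Config.Maintenance` privilege that entering maintenance mode requires.

```python
"""Model of vCenter effective-permission resolution, used to reproduce the
AD-user / maintenance-mode symptom and to verify both remediation options."""
from dataclasses import dataclass, field
from typing import Optional

# Real vCenter privilege id checked when a host enters maintenance mode.
MAINTENANCE_PRIV = "Host.Config.Maintenance"

# Toy role table (assumption: real roles carry hundreds of privilege ids).
ROLES = {
    "Administrator": {"System.Anonymous", "System.Read", "System.View",
                      MAINTENANCE_PRIV, "VirtualMachine.Interact.PowerOn"},
    "Read-Only": {"System.Anonymous", "System.Read", "System.View"},
    "No access": set(),
}


@dataclass
class Permission:
    principal: str   # user or group name (constructed values below)
    role: str        # key of ROLES
    propagate: bool  # the "Propagate to children" setting
    is_group: bool


@dataclass
class InvObject:
    name: str
    parent: Optional["InvObject"] = None
    permissions: list = field(default_factory=list)


def lineage(obj):
    """Yield obj, then each ancestor up to the inventory root."""
    while obj is not None:
        yield obj
        obj = obj.parent


def effective_privileges(obj, user, groups):
    """Return (privilege set, name of the object whose permissions decided).

    Rules as documented for vSphere:
      1. The nearest object (obj itself, then ancestors whose permission
         propagates) that carries a permission for the user or one of the
         user's groups decides; anything further up the tree is ignored.
      2. On that object a permission assigned directly to the user overrides
         every group permission.
      3. Otherwise the user receives the union of all matching group roles.
    """
    for node in lineage(obj):
        matching = [p for p in node.permissions
                    if (node is obj or p.propagate)
                    and ((not p.is_group and p.principal == user)
                         or (p.is_group and p.principal in groups))]
        if not matching:
            continue
        direct = [p for p in matching if not p.is_group]
        if direct:
            return set(ROLES[direct[0].role]), node.name
        privs = set()
        for p in matching:
            privs |= ROLES[p.role]
        return privs, node.name
    return set(), None


def can_enter_maintenance(host, user, groups):
    privs, _ = effective_privileges(host, user, groups)
    return MAINTENANCE_PRIV in privs


def build_inventory():
    """Constructed inventory reproducing the article's scenario:
    Administrator for the admin group at the root (propagating), Read-Only
    for a second group assigned directly on the host."""
    root = InvObject("vCenter (root)")
    dc = InvObject("Datacenter", parent=root)
    cluster = InvObject("Cluster01", parent=dc)
    host = InvObject("esx01.corp.example", parent=cluster)
    root.permissions.append(Permission("CORP\\vSphere-Admins", "Administrator", True, True))
    host.permissions.append(Permission("CORP\\Virt-Viewers", "Read-Only", True, True))
    return root, dc, cluster, host


def demo():
    """Symptom, then each remediation from the Resolution section."""
    root, dc, cluster, host = build_inventory()
    user = "CORP\\jdoe"
    groups = {"CORP\\vSphere-Admins", "CORP\\Virt-Viewers"}
    before = can_enter_maintenance(host, user, groups)  # Read-Only wins on the host
    # Option 1: remove the user from the conflicting Read-Only group.
    after_membership = can_enter_maintenance(host, user, groups - {"CORP\\Virt-Viewers"})
    # Option 2: assign Administrator to the admin group on the host itself, so the
    # two group permissions are unioned at that object.
    host.permissions.append(Permission("CORP\\vSphere-Admins", "Administrator", True, True))
    after_assignment = can_enter_maintenance(host, user, groups)
    return before, after_membership, after_assignment


if __name__ == "__main__":
    print(demo())
```

Against a live vCenter the same inputs are what the Permissions tab shows per object; with PowerCLI, `Get-VIPermission` lists the principal, role, entity and propagate flag of each assignment and `Get-VIRole` returns a role's privilege list, so the walk above can be fed from real data instead of the constructed inventory.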