Domain user has certain options greyed out in the Roles section in the vCenter Administration page


Article ID: 410867


Products

VMware vCenter Server

Issue/Introduction

For example, when logged in to vCenter as a domain user who is a member of an Active Directory group that holds the Administrator role in Global Permissions, the New, Edit, Clone and Delete options are greyed out on the Roles tab of the Administration page in vCenter.

As shown in the screenshot below, the options are greyed out:

As a test, if the domain user who is a member of the impacted Active Directory group is added to Global Permissions on its own and given the Administrator role, the options are no longer greyed out for that domain user.

It is not possible to delete the impacted Active Directory group from Global Permissions: when the vCenter page is refreshed, the group is still present.

Environment

vCenter 7.x

Resolution

Take a snapshot of the vCenter Server before proceeding.

Run the following LDAP search on the vCenter Server to dump the directory, so that the impacted group and its global permission entry can be found:

/opt/likewise/bin/ldapsearch -LLL -h localhost -p 389 -x \
  -b "dc=vsphere,dc=local" -s sub \
  -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -W \
  "(objectClass=*)" + '*' > "$(hostname)_$(date +%d-%m-%Y).ldif"

Edit the above command if the SSO domain is not vsphere.local.

Enter the password for the administrator@vsphere.local user when prompted for the LDAP password.

Search the .ldif file generated by the above command for the global permission entry of the impacted group. Its DN should look like the following, where ImpactedGroupName stands for the name of the impacted Active Directory group:

cn=ImpactedGroupName@true@urn%3Aacl%3Aglobal%3Apermissions,cn=AclModel,cn=VmwAuthz,cn=services,dc=vsphere,dc=local

Use the following LDAP command to delete the global permission entry of the Active Directory group that the impacted domain user is a member of:

/opt/likewise/bin/ldapdelete -h localhost \
  -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -W \
  "cn=ImpactedGroupName@true@urn%3Aacl%3Aglobal%3Apermissions,cn=AclModel,cn=VmwAuthz,cn=services,dc=vsphere,dc=local"

Log in to vCenter as administrator@vsphere.local, add the Active Directory group back to Global Permissions and give it the Administrator role.

Log out, then log in to vCenter as the impacted domain user who is a member of the Active Directory group that was added back to Global Permissions. The user can now create, clone, edit and delete roles on the Administration page, as these options are no longer greyed out.
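The locate-then-delete steps above depend on copying the group's DN exactly, and ldapsearch folds LDIF lines longer than 76 columns (the continuation line starts with a single space), so a DN as long as the one shown usually spans two lines in the .ldif and a plain grep for the whole DN can miss it. The script below is an added example and not part of the KB article: it unfolds the LDIF, lists every principal that holds a global permission, returns the stored DN for one group (whole-DN, case-insensitive match, and a non-zero status if zero or several entries match), and prints the article's ldapdelete command for that DN so it can be reviewed before it is run. It assumes the DN shape the article shows; the base DN defaults to dc=vsphere,dc=local, the sample LDIF is constructed for the example, and ImpactedGroupName is a placeholder as in the article.

```shell
#!/bin/sh
# Added example, not part of the KB article: locate a group's global-permission
# entry in the .ldif written by the article's ldapsearch command and print the
# article's ldapdelete command for that exact DN, for review before it is run.
# Assumption: the entry DN has the shape the article shows,
#   cn=<Group>@true@urn%3Aacl%3Aglobal%3Apermissions,cn=AclModel,cn=VmwAuthz,cn=services,<base DN>
# The sample LDIF is constructed; "ImpactedGroupName" is a placeholder as in the article.

ACL_SUFFIX='@true@urn%3Aacl%3Aglobal%3Apermissions,cn=AclModel,cn=VmwAuthz,cn=services'

# Print every DN in an LDIF file, one per line. ldapsearch folds LDIF lines
# longer than 76 columns (a continuation line starts with one space), so a
# long global-permission DN usually spans two lines in the file: unfold first,
# then decode base64-encoded DNs ("dn:: ...") and print plain ones ("dn: ...").
ldif_dns() {
    awk '
        /^ / { buf = buf substr($0, 2); next }   # continuation: append to previous line
        { if (buf != "") print buf; buf = $0 }   # new line: flush the one before it
        END { if (buf != "") print buf }
    ' "$1" | while IFS= read -r line; do
        case $line in
            "dn:: "*) printf '%s' "${line#dn:: }" | base64 -d; echo ;;
            "dn: "*)  printf '%s\n' "${line#dn: }" ;;
        esac
    done
}

# Print the DNs of all global-permission entries under the base DN
# (default dc=vsphere,dc=local): one line per principal holding a global permission.
global_permission_dns() {
    ldif=$1; base=${2:-dc=vsphere,dc=local}
    ldif_dns "$ldif" | grep -F -i -- "${ACL_SUFFIX},${base}" || true
}

# Print the stored DN of one group's global-permission entry, exactly as
# ldapdelete needs it. Matching is case-insensitive (cn is case-insensitive in
# the directory) but covers the whole DN, so "Admins" never matches "vSphereAdmins".
# Exit status: 0 = exactly one entry, 1 = none, 2 = more than one.
find_group_permission_dn() {
    group=$1; ldif=$2; base=${3:-dc=vsphere,dc=local}
    found=$(global_permission_dns "$ldif" "$base" \
            | grep -F -i -x -- "cn=${group}${ACL_SUFFIX},${base}" || true)
    n=$(printf '%s' "$found" | grep -c . || true)
    case $n in
        1) printf '%s\n' "$found"; return 0 ;;
        0) return 1 ;;
        *) return 2 ;;
    esac
}

# Print (do not run) the article's ldapdelete command for a DN under a base DN.
ldapdelete_command() {
    printf '/opt/likewise/bin/ldapdelete -h localhost -D "cn=Administrator,cn=Users,%s" -W "%s"\n' "$2" "$1"
}

# Constructed sample in the shape of an ldapsearch -LLL dump (not real data):
# the impacted group's entry folded over two lines, a second group whose name
# merely contains the first one, and the group object itself, which must not match.
write_sample_ldif() {
    cat > "$1" <<'EOF'
dn: cn=ImpactedGroupName@true@urn%3Aacl%3Aglobal%3Apermissions,cn=AclModel,cn
 =VmwAuthz,cn=services,dc=vsphere,dc=local
objectClass: top

dn: cn=OtherImpactedGroupName@true@urn%3Aacl%3Aglobal%3Apermissions,cn=AclMod
 el,cn=VmwAuthz,cn=services,dc=vsphere,dc=local
objectClass: top

dn: cn=ImpactedGroupName,cn=Users,dc=vsphere,dc=local
objectClass: top
EOF
}

main() {
    tmp=$(mktemp)
    write_sample_ldif "$tmp"
    echo "Principals holding a global permission:"
    global_permission_dns "$tmp"
    if dn=$(find_group_permission_dn ImpactedGroupName "$tmp"); then
        echo "Review, then run on the vCenter Server:"
        ldapdelete_command "$dn" dc=vsphere,dc=local
    else
        echo "No single matching entry for ImpactedGroupName; check the group name." >&2
    fi
    rm -f "$tmp"
}
main "$@"
```

On a real appliance, replace the constructed sample with the .ldif the article's ldapsearch command wrote and pass the group name (and the base DN, if the SSO domain is not vsphere.local) to find_group_permission_dn; listing global_permission_dns first is also a quick way to confirm which principals hold global permissions before anything is deleted.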