VMware Cloud Community
VRADlab
Contributor

VirtualCenter permissions problem

Hello, hoping for some help on this one. The previous administrator left me in a bit of a bind.

For a folder in virtualcenter he assigned the "No Access" role to the local group "Users." He intended to prevent non-administrators from accessing this folder but it also applied the deny to the "Administrator" user. For now the workaround is to connect to the individual ESX servers as root and manually control the VMs, but this is not ideal. Can I somehow override this deny permission (even though it's a deny on the administrator account so I have no idea how to escalate privileges even higher...)?

Is there a way to delete a deny permission on the local administrator account manually?

I was incorrect in my initial description. It's not a folder but two VMs that I cannot access. I can see the folder just fine but it has two VMs in it that I cannot reach because they each have No Access set for the Users group.

weinstein5
Immortal

I would modify the local group Users and remove the local administrator from that group - you then should be able to administer your VC

If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful
VRADlab
Contributor

Yeah, that's the annoying part. According to the windows GUI the "Administrator" account isn't in the "Users" group...but when the deny was assigned it disallowed the Administrator user to access it as well. So apparently the Administrator is part of the Users group. Neither can I see the permissions that were added in order to delete them with the Infrastructure Client.

In short, that answer won't work.

weinstein5
Immortal

Can you create a new user without adding it to the local Users group and assign that user as administrator at the top level of the inventory?

If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful
krc1517
Enthusiast

Edit the role for No Access. Grant Everything

Propagate the permissions down.

Make the changes you need.

Reset the permissions for the No Access role.

Should work. Had the same issue.

krc1517
Enthusiast

BTW, the Users local group includes the Authenticated Users group so that's why your Local Admins are being blocked.

VRADlab
Contributor

I can't edit the "No Access" role, presumably because it is one of the core roles? I can edit any of the "Virtual Machine Administrator" and such roles.

I also tried removing the Authenticated Users group from Users to no avail.

VRADlab
Contributor

I have another user account not in the "Users" group that is still denied access to the VMs so that didn't work either.

quksilver
Contributor

I'm betting that the Administrator account has "full access", but that it is inheriting the permission from somewhere higher in the hierarchy. The most specific application of a permission is the one that applies. Because the Administrator group belongs to the User group, and the User group is assigned No Access at the folder level, that overrides the inherited full access.

Easy fix, though. Just edit the permissions on the folder to explicitly grant the Administrators group full access.

VRADlab
Contributor

A deny takes precedence over an Allow any place you put it. I was incorrect in my initial description. It's not a folder but two VMs that I cannot access. I can see the folder just fine but it has two VMs in it that I cannot reach because they each have No Access set for the Users group.

If I apply Administrator access to the folder I still cannot see the VMs beneath it.

quksilver
Contributor

Can you "deny" a permission in VC? I'm not recalling one...that sounds like Windows terminology. No Access is just a role with no permissions; it's not a permission that is explicitly denied, right? I'm wondering if the No Access was applied directly to the VMs, as well as the folder? Is that something you can check, and perhaps change, by connecting to the ESX server directly?

VRADlab
Contributor

The "No Access" role is a deny in that none of the boxes (allows) are checked. Thus it takes precedence over allows. I cannot edit this role (if someone can tell me how that would work) in the same way that I cannot edit what an Administrator role is. I am attempting this by right-clicking the role and the "edit" option is greyed out. I can edit any roles except the 3 non-core roles (No Access, Read only, administrator). No Access was applied to the VMs themselves, not the folder.

quksilver
Contributor

There is no "deny" permission to take precedence over an "allow" permission. The No Access is taking precedence only because it has been applied on the VM, and the Administrator permission is being inherited. I can think of a couple fixes. One, figure out how to apply the Administrator permission directly to the VMs and all will be well, but not sure how to do that so not very helpful. Two, clone the VMs or create a new VM that uses the same vmdk files (make sure the original is powered off, though) and assign the correct permissions to the new VMs.

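The precedence rule quksilver describes (the entry on the object itself beats anything inherited) and krc1517's point that the local Users group reaches everyone through Authenticated Users, as an added Python model that is not part of this thread; the inventory, VM names and group contents are constructed for illustration.

```python
# Added model (not from the thread): vCenter applies the assignment on the closest
# object, and Windows' "Users" group reaches everyone via "Authenticated Users". Names constructed.

# Inventory tree as child -> parent (None marks the root).
PARENT = {"root": None, "Lab folder": "root", "vm-a": "Lab folder", "vm-b": "Lab folder"}

# Nested group membership; "Users" contains "Authenticated Users", so the local
# Administrator account is a Users member even though the GUI does not list it.
GROUPS = {
    "Authenticated Users": {"Administrator", "alice"},
    "Users": {"Authenticated Users"},
    "Administrators": {"Administrator"},
    "VI Admins": {"Administrator"},
}

def principals_for(user):
    """Expand nested membership into every principal name the user matches."""
    found = {user}
    changed = True
    while changed:
        changed = False
        for group, members in GROUPS.items():
            if group not in found and members & found:
                found.add(group)
                changed = True
    return found

def effective_roles(user, entity, access):
    """Walk from the entity toward the root and return the roles assigned at the
    first object that names one of the user's principals (closest object wins).
    `access` is a list of (entity, principal, role) rows, like VPX_access.
    An empty set means no permission applies at all."""
    mine = principals_for(user)
    node = entity
    while node is not None:
        roles = {role for ent, princ, role in access if ent == node and princ in mine}
        if roles:
            return roles
        node = PARENT[node]
    return set()

# The thread's situation: Administrator role at the root, No Access for Users on each VM.
BROKEN = [("root", "Administrators", "Administrator"),
          ("vm-a", "Users", "No Access"), ("vm-b", "Users", "No Access")]
# Granting Administrators on the folder does not reach the VMs (their own entry is closer).
FOLDER_FIX = BROKEN + [("Lab folder", "Administrators", "Administrator")]
# Deleting the Users rows from the access table, as done at the end of the thread.
DB_FIX = [row for row in BROKEN if row[1] != "Users"]
# Texiwill's allow-list design: only a dedicated admin group is granted anything.
ALLOWLIST = [("root", "VI Admins", "Administrator")]
```

Run `effective_roles("Administrator", "vm-a", FOLDER_FIX)` to see that the folder-level grant still yields No Access, while the same call against `DB_FIX` or `ALLOWLIST` returns the Administrator role.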
VRADlab
Contributor

I can't see the VMs so I can't apply a new permission or clone them. I can access them on the ESX server by logging in as root but that doesn't help me with virtualcenter permissions. I may be able to manually copy the hard drives to a new vm and give that a shot. I was hoping to have the permissions aspect resolved directly to prevent downtime/possible breaking.

I guess there is no workaround (which means the system is doing its job, I suppose). I'll have to give destroying and recreating the VMs a shot.

Texiwill
Leadership

Hello,

Can you login to VC with the VirtualCenter Administrator Role? If not then you will not be able to do much in the way of modification. If you have a good DBA you could edit the roles and permissions table of the VC database and remove the No Access role from anywhere in it for the Users group then once you restart VC you should be able to login as the Administrator.

Another option is to reinstall VC using a brand new database. That will also fix the problem.

If you can get in as a Virtual Center Administrator then you should remove Users from the No Access role. Create a new Group named 'VI Admins', add the appropriate users to this group (perhaps include the local Administrator), and only explicitly allow this group access. If you explicitly allow a group all other groups are denied. There is no need to explicitly deny users if you set allow perms.... It is 'allow then deny' i.e. whitelists.


Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
Blue Gears and SearchVMware Pro Blogs -- Top Virtualization Security Links -- Virtualization Security Round Table Podcast
VRADlab
Contributor

I can login as the Administrator to the windows machine as well as VirtualCenter itself. I can even create new users and give them the Administrator role. The problem is all of the new users are included in the "Users" group on the local system which is what the No Access role was applied to. The original admin for this system used the local Administrators and Users groups, which is causing all the problems. I have since created groups specifically for VMWare Administrators and users but there is this legacy problem of two VMs having a No Access role on the "Users" group.

It seems the best bet is your recommendation to modify the database itself. This is the sort of information I was looking for as any workarounds dealing with accounts don't seem to work. I'll see if I can get in to the DB and poke around to fix the problem.

Texiwill
Leadership

Hello,

You could also try unregistering the VM and reregistering under a new folder/resource pool... That may get rid of the perms as well. Not sure on that one.


Best regards,
Edward L. Haletky
VRADlab
Contributor

I found the database and manually deleted the rows from the Access table. Thanks.

ggpptt
Contributor

I had the same problem after adding "Read Only" access to group "Users" for a Datacenter.

After that, that rule has precedence over inherited permissions for administrator. Also, administrator no longer has permission to edit the rule, nor anything else like deleting the datacenter tree to create it again.

Access rules in vCenter DB are removed when users or groups are deleted on Active Directory or the local user database at vCenter Server, but "Users" group is a built-in one, and thus can't be deleted by any means.

Finally I went to SQL Server and manually deleted the evil access rule.

The schema's purpose is not very clear, but I happened to delete only one record and it worked. So I guess that I erased the right entry. Please note that ids can vary depending on how many permissions you already have. I only had 2 entries because I was working with a test installation.

Here you can find how to do it.

Regards.

Open CMD console:

C:\> cd C:\Program files\Microsoft SQL Server\90\Tools\Binn

C:\Program files\Microsoft SQL Server\90\Tools\Binn> SQLCMD.EXE -S localhost\SQLEXP_VIM -d VIM_VCDB -Q "select id,principal from VPX_access;"

id          principal
----------- --------------
1           Administrators
12          Users

(2 rows affected)

C:\Program files\Microsoft SQL Server\90\Tools\Binn> SQLCMD.EXE -S localhost\SQLEXP_VIM -d VIM_VCDB -Q "delete from VPX_access where id=12;"

(1 rows affected)

And now restart the Virtual Center service.
