VMware Cloud Community
i3b
Contributor

Installing vCenter 4.1 as Domain User

I have installed vCenter multiple times, but previously when I installed vCenter I ran the installation as administrator and checked the "use SYSTEM Account" option during installation. I recently read a security document about vCenter and it mentioned installing vCenter as a domain user that has local administrative access to the machine on which vCenter is installed. To test this functionality, I created a user in Active Directory, which is running on Windows Server 2008 Standard, and attempted to add that user to the local "administrators" group of the server which vCenter will install on (not in AD). When I tried adding the user I got an error message stating that "user X is already a member of group "Administrators".

I did a Google search on that error message and found out that basically unless you use something called a restricted group it's not possible to add a domain user to a local group. If this is true, then how is everyone installing vCenter without using the SYSTEM account? My goal in this configuration is to install vCenter and allow users to log into vCenter using their AD username and password. I would like to manage user rights using a combination of AD groups and vCenter roles. This environment is small and it's using SQL Express as the vCenter backend.

As you can probably tell, I'm not an AD expert, so if there is something that I am completely misunderstanding feel free to say so.

Thanks!


Accepted Solutions
AndreTheGiant
Immortal

The steps are correct.

It seems that you have a GPO that blocks users in local admin:

http://technet.microsoft.com/en-us/library/cc756802.aspx

Or you have some duplicated SID...

How have you created the Windows Server? Maybe with a clone?

Andre

Andrew | http://about.me/amauro | http://vinfrastructure.it/ | @Andrea_Mauro

8 Replies
i3b
Contributor

I forgot to add that the server which I will install vCenter on is a member of my AD domain and the OS is Windows Server 2008 Standard.

AndreTheGiant
Immortal

"user X is already a member of group "Administrators".

Which AD groups is your user a member of? If it is a member of Domain Admins (not a good choice), then the message is correct.

Otherwise put it in Domain Users and then use the User Manager on your vCenter to add it to the local Administrators group.

Andre

Andrew | http://about.me/amauro | http://vinfrastructure.it/ | @Andrea_Mauro

i3b
Contributor

Thanks for the reply. I created a new user called user1 which is a member of the "domain users" group in AD. I then logged onto my VC and attempted to add the domain user to the local "Administrators" group and I got the same message "user one" is already a member of group "Administrators".

pcerda
Virtuoso

Anyway, you can use AD users to log into vCenter Server without the need to use domain accounts when you install vCenter. You only need the server to be a member of the AD domain.

Also, in vCenter you can use AD users and groups in combination with vCenter roles and privileges.

Regards / Saludos - Patricio Cerda - vExpert 2011 / 2012 / 2013

i3b
Contributor

Thanks. I did not set up any GPOs at all. I basically used the Windows installation disk, installed W2K8 Server Standard and enabled DNS and AD. I'm not a Windows expert and it's a basic vanilla setup.

The link you sent referred to Windows Server 2003. I could not find any relevant documentation regarding Windows Server 2008. Do you know if the functionality is the same? As a test I just tried adding a domain user to a local group on a Windows 2003 Server and it worked perfectly. I was also able to access AD from vCenter (installed on Windows 2003) without any problems even though vCenter was running as a non domain user.

Thanks for your help.

i3b
Contributor

@pcerda

When I tried that on Win2K8 I ran into the following problem:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=102710...

I just tried it on a VC running on Win2K3 and it works as you described. Are you aware of anything in Win2K8 that could be preventing this?

Thanks.

i3b
Contributor

@andrethegiant.

Thanks, you were right, I had a duplicate SID. I created my vCenter VM from a template which I also used for my Domain Controller. Since I didn't run the customization on the VMs created with the template, the SID of my vCenter VM was the same as the Domain Controller. I just recreated one of the VMs from the template and customized it, which created a new SID, and everything works as expected.

Thanks again!

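A check for the condition that resolved this thread, as an added example that is not part of the original posts: run in Windows PowerShell on the member server (here, the vCenter VM), it compares the machine's local SID with the SID of the domain the server has joined. The function names are hypothetical, and resolving the computer account through the domain name that WMI reports is an assumption about the environment.

```powershell
# Added example: detect a member server whose machine SID equals the domain SID,
# which is what happens when it and the first domain controller were cloned from
# the same template without guest customization / Sysprep.

function Get-MachineSid {
    # Every local account SID is <machine SID>-<RID>; the built-in Administrator has RID 500.
    $admin = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { $_.SID -like 'S-1-5-21-*-500' } |
        Select-Object -First 1
    if (-not $admin) {
        throw 'No local account with RID 500 found (domain controllers have no local SAM accounts).'
    }
    $sid = New-Object System.Security.Principal.SecurityIdentifier($admin.SID)
    return $sid.AccountDomainSid
}

function Get-JoinedDomainSid {
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        throw 'This computer is not joined to a domain.'
    }
    # Assumption: the domain name reported by WMI resolves via LSA. The computer's own
    # domain account (NAME$) is used so the lookup does not depend on localized group names.
    $account = New-Object System.Security.Principal.NTAccount($cs.Domain, ($env:COMPUTERNAME + '$'))
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    return $sid.AccountDomainSid
}

function Test-DuplicateDomainSid {
    $machineSid = Get-MachineSid
    $domainSid  = Get-JoinedDomainSid
    New-Object PSObject -Property @{
        Computer   = $env:COMPUTERNAME
        MachineSid = $machineSid.Value
        DomainSid  = $domainSid.Value
        Duplicate  = ($machineSid.Value -eq $domainSid.Value)
    }
}

$result = Test-DuplicateDomainSid
if ($result.Duplicate) {
    Write-Warning "Machine SID matches the domain SID: redeploy $($result.Computer) from the template with customization."
}
$result | Format-List Computer, MachineSid, DomainSid, Duplicate
```

Running the same comparison of `MachineSid` values across all VMs deployed from one template shows whether customization was skipped for any of them.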