Wednesday, 17 December 2008

Locked out of vCenter ?

When you’re locked out of your vCenter Server because someone has assigned the “Read-Only” role to the “Domain Users” group and has set the permissions at the highest level, you’re in deep trouble. You can log on to vCenter but can’t change anything because your Administrator account is also a “Domain User”.  There are several ways to fix this problem. First of all never use default Windows groups to create VC roles. Second there’s an easy way and a hard way.

The easy way is to shutdown VC and disable authorization checks by adding:

<security>
       <enabled>false</enabled>
</security>

within the <config> tags of vpxd.cfg. Start VC and remove the permission, then shut it down and turn security back on again by removing these tags.

The hard way is to open the VC SQL database and open the table : VPX_ACCESS, then add another row :

ID: 1
Principal : Administrators
Role_ID : -1
ENTITY_ID : 1
FLAG : 3

Afterwards you need to restart the vCenter Server services. Credits to Koen Warson and Phil Cohen.

Posted by
Eric Sloof
in VMware at 20:16 | 7 Comments | No Trackbacks
Bookmark and Share
Trackbacks
Trackback specific URI for this entry
No Trackbacks
Comments
Display comments as (Linear | Threaded)
Nice one to know. I had to rebuild my database once, because I did something similar by mistake.
#1 Arnim van Lieshout on 2008-12-18 08:17 (Reply)
Thanks for posting! Maybe its also good to know, where the vpxd.cfg is usually located: C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter
#2 Steffen on 2008-12-18 09:05 (Reply)
Eric, tell uss what did you do to have this enabled ;-)
#3 Tomas (Homepage) on 2008-12-18 10:02 (Reply)
Tomas, I’m delivering a VMware Install and Configure training at XTG in Gouda, I’ll put the blame on my students. :-) Eric Sloof
#3.1 Eric Sloof (Homepage) on 2008-12-18 10:07 (Reply)
No you're not, apparently you're bloggin' ;_)
#4 Anonymous on 2008-12-18 10:30 (Reply)
Hi Anoniem, Tracked down your IP-Address. You shouldn’t comment on websites during the IC delivery. Hee Peet :-) Groeten, Eric
#4.1 Eric Sloof (Homepage) on 2008-12-18 11:07 (Reply)
This doesn't seem to work on vcenter 4.1... Is it changed?
#5 Rene on 2011-04-28 12:22 (Reply)
Add Comment
Standard emoticons like :-) and ;-) are converted to images.
E-Mail addresses will not be displayed and will only be used for E-Mail notifications.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA

 
   
Submitted comments will be subject to moderation before being displayed.
 
 


Twitter RSS FeedLinkedIn

www.hetesambal.nl

Veeam Webinar with Doug Hazelman: 5 Steps to Successful Backup & Replication for Hyper-V! Watch it now >>


Recent Entries

Video - Configure vSphere SRM Replication for a Single VM
Thursday, February 2 2012
VMware Project Onyx for vSphere 5
Wednesday, February 1 2012
Video - Configure ESXi host swapping to a solid-state disk
Sunday, January 29 2012
New Book - The Official VCP5 Certification Guide
Saturday, January 28 2012
Video - VMware vCenter Infrastructure Navigator - Install and Configure
Friday, January 27 2012
Video - Installing vCenter Server 5.0 - Quick Start
Thursday, January 26 2012
Video - VMware vCenter Operations Manager 5.0 - Install and Configure
Wednesday, January 25 2012
VMware vCenter Operations 5.0 - Introduction Video
Tuesday, January 24 2012
What happens to resource pools when vCenter goes down?
Monday, January 23 2012
Video - vCloud Director 1.5 - Quick Start
Sunday, January 22 2012

Archive