Home » VMware Manuals » Computer Software » VMware 4817V62 » Manual Viewer

VMware 4817V62 Administration Guide - Page 211

Removing or Modifying Users and Groups, Best Practices for Users and Groups

Add to My Manuals
Save this manual to your list of manuals

Page 211 highlights

Chapter 18 Managing Users, Groups, Roles, and Permissions The group lists in vCenter Server and an ESX/ESXi host are drawn from the same sources as the user lists. If you are working through vCenter Server, the group list is called from the Windows domain. If you are logged on to an ESX/ESXi host directly, the group list is called from a table maintained by the host.. Create groups for the vCenter Server system through the Windows domain or Active Directory database. Create groups for ESX/ESXi hosts using the Users and Groups tab in the vSphere Client when connected directly to the host. NOTE If you use Active Directory groups, make sure that they are security groups and not distribution groups. Permisions assigned to distribution groups are not enforced by vCenter Server. For more information on security groups and distribution groups, see the Microsoft Active Directory documentation. Removing or Modifying Users and Groups When you remove users or groups, you also remove permissions granted to those users or groups. Modifying a user or group name causes the original name to become invalid. See the Security chapter in the ESX Configuration Guide or ESXi Configuration Guide for information about removing users and groups from an ESX/ESXi host. To remove users or groups from vCenter Server, you must remove them from the domain or Active Directory users and groups list. If you remove users from the vCenter Server domain, they lose permissions to all objects in the vSphere environment and cannot log in again. Users who are currently logged in and are removed from the domain retain their vSphere permissions only until the next validation period (the default is every 24 hours). Removing a group does not affect the permissions granted individually to the users in that group, or those granted as part of inclusion in another group. If you change a user's name in the domain, the original user name becomes invalid in the vCenter Server system. If you change the name of a group, the original group becomes invalid only after you restart the vCenter Server system. Best Practices for Users and Groups Use best practices for managing users and groups to increase the security and manageability of your vSphere environment. VMware recommends several best practices for creating users and groups in your vSphere environment: n Use vCenter Server to centralize access control, rather than defining users and groups on individual hosts. n Choose a local Windows user or group to have the Administrator role in vCenter Server. n Create new groups for vCenter Server users. Avoid using Windows built-in groups or other existing groups. Using Roles to Assign Privileges A role is a predefined set of privileges. Privileges define basic individual rights required to perform actions and read properties. When you assign a user or group permissions, you pair the user or group with a role and associate that pairing with an inventory object. A single user might have different roles for different objects in the inventory. For example, if you have two resource pools in your inventory, Pool A and Pool B, you might assign a particular user the Virtual Machine User role on Pool A and the Read Only role on Pool B. This would allow that user to power on virtual machines in Pool A, but not those in Pool B, although the user would still be able to view the status of the virtual machines in Pool B. VMware, Inc. 211

Section	Page
vSphere Basic System Administration	1
Contents	3
Updated Information	9
About This Book	11
Getting Started	13
vSphere Components	15
Components of vSphere	15
vSphere Client Interfaces	17
Functional Components	17
Managed Components	19
Access Privileges Components	21
vCenter Server Modules	21
vCenter Components That Require Tomcat	22
Optional vCenter Server Components	22
Starting and Stopping the vSphere Components	25
Start an ESX/ESXi Host	25
Reboot or Shut Down an ESX/ESXi Host	25
Stop an ESX Host Manually	26
Starting vCenter Server	26
Verify That vCenter Server Is Running	26
Restart the vCenter Server System	26
Stop the vCenter Server System	27
Start the vSphere Client and Log In	27
Stop the vSphere Client and Log Out	28
vSphere Web Access	28
Log In to vSphere Web Access	28
Log Out of vSphere Web Access	28
VMware Service Console	29
Using DHCP for the Service Console	29
Connect to the Service Console	29
Using Commands on the Service Console	29
View the man Page for a Service Console Command	30
Using vCenter Server in Linked Mode	31
Linked Mode Prerequisites	31
Linked Mode Considerations	32
Join a Linked Mode Group After Installation	32
Reconciling Roles When Connecting vCenter Server to a Linked Mode Group	33
Isolate a vCenter Server Instance from a Linked Mode Group	34
Change the Domain of a vCenter Server System in a Linked Mode Group	34
Configure the URLs on a Linked Mode vCenter Server System	34
Linked Mode Troubleshooting	35
Configuring a Windows Firewall to Allow a Specified Program Access	36
Configuring Firewall Access by Opening Selected Ports	36
Monitor vCenter Server Services	37
Using the vSphere Client	39
Getting Started Tabs	40
Disable Getting Started Tabs	40
Restore Getting Started Tabs	40
Status Bar, Recent Tasks, and Triggered Alarms	40
Panel Sections	40
View Virtual Machine Console	41
Searching the vSphere Inventory	41
Perform a Simple Search	41
Perform an Advanced Search	42
Using Lists	42
Filter a List View	43
Export a List	43
Custom Attributes	43
Add Custom Attributes	44
Edit a Custom Attribute	44
Select Objects	44
Manage vCenter Server Plug-Ins	45
Install Plug-Ins	45
Disable and Enable Plug-Ins	45
Remove Plug-Ins	46
Troubleshooting Extensions	46
Save vSphere Client Data	46
Configuring Hosts and vCenter Server	47
Host Configuration	47
Configuring vCenter Server	48
Access the vCenter Server Settings	48
Configuring Communication Among ESX, vCenter Server, and the vSphere Client	49
Configure vCenter Server SMTP Mail Settings	49
Working with Active Sessions	49
View Active Sessions	49
Terminate Active Sessions	50
Send a Message to All Active Users	50
SNMP and vSphere	50
Using SNMP Traps with vCenter Server	50
Configure SNMP Settings for vCenter Server	51
Configure SNMP for ESX/ESXi	51
Configure SNMP Communities	52
Configure the SNMP Agent to Send Traps	52
Configure the SNMP Agent for Polling	53
Configure SNMP Management Client Software	53
SNMP Diagnostics	54
Using SNMP with Guest Operating Systems	55
VMware MIB Files	55
VMWARE-ROOT-MIB	56
VMWARE-ENV-MIB	56
VMWARE-OBSOLETE-MIB	57
VMWARE-PRODUCTS-MIB	60
VMWARE-RESOURCES-MIB	60
VMWARE-SYSTEM-MIB	61
VMWARE-TC-MIB	61
VMWARE-VC-EVENT-MIB	62
VMWARE-VMINFO-MIB	62
SNMPv2 Diagnostic Counters	65
System Log Files	65
View System Log Entries	65
External System Logs	66
ESX/ESXi System Logs	66
vSphere Client System Logs	66
VMware Server System Logs	67
Configure Syslog on ESXi Hosts	68
Export Diagnostic Data	68
Collecting Log Files	69
Set Verbose Logging	69
Collect vSphere Log Files	69
Collect ESX Log Files Using the Service Console	69
Turn Off Compression for vpxd Log Files	70
ESX/ESXi VMkernel Files	70
Managing the vSphere Client Inventory	71
Understanding vSphere Client Objects	71
Identifying Objects in the vSphere Client Inventory	71
Viewing Object Relationships	73
Add an Inventory Object	73
Add a Cluster, Resource Pool, Host, or Virtual Machine	73
Add a Folder or Datacenter	74
Moving Objects in the Inventory	74
Remove an Inventory Object	74
Browsing Datastores in the vSphere Client Inventory	75
Copying Virtual Machine Disks with the Datastore Browser	75
Managing Hosts in vCenter Server	77
About Hosts	77
Add a Host	78
Add a Host to a vCenter Server Cluster	78
Add a Host to a vCenter Server Datacenter	79
Completing the Add Host Process	79
Disconnecting and Reconnecting a Host	80
Disconnect a Managed Host	80
Reconnect a Managed Host	80
Reconnecting Hosts After Changes to the vCenter Server SSL Certificate	81
Remove a Host from a Cluster	81
Understanding Managed Host Removal	81
Remove a Managed Host from vCenter Server	82
Monitoring Host Health Status	83
Monitor Host Health Status When Connected Directly to a Host	83
Monitor Host Health Status When Connected to vCenter Server	84
Troubleshoot the Hardware Health Service	84
Virtual Machine Management	85
Consolidating the Datacenter	87
Consolidation First Time Use	88
Consolidation Prerequisites	88
About Consolidation Services	91
Configuring Consolidation Settings	91
Specify Default Credentials	91
Specify Active Domains	92
Find and Analyze Physical Systems	92
Viewing Analysis Results	93
About the Confidence Metric	93
Converting Physical Systems to Virtual Machines	93
Convert Systems Manually	94
Convert Systems Using Recommendations	94
Viewing Consolidation Tasks	94
Troubleshooting Consolidation	95
Negative Impact on vCenter Server Performance	95
Windows Systems Not Discovered	95
Windows Operating Systems Prevent Guided Consolidation from Collecting Performance Data	96
Available Domains List Remains Empty	96
Guided Consolidation Erroneously Reports Analysis Disabled	97
Disable Guided Consolidation	97
Uninstall Guided Consolidation	97
Deploying OVF Templates	99
About OVF	99
Deploy an OVF Template	99
Browse VMware Virtual Appliance Marketplace	101
Export an OVF Template	101
Managing VMware vApp	103
Create a vApp	103
Start the New vApp Wizard	104
Name the vApp	104
Select the vApp Destination	104
Allocate vApp Resources	105
Complete the vApp Creation	105
Populate the vApp	105
Create an Object Inside the vApp	105
Add an Object to a vApp	105
Edit vApp Settings	106
Edit vApp Startup and Shutdown Options	106
Edit vApp Resources	106
Edit vApp Properties	107
View vApp License Agreement	107
Edit IP Allocation Policy	107
View Additional OVF Sections	107
Configure Advanced vApp Properties	108
Define OVF Environment Properties	108
Edit Advanced IP Allocation Properties	109
Configuring IP Pools	109
Specify an IP Address Range	109
Select DHCP	110
Specify DNS Settings	110
Specify a Proxy Server	110
Clone a vApp	111
Power On a vApp	111
Power Off a vApp	112
Edit vApp Annotation	112
Creating Virtual Machines	113
Access the New Virtual Machine Wizard	113
Select a Path Through the New Virtual Machine Wizard	114
Enter a Name and Location	114
Select a Resource Pool	114
Select a Datastore	115
Select a Virtual Machine Version	115
Select an Operating System	115
Select the Number of Virtual Processors	115
Configure Virtual Memory	116
Configure Networks	116
About VMware Paravirtual SCSI Adapters	116
Select a SCSI Adapter	117
Selecting a Virtual Disk Type	117
About Virtual Disk Formats	118
Create a Virtual Disk	118
Use an Existing Virtual Disk	118
Create Raw Device Mappings	119
Virtual Disk Compatibility Modes	119
Do Not Create a Disk	119
Complete Virtual Machine Creation	120
Installing a Guest Operating System	120
Install a Guest Operating System from Media	120
Installing and Upgrading VMware Tools	120
Install VMware Tools on a Windows Guest	122
Install VMware Tools on a Linux Guest from the X Window System	122
Install or Upgrade VMware Tools on a Linux Guest with the tar Installer	123
Install or Upgrade VMware Tools on a Linux Guest with the RPM Installer	125
Install VMware Tools on a Solaris Guest	126
Install VMware Tools on a NetWare Guest	127
Display the VMware Tools Properties Dialog Box	128
VMware Tools Upgrades	128
Upgrade VMware Tools Manually	128
Configure Virtual Machines to Automatically Upgrade VMware Tools	129
Custom VMware Tools Installation	129
WYSE Multimedia Support	130
Install WYSE Multimedia Support with VMware Tools	130
Install WYSE Multimedia Support Using Add or Remove Programs	130
Install WYSE Multimedia Support as Part of a VMware Tools Upgrade	130
Managing Virtual Machines	133
Changing Virtual Machine Power States	134
Transitional Power States	135
Automatically Start or Shut Down Virtual Machines	135
Configure vSphere Toolbar Power Controls	135
Power On or Power Off a Virtual Machine Manually	136
Suspend a Virtual Machine	136
Resume a Suspended Virtual Machine	136
Scheduling a Power State Change for a Virtual Machine	137
Adding and Removing Virtual Machines	137
Adding Existing Virtual Machines to vCenter Server	137
Remove Virtual Machines from vCenter Server	137
Remove Virtual Machines from the Datastore	138
Return a Virtual Machine or Template to vCenter Server	138
Configure Virtual Machine Startup and Shutdown Behavior	138
Virtual Machine Configuration	141
Virtual Machine Hardware Versions	141
Determine the Hardware Version of a Virtual Machine	142
Virtual Machine Properties Editor	142
Edit an Existing Virtual Machine Configuration	142
Virtual Machine Hardware Configuration	143
Change the DVD/CD-ROM Drive Configuration	143
Change the Floppy Drive Configuration	144
Change the SCSI Device Configuration	145
Change the Virtual Disk Configuration	145
Change the Memory Configuration	145
Change the Virtual Ethernet Adapter (NIC) Configuration	146
Change the Parallel Port Configuration	146
Change the SCSI Controller or SCSI Bus Sharing Configuration	146
Change the Serial Port Configuration	147
Change the Virtual Processor or CPU Configuration	148
Virtual Machine Options	148
Change the General Settings of a Virtual Machine	149
Change the VMware Tools Options for a Virtual Machine	149
Change Power Management Settings for a Virtual Machine	150
Change Advanced Virtual Machine Settings	150
Virtual Machine Resource Settings	153
CPU Resources	153
Change CPU Settings of a Virtual Machine	153
Advanced CPU Settings	153
Change Advanced CPU Settings of a Virtual Machine	154
Memory Resources	154
Change the Memory Settings of a Virtual Machine	155
Advanced Memory Resources	155
Associate Memory Allocations with a NUMA Node	155
Disk Resources	155
Change the Disk Settings of a Virtual Machine	156
Adding New Hardware	156
Rescan a Host	156
Start the Add Hardware Wizard	157
Add a Serial Port to a Virtual Machine	157
Add a Parallel Port to a Virtual Machine	158
Add a DVD/CD-ROM Drive to a Virtual Machine	158
Add a Floppy Drive to a Virtual Machine	158
Add an Ethernet Adapter (NIC) to a Virtual Machine	159
Network Adapter Types	159
Network Adapters and Legacy Virtual Machines	160
Add a Hard Disk to a Virtual Machine	160
Add a SCSI Device to a Virtual Machine	161
Add a PCI Device	162
Add a Paravirtualized SCSI Adapter	162
About VMware Paravirtual SCSI Adapters	163
Add a USB Controller to a Virtual Machine	163
Converting Virtual Disks from Thin to Thick	163
Determine the Disk Format of a Virtual Machine	164
Convert a Virtual Disk from Thin to Thick	164
Working with Templates and Clones	165
Creating Templates	165
Convert Virtual Machine to Template	166
Clone Virtual Machine to Template	166
Clone Existing Template	167
Edit a Template	167
Change Template Name	168
Deploy Virtual Machines from Templates	168
Convert Templates to Virtual Machines	169
Deleting Templates	169
Remove Templates from Inventory	169
Delete Template from Disk	169
Regain Templates	170
Clone Virtual Machines	170
Create a Scheduled Task to Clone a Virtual Machine	171
Customizing Guest Operating Systems	173
Preparing for Guest Customization	173
Virtual Hardware Requirements for Guest Customization	174
About SCSI Disks	174
Setting Up SCSI Disks	174
Windows Requirements for Guest Customization	174
Linux Requirements for Guest Customization	175
Naming Requirements for a Guest Operating System	175
Customize Windows During Cloning or Deployment	175
Customize Linux During Cloning or Deployment	176
Create a Customization Specification for Linux	177
Create a Customization Specification for Windows	177
Managing Customization Specification	179
Edit Customization Specifications	179
Export Customization Specifications	179
Remove a Customization Specification	179
Copy a Customization Specification	180
Import a Customization Specification	180
Completing a Guest Operating System Customization	180
View the Error Log on Windows	181
View the Error Log on Linux	181
Migrating Virtual Machines	183
Cold Migration	184
Migrating a Suspended Virtual Machine	184
Migration with VMotion	184
Host Configuration for VMotion	185
VMotion Shared Storage Requirements	185
VMotion Networking Requirements	185
CPU Compatibility and Migration	186
CPU Compatibility Scenarios	186
CPU Families and Feature Sets	187
NX/XD Considerations	187
SSE3 Considerations	188
SSSE3 Considerations	188
SSE4.1 Considerations	188
About Enhanced VMotion Compatibility	188
EVC Requirements	188
Create an EVC Cluster	189
Enable EVC on an Existing Cluster	190
Change the EVC Mode for an Existing Cluster	191
CPU Compatibility Masks	191
Virtual Machine Configuration Requirements for VMotion	192
Swapfile Location Compatibility	192
Migrating Virtual Machines with Snapshots	193
Migration with Storage VMotion	193
Storage VMotion Requirements and Limitations	193
Migrate a Powered-Off or Suspended Virtual Machine	194
Migrate a Powered-On Virtual Machine with VMotion	195
Migrate a Virtual Machine with Storage VMotion	196
About Migration Compatibility Checks	197
Storage VMotion Command-Line Syntax	198
Determine the Path to a Virtual Machine Configuration File	198
Determine the Path to a Virtual Disk File	199
Storage VMotion Examples	199
Using Snapshots	201
About Snapshots	201
Relationship Between Snapshots	202
Snapshots and Other Activity in the Virtual Machine	202
Take a Snapshot	203
Change Disk Mode to Exclude Virtual Disks from Snapshots	203
Using the Snapshot Manager	204
Restore a Snapshot	204
Delete a Snapshot	204
Restore a Snapshot	205
Parent Snapshot	205
Revert to Snapshot Command	205
Revert to Parent Snapshot	206
System Administration	207
Managing Users, Groups, Roles, and Permissions	209
Managing vSphere Users	209
vCenter Server Users	210
Host Users	210
Groups	210
Removing or Modifying Users and Groups	211
Best Practices for Users and Groups	211
Using Roles to Assign Privileges	211
Default Roles for ESX/ESXi and vCenter Server	212
Create a Role	213
Clone a Role	214
Edit a Role	214
Remove a Role	214
Rename a Role	215
Permissions	215
Hierarchical Inheritance of Permissions	216
Multiple Permission Settings	218
Example 1: Inheritance of Multiple Permissions	218
Example 2: Child Permissions Overriding Parent Permissions	219
Example 3: User Permissions Overriding Group Permissions	219
Permission Validation	220
Assign Permissions	220
Adjust the Search List in Large Domains	221
Change Permission Validation Settings	221
Change Permissions	221
Remove Permissions	222
Best Practices for Roles and Permissions	222
Required Privileges for Common Tasks	223
Monitoring Storage Resources	225
Working with Storage Reports	225
Display Storage Reports	226
Export Storage Reports	226
Filter Storage Reports	226
Customize Storage Reports	227
Working with Storage Maps	227
Display Storage Maps	227
Export Storage Maps	227
Hide Items on Storage Maps	228
Move Items on Storage Maps	228
Using vCenter Maps	229
vCenter VMotion Maps	230
vCenter Map Icons and Interface Controls	230
View vCenter Maps	231
Print vCenter Maps	231
Export vCenter Maps	231
Working with Alarms	233
Alarm Triggers	234
Condition and State Triggers	234
Condition and State Trigger Components	235
Virtual Machine Condition and State Triggers	236
Host Condition and State Triggers	237
Datastore Condition and State Triggers	238
Event Triggers	238
Event Trigger Components	239
Virtual Machine Event Triggers	239
Host Event Triggers	240
Datastore Event Triggers	241
Datacenter Event Triggers	241
Cluster Event Triggers	242
dvPort Group Event Triggers	242
vNetwork Distributed Switch Event Triggers	242
Network Event Triggers	243
Alarm Actions	243
Default vSphere Alarm Actions	243
Disabling Alarm Actions	245
SNMP Traps as Alarm Actions	245
Email Notifications as Alarm Actions	245
Running Scripts as Alarm Actions	246
Alarm Environment Variables	246
Alarm Command-Line Parameters	247
Alarm Reporting	248
Creating Alarms	248
Alarm Settings – General	249
Alarm Settings – Triggers	250
Set Up a Condition or State Trigger	250
Set Up an Event Trigger	251
Alarm Settings – Reporting	252
Managing Alarms	252
Acknowledge Triggered Alarms	252
Change Alarm Attributes	252
Disable Alarms	253
Export a List of Alarms	253
Identifying Triggered Alarms	254
Remove Alarms	254
Reset Triggered Event Alarms	254
View Alarms	255
View Alarms Defined on an Object	255
View Alarms Triggered on an Object	255
View All Alarms Triggered in vCenter Server	255
Managing Alarm Actions	256
Disable Alarm Actions	256
Enable Alarm Actions	256
Identifying Disabled Alarm Actions	256
Remove Alarm Actions	257
Run a Command as an Alarm Action	257
Configure SNMP Settings for vCenter Server	258
Configure vCenter Server SMTP Mail Settings	258
Preconfigured VMware Alarms	259
Working with Performance Statistics	261
Statistics Collection for vCenter Server	261
Data Counters	262
Collection Intervals	263
Configure Collection Intervals	264
Enable or Disable Collection Intervals	265
Collection Levels	266
Using Collection Levels Effectively	267
How Metrics Are Stored in the vCenter Server Database	267
Estimate the Statistics Impact on the vCenter Server Database	268
vCenter Server Performance Charts	268
Overview Performance Charts	269
View the Overview Performance Charts	269
View the Overview Performance Charts Help	269
Advanced Performance Charts	270
View the Advanced Performance Charts	270
Save Chart Data to a File	271

Match case Limit results 1 per page

The group lists in vCenter Server and an ESX/ESXi host are drawn from the same sources as the user lists. If

you are working through vCenter Server, the group list is called from the Windows domain. If you are logged

on to an ESX/ESXi host directly, the group list is called from a table maintained by the host..

Create groups for the vCenter Server system through the Windows domain or Active Directory database.

Create groups for ESX/ESXi hosts using the Users and Groups tab in the vSphere Client when connected

directly to the host.

OTE

If you use Active Directory groups, make sure that they are security groups and not distribution groups.

Permisions assigned to distribution groups are not enforced by vCenter Server. For more information on

security groups and distribution groups, see the Microsoft Active Directory documentation.

Removing or Modifying Users and Groups

When you remove users or groups, you also remove permissions granted to those users or groups. Modifying

a user or group name causes the original name to become invalid.

See the Security chapter in the

ESX Configuration Guide

ESXi Configuration Guide

for information about

removing users and groups from an ESX/ESXi host.

To remove users or groups from vCenter Server, you must remove them from the domain or Active Directory

users and groups list.

If you remove users from the vCenter Server domain, they lose permissions to all objects in the vSphere

environment and cannot log in again. Users who are currently logged in and are removed from the domain

retain their vSphere permissions only until the next validation period (the default is every 24 hours). Removing

a group does not affect the permissions granted individually to the users in that group, or those granted as

part of inclusion in another group.

If you change a user’s name in the domain, the original user name becomes invalid in the vCenter Server

system. If you change the name of a group, the original group becomes invalid only after you restart the vCenter

Server system.

Best Practices for Users and Groups

Use best practices for managing users and groups to increase the security and manageability of your vSphere

environment.

VMware recommends several best practices for creating users and groups in your vSphere environment:

Use vCenter Server to centralize access control, rather than defining users and groups on individual hosts.

Choose a local Windows user or group to have the Administrator role in vCenter Server.

Create new groups for vCenter Server users. Avoid using Windows built-in groups or other existing

groups.

Using Roles to Assign Privileges

A role is a predefined set of privileges. Privileges define basic individual rights required to perform actions

and read properties.

When you assign a user or group permissions, you pair the user or group with a role and associate that pairing

with an inventory object. A single user might have different roles for different objects in the inventory. For

example, if you have two resource pools in your inventory, Pool A and Pool B, you might assign a particular

user the Virtual Machine User role on Pool A and the Read Only role on Pool B. This would allow that user to

power on virtual machines in Pool A, but not those in Pool B, although the user would still be able to view the

status of the virtual machines in Pool B.

Chapter 18 Managing Users, Groups, Roles, and Permissions

VMware, Inc.

211