3. Specify the username root and the password vmware, and click Login to log in to the vCenter Server virtual appliance.
4. Select the vCenter Server object from the inventory pane; then click the Permissions tab.
5. Right-click a blank area of the Permissions tab and select Add Permission.
6. In the Assign Permissions dialog box, click the Add button.
7. From the Domain drop-down box, select the Active Directory domain.
8. Find the user or group to add, click the Add button, and then click OK.
We do not recommend using a specific user account here; instead, leverage a security group within Active Directory. Recall that ESXi integration into Active Directory requires a security group called ESX Admins; you might want to leverage that group here as well.
9. In the Assign Permissions dialog box, select Administrator from the Assigned Role drop-down list, and make sure that Propagate To Child Objects is selected.
This ensures that the selected Active Directory users and/or groups have the Administrator role within the vCenter Server virtual appliance. By default, only the predefined root account has this role.
10. Click OK to return to the vSphere Client.
After completing this process, you'll be able to log into the vCenter Server virtual appliance with the vSphere Client using an Active Directory username and password. You're all set—the vCenter Server virtual appliance is configured to use Active Directory.
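The same permission assignment can be scripted with VMware PowerCLI, which makes the change repeatable and leaves a reviewable record of who was granted Administrator at the inventory root. This is an added example, not code from the book; the appliance address vcsa.example.com and the domain name CORP are placeholders, and the script assumes the Active Directory integration from the steps above is already in place.

```powershell
# Added example (not from the book): grant the Administrator role to an
# Active Directory security group at the root of the vCenter inventory,
# propagating to child objects, as steps 3-10 do in the vSphere Client.
# Placeholders: vcsa.example.com (appliance address), CORP (AD domain).
Connect-VIServer -Server 'vcsa.example.com' -User 'root' | Out-Null

$domain    = 'CORP'
$groupName = 'ESX Admins'   # the group the chapter suggests reusing

# Look the principal up as a *group*, following the advice not to
# grant the role to a specific user account.
$group = Get-VIAccount -Domain $domain -Group -Name $groupName
if (-not $group) {
    throw "Group '$domain\$groupName' not found; check the AD integration first."
}

# Root of the inventory, the equivalent of selecting the vCenter Server object.
$root = Get-Folder -NoRecursion

# The built-in role the client labels "Administrator" is reported by
# PowerCLI as "Admin"; accept either name.
$role = Get-VIRole | Where-Object { $_.Name -in @('Admin', 'Administrator') } |
        Select-Object -First 1

# Step 9: Administrator role with Propagate To Child Objects enabled.
New-VIPermission -Entity $root -Principal $group -Role $role -Propagate $true | Out-Null

# Confirm the result, which is what you would check on the Permissions tab.
Get-VIPermission -Entity $root -Principal $group |
    Format-Table Principal, Role, Propagate, IsGroup -AutoSize

Disconnect-VIServer -Server 'vcsa.example.com' -Confirm:$false
```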
Before we move on to the topic of managing permissions within vCenter Server, one quick item that we'd like to discuss pertains to how vCenter Server interacts with ESXi hosts. It's important to understand how vCenter Server uses a special user account as a proxy account for managing your ESXi hosts.
Understanding the vpxuser Account
At the beginning of this chapter, we showed you how the ESXi security model employs users, groups, roles, privileges, and permissions. We also showed you how to manage local users and groups and to integrate your ESXi hosts with Active Directory.
As you'll see in the section “Managing vCenter Server Permissions,” vCenter Server uses the same user/group-role-privilege-permission security model. When vCenter Server is present, all activities are funneled through vCenter Server using SSO accounts that have been assigned a role that has, in turn, been assigned to one or more inventory objects as a permission. This combination of SSO account, role, and inventory object creates a permission that allows (or disallows) the user to perform certain functions. The user accounts exist in Active Directory or OpenLDAP or on the SSO Server computer itself, not on the ESXi hosts, and the permissions and roles are defined within vCenter Server, not on the ESXi hosts. Because the user doesn't log into the ESXi host directly, this minimizes the need for many local user accounts on the ESXi host and thus provides better security. Alas, there still is a need, however small or infrequent, for local accounts on an ESXi host used primarily for administration, which is why we talked