This post was an oversight from some work I did with AD delegation in vCenter – despite setting up Active Directory and Delegation – one thing I didn’t cover was how to give over management rights over the SSO system itself.
Even if you give a Microsoft AD user/group complete rights to vCenter from a top-level container – this doesn’t necessarily give those AD user/groups rights to manage SSO itself. This handled by different subset of permissions and rights. Typically, SysAdmins like to do this delegation to prevent situations such as loosing, forgetting or getting locked out of VMware SSO, which then prevents further administration. VMware SSO has its own systems of password policies and lockouts.
1. Login to the vSphere Web Client as administrator@vsphere.local
2. From the home location, navigate to >>Administration >>Singe Sign-on >>Users & Groups
3. Select the Groups Tab and Select the Administrators group
4. Click the Add Member icon which resembles the figure of person with small green +
5. From the Domain and User and Group pull-down lists – select your Microsoft Active Directory Domain, and Show Groups First
6. Locate your delegated user/group from the list, and click the Add button