User/Group Auto Add when joining Domain
I've been in the process of joining our ESXi hosts to the AD domain and have noticed that the group "ESX_Admin" is automatically being added to Permissions on the ESXi hosts.
I have found the ESX_Admin in the Active Directory Users and Computers but am not seeing a policy to automatically add it to ESXi hosts upon joining.
Can anyone point me in the right direction? Thanks.
active-directory vmware-esxi domain-controller vmware-vsphere
asked Jun 4 at 20:14
cycloxr
1 Answer
While it's an older post, it has been updated with current release information. Details related to the group and the manner of its use can be found here: https://kb.vmware.com/s/article/1025569
Selected information (emphasis mine):
By default, an ESX/ESXi 4.1 and ESXi 5.x/6.x host joined to an AD domain queries the domain for the ESX Admins group and this behavior is not configurable.
The KB does contain some suggestions as to how to cope with this behavior if it is undesirable (my own suggestion follows); though the KB is mainly geared to the syslog entries generated if the group is not present in AD, the information included should prove sufficient to your needs.
If you're looking to change the default group that is queried, that process can be found here: https://www.stigviewer.com/stig/vmware_vsphere_esxi_6.0/2016-06-07/finding/V-63247, some selected highlights:
PowerCLI:
Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup | Set-AdvancedSetting -Value "<anything but ESX_Admins>"
GUI:
Configuration >> Advanced Settings. Select the Config.HostAgent.plugins.hostsvc.esxAdminsGroup value and verify it is not set to "ESX Admins".
In any event, this is a "feature" of ESX (vSphere Hypervisor), not Active Directory, and it goes back to at least 4.0. Now, because it is a well known group (at least I believe it to be considered such), I prefer to keep it empty, its membership audited and tripwired, and permission on its members attribute locked down. Instead, I use a custom group to confer administrative access to the hosts.
Frankly, one of the first things I do is to join it to the domain, and altering the default behavior every time I re-image or remediate the host seems a little sisyphean to me and a waste of time. This is why I prefer to accept the default behavior and secure the group in Active Directory. In theory, this only takes a single change (and as pointed out in the KB, does consume the least administrative effort). Though, be warned that this practice may be a no-no for any security-minded auditors (as pointed out in the second article I linked), but in the end I feel it's a better process and easily justifiable to any auditors.
edited Jun 4 at 21:56
answered Jun 4 at 21:51
Semicolon
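As an added example (not code from the post, the VMware KB or the STIG), a PowerCLI/ActiveDirectory audit that checks both halves of the answer above: which group each host's esxAdminsGroup setting actually names, and whether that AD group exists, is empty, and has its membership writers locked down. It assumes a vCenter hostname and the KB's default group name "ESX Admins"; the schema GUID for the member attribute is the standard AD one.

```powershell
# Audit script added here; not from the Server Fault post or from VMware.
# Needs the VMware.PowerCLI and ActiveDirectory (RSAT) modules. $VCenter is an assumed value.
param(
    [string]$VCenter       = 'vcenter.example.test',   # assumed placeholder
    [string]$ExpectedGroup = 'ESX Admins'              # KB default; change if you renamed it
)
Import-Module VMware.PowerCLI -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

Connect-VIServer -Server $VCenter | Out-Null
$settingName = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup'

# 1. Which group does each host query? Flag any host whose value drifted from the expected one.
$hostReport = foreach ($esx in Get-VMHost) {
    $value = (Get-AdvancedSetting -Entity $esx -Name $settingName).Value
    [pscustomobject]@{ Host = $esx.Name; Group = $value; AsExpected = ($value -eq $ExpectedGroup) }
}
$hostReport | Format-Table -AutoSize

# 2. The AD group that name resolves to should exist (otherwise hosts log failed lookups) and,
#    under the answer's approach, it should have no members at all.
$group = Get-ADGroup -Filter "SamAccountName -eq '$ExpectedGroup'" -ErrorAction SilentlyContinue
if (-not $group) {
    Write-Warning "AD group '$ExpectedGroup' not found; joined hosts will log failed lookups."
} else {
    $members = @(Get-ADGroupMember -Identity $group -Recursive)
    if ($members.Count -gt 0) {
        Write-Warning "'$ExpectedGroup' has $($members.Count) member(s); each is an ESXi administrator:"
        $members | Select-Object SamAccountName, objectClass | Format-Table -AutoSize
    } else {
        Write-Output "'$ExpectedGroup' is empty, as intended."
    }

    # 3. Who can change that membership? List allow ACEs that grant write on the 'member'
    #    attribute (schema GUID bf9679c0-0de6-11d0-a285-00aa003049e2) or on all properties,
    #    plus rights (WriteDacl/WriteOwner) that let a principal grant itself that access.
    $memberAttrGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
    $writeRights = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, GenericWrite, GenericAll, WriteDacl, WriteOwner'
    $acl = Get-Acl -Path "AD:\$($group.DistinguishedName)"
    $writers = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $writeRights) -and
        ($_.ObjectType -eq $memberAttrGuid -or $_.ObjectType -eq [guid]::Empty)
    }
    Write-Output "Principals able to modify membership of '$ExpectedGroup' (review against your custom admin group):"
    $writers | Select-Object IdentityReference, ActiveDirectoryRights |
        Sort-Object IdentityReference -Unique | Format-Table -AutoSize
}
Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it on a schedule and diff the output against the previous run; a new member or a new writer on the group is the event the answer's "audited and tripwired" membership is meant to catch.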