
vSphere 6.5 and “Protected Users” group in Active Directory (2012R2)

August 4, 2018

In an attempt to start locking down accounts and providing a more secure environment, we were trialing the use of the “Protected Users” group, a feature of Server 2012R2 in Active Directory.

After adding our privileged accounts to this group, we could no longer authenticate with vCenter.

We are still investigating, but we believe the issue is that we lost our secure connection with AD after the 6.5 upgrade. VMware has published a KB article about this: https://kb.vmware.com/s/article/2149697

A workaround that is listed (number three) is to go down to one Domain Controller, and I will update this article when we figure out whether that fixed the issue.

More to come…


2 Comments

  • Michael Judge, November 22, 2018 at 6:13 am

    Hi, we are also having the same problems and would really like to utilise Protected Users. Just wondering, did you manage to get this working?

    • parquette, July 30, 2019 at 8:44 pm

      I did not, sorry. I’ve been neglecting the blog. We ended up creating new vAdmin user accounts for all VMware administration so AD could remain locked down. Not ideal, but it’s working for us.
