2V0-622 · Question #222
In which two vsphere.local groups should an administrator avoid adding members? (Choose two.)
The correct answer is A. SolutionUsers B. Administrators. Certain vsphere.local groups are reserved for internal vSphere system use and should not have members manually added to avoid disrupting authentication and privileged access.
Question
In which two vsphere.local groups should an administrator avoid adding members? (Choose two.)
Options
- ASolutionUsers
- BAdministrators
- CDCAdmins
- DExternalPDUsers
How the community answered
(25 responses)- A88% (22)
- C4% (1)
- D8% (2)
Why each option
Certain vsphere.local groups are reserved for internal vSphere system use and should not have members manually added to avoid disrupting authentication and privileged access.
SolutionUsers is reserved exclusively for internal vSphere solution accounts such as vCenter Server and the vSphere Web Client service. Adding regular user accounts to this group can break internal component-to-component authentication within the SSO domain.
The vsphere.local Administrators group grants unrestricted administrative control over the vCenter Single Sign-On domain and all registered solutions. VMware explicitly recommends against adding members here to prevent unintended privilege escalation across the entire vSphere environment.
DCAdmins is not flagged by VMware as a group to avoid populating; it does not carry the same internal system-reservation risk as SolutionUsers or Administrators.
ExternalPDUsers holds accounts synchronized from external identity providers and does not have the same internal-use restrictions that make SolutionUsers and Administrators groups dangerous to modify.
Concept tested: vsphere.local SSO group membership restrictions
Source: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.authentication.doc/GUID-CDEA6F32-7581-4615-8572-E0B44C11D80D.html
Topics
Community Discussion
No community discussion yet for this question.