I just did a migration of a vCenter 6.0 on a Windows Server to a vCenter Appliance 6.7 Update 1.
But after the migration/upgrade the customer needed to remove som permissions from the vCenter, but it failed.
The permission with the problem used this syntax: child.domain.local\username
When changing the user: child.domain.local\username role to “No access” i just added a new permission line with the user child\username and role “No access”, and the new permission can be removed without no problem.
So the problem is the permissions that is using the syntax: child.domain.local\<xxxxx> can not be removed and the one with the syntax: child\<xxxxx> can be removed. Note that both syntax’s work for login and permissions.
We have to fix this in the vCenter database.
This fix might not be supported by VMware support, so only use at your own risk.
Shutdown the vCenter and take a snapshot.
Boot the vCenter.
After booting the vCenter connect to the vCSA appliance using SSH, or on the console.
Stop the vCenter server service
service-control --stop vmware-vpxd
Connect to the vPostgres database, get the content of the vpx_access table, update the vpx_access table and afterward get the changed content of the vpx_access table.
from the vCenter Server shell:
/opt/vmware/vpostgres/current/bin/psql -d VCDB -U postgres
select * from vpx_access; update vpx_access set principal = replace(principal,'child.domain.local','child'); select * from vpx_access; \q
Reboot the vcenter.
Check that it works.