When you join a host to an Active Directory domain, you must define roles on the host for a user or group in that domain. Otherwise, the host is not accessible to Active Directory users or groups. You can use host profiles to set a required role for a user or group and to apply the change to one or more hosts.

You must have an existing host profile. See Creating a Host Profile.

Verify that the hosts to which you apply a profile are in maintenance mode.


Using the vSphere Client, select View > Management > Host Profiles.


Right-click an existing host profile and select Edit Profile.


Expand the profile tree, and then expand Security configuration.


Right-click the Permission rules folder and select Add Profile.


Expand Permission rules and select Permission.


On the Configuration Details tab in the right pane, click the Configure a permission drop-down menu and select Require a Permission Rule.


Enter the name of a user or group.

Use the format DOMAIN\name, where DOMAIN is the name of the Active Directory domain and name is the user name or group name.


(Optional) If the name you entered is a group (not a single user), select the Name refers to a group of users check box.


Enter the assigned role name for the user or group (usually Admin).

The role name is case-sensitive. If this is a system role, you must use the nonlocalized role name. For example, for the Administrator role, enter Admin. For the Read-only role, enter ReadOnly.


Select the Propagate permission check box and click OK.


Attach the profile to the hosts as described in Attach Entities from the Host.


Apply the profile to the hosts as described in Apply a Profile from the Host.
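
After the profile is applied, the resulting permission can be audited on each host. The following PowerCLI script is an added example, not part of the original procedure or VMware's own code; it assumes VMware PowerCLI is installed, and the host names and the principal `EXAMPLE\ESX-Admins` are constructed placeholders.

```powershell
# Added example: audit the host-local permission that the host profile should create.
# Assumptions (not from the page): VMware PowerCLI is installed; the host names and
# principal below are constructed placeholders.
$expectedPrincipal = 'EXAMPLE\ESX-Admins'   # DOMAIN\name format
$expectedRole      = 'Admin'                # nonlocalized role name, case-sensitive
$expectedIsGroup   = $true                  # "Name refers to a group of users"
$hostNames         = @('esx01.example.test', 'esx02.example.test')

$cred = Get-Credential -Message 'ESXi account allowed to read permissions'

$report = foreach ($name in $hostNames) {
    # Connect to the host itself, because the role is defined on the host.
    $conn = Connect-VIServer -Server $name -Credential $cred -ErrorAction Stop
    try {
        $perms = @(Get-VIPermission -Server $conn |
            Where-Object { $_.Principal -eq $expectedPrincipal })
        if ($perms.Count -eq 0) {
            [pscustomobject]@{ Host = $name; Entity = $null; Role = $null
                               Status = 'MISSING: no permission for principal' }
            continue
        }
        foreach ($p in $perms) {
            $problems = @()
            # -cne is a case-sensitive comparison, matching the role-name rule above.
            if ($p.Role -cne $expectedRole)      { $problems += "role is '$($p.Role)'" }
            if ($p.IsGroup -ne $expectedIsGroup) { $problems += "IsGroup is $($p.IsGroup)" }
            if (-not $p.Propagate)               { $problems += 'not propagated' }
            $status = if ($problems.Count) { 'MISMATCH: ' + ($problems -join '; ') } else { 'OK' }
            [pscustomobject]@{ Host = $name; Entity = $p.Entity; Role = $p.Role; Status = $status }
        }
    }
    finally {
        # Always close the session, including after an error or the early 'continue'.
        Disconnect-VIServer -Server $conn -Confirm:$false
    }
}

$report | Format-Table -AutoSize
```

A `MISSING` row means the host still has no role for the Active Directory principal, so that user or group cannot access the host.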