Use best practices for managing groups to increase the security and manageability of your vSphere environment.

VMware recommends several best practices for creating groups in your vSphere environment:

Use a directory service or vCenter Server to centralize access control, rather than defining groups on individual hosts.

Choose a local Windows user or group to have the Administrator role in vCenter Server.

Create new groups for vCenter Server users. Avoid using Windows built-in groups or other existing groups.

If you use Active Directory groups, make sure that they are security groups and not distribution groups. Permissions assigned to distribution groups are not enforced by vCenter Server. For more information about security groups and distribution groups, see the Microsoft Active Directory documentation.


By default, some versions of the Windows operating system include the NT AUTHORITY\INTERACTIVE user in the Administrators group. When the NT AUTHORITY\INTERACTIVE user is in the Administrators group, all users you create on the vCenter Server system have the Administrator privilege. To avoid this, remove the NT AUTHORITY\INTERACTIVE user from the Administrators group on the Windows system where you run vCenter Server.
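The two Windows-side checks above (INTERACTIVE in the local Administrators group, and Active Directory groups that are distribution rather than security groups) can be audited with the following PowerShell, which is an added example and not VMware's own tooling. It assumes an elevated session on the Windows system that runs vCenter Server, the ActiveDirectory (RSAT) module for the group check, and hypothetical group names in `$VCenterGroups`.

```powershell
# Added example: audit the group conditions described on this page.
# Well-known SIDs (fixed by Windows, language-independent):
$InteractiveSid    = 'S-1-5-4'       # NT AUTHORITY\INTERACTIVE
$AdministratorsSid = 'S-1-5-32-544'  # BUILTIN\Administrators

# Hypothetical AD groups that hold vCenter Server permissions; replace with your own.
$VCenterGroups = @('vCenter-Admins', 'vCenter-Operators')

function Test-InteractiveInAdministrators {
    # Look the group up by SID so the check also works on localized Windows builds.
    $members = Get-LocalGroupMember -SID $AdministratorsSid
    [bool]($members | Where-Object { $_.SID.Value -eq $InteractiveSid })
}

function Get-NonSecurityGroup {
    # Returns every named AD group whose category is not Security
    # (permissions on distribution groups are not enforced by vCenter Server).
    param([Parameter(Mandatory)][string[]]$Name)
    foreach ($n in $Name) {
        $group = Get-ADGroup -Identity $n
        if ($group.GroupCategory -ne 'Security') {
            $group | Select-Object Name, GroupCategory, GroupScope
        }
    }
}

if (Test-InteractiveInAdministrators) {
    Write-Warning 'NT AUTHORITY\INTERACTIVE is a member of the local Administrators group.'
    # -WhatIf only reports the change; drop it to actually remove the member.
    Remove-LocalGroupMember -SID $AdministratorsSid -Member $InteractiveSid -WhatIf
} else {
    Write-Output 'INTERACTIVE is not in the local Administrators group.'
}

if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $bad = Get-NonSecurityGroup -Name $VCenterGroups
    if ($bad) {
        Write-Warning 'These groups are not security groups:'
        $bad | Format-Table -AutoSize
    } else {
        Write-Output 'All listed groups are security groups.'
    }
} else {
    Write-Warning 'ActiveDirectory module not found; skipped the group category check.'
}
```

The removal runs with `-WhatIf`, so the script reports what it would change without modifying group membership.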