I'm trying to add a group to have permissions on a VM:
> Get-VM VMName | New-VIPermission -Role (Get-VIRole -Name "RoleName") -Principal "DOMAIN\GroupName"
However, this fails with "Could not find VIAccount with name 'DOMAIN\GroupName'".
So I started trying to get the VIAccount object:
> Get-VIAccount -Domain "DOMAIN" -Group -Id "GroupName"
But this fails with 'ViAccount with id 'GroupName' was not found using the specified filter(s).'
So I decided to open things up a bit and see if I could find it in the list myself:
> $groups = Get-VIAccount -Domain "DOMAIN" -Group
> $groups.Count
8500
Odd... this is only a portion of all groups. And looking at the members, it appears to pull them back in alphabetical order and stops well short of my groupname. Wonder if those groups early in the alphabet work ok?
So I test my theory by specifying a group I create that starts with "AAA_...":
> Get-VM VMName | New-VIPermission -Role (Get-VIRole -Name "RoleName") -Principal "DOMAIN\AAA_GroupName"
Success!
So it seems to me that the algorithm for New-VIPermission/Get-VIAccount, instead of working against the entire domain, just grabs some arbitrarily large number of groups/users, based on alphabetical order, and then searches for the specified name/id within that subset. For large domains, this means that groups/users toward the latter half of the alphabet may not be included in the search set and result in "not found" errors, even though that group/user does, in fact, exist within the domain.
Does this make sense? Has this already been discovered by others and I'm just figuring it out myself?
Is there a workaround to deal with group names (which I, as a VAdmin, do not have control over) that may start toward the latter half of the alphabet?
Thank you.
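
An added example, not part of the original post: one way to set the permission without going through Get-VIAccount is to call the vSphere API's AuthorizationManager directly and then read the entry back to confirm exactly what was granted. The function name Set-VMPermissionDirect is hypothetical, VMName, RoleName and DOMAIN\GroupName are the post's placeholders, and it is an assumption that vCenter resolves the principal by name on this path rather than through the truncated listing described above.

```powershell
# Added example (not from the original post). Requires VMware PowerCLI and an
# existing Connect-VIServer session. Set-VMPermissionDirect is a hypothetical name.
function Set-VMPermissionDirect {
    param(
        [Parameter(Mandatory)] [string] $VMName,
        [Parameter(Mandatory)] [string] $RoleName,
        [Parameter(Mandatory)] [string] $Principal,   # e.g. 'DOMAIN\GroupName'
        [switch] $IsUser,                             # default: principal is a group
        [bool]   $Propagate = $true
    )

    # Fail early if the VM or role name is wrong, before touching permissions.
    $vm   = Get-VM     -Name $VMName   -ErrorAction Stop
    $role = Get-VIRole -Name $RoleName -ErrorAction Stop

    # Build the permission entry by name; no VIAccount object is looked up.
    $perm           = New-Object VMware.Vim.Permission
    $perm.Principal = $Principal
    $perm.Group     = -not $IsUser
    $perm.RoleId    = $role.Id
    $perm.Propagate = $Propagate

    # Locate the AuthorizationManager through the ServiceInstance content.
    $si      = Get-View ServiceInstance
    $authMgr = Get-View -Id $si.Content.AuthorizationManager

    # vCenter raises a fault here if it cannot resolve the principal at all.
    $authMgr.SetEntityPermissions($vm.ExtensionData.MoRef, @($perm))

    # Read back only the permissions defined on this VM (not inherited ones)
    # so the granted role and propagation flag can be checked.
    $applied = $authMgr.RetrieveEntityPermissions($vm.ExtensionData.MoRef, $false) |
        Where-Object { $_.Principal -eq $Principal }

    if (-not $applied) {
        throw "Permission for '$Principal' was not found on '$VMName' after the call."
    }
    if ($applied.RoleId -ne $role.Id) {
        throw "Principal '$Principal' holds role id $($applied.RoleId), expected $($role.Id)."
    }
    $applied | Select-Object Principal, Group, RoleId, Propagate
}

# Usage with the post's placeholder names:
# Set-VMPermissionDirect -VMName 'VMName' -RoleName 'RoleName' -Principal 'DOMAIN\GroupName'
```

The read-back step compares on the exact principal string, so pass the name in the same DOMAIN\Name form that vCenter shows for existing permissions.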