Deep Intro to VMware, Part 9: Protect Your Virtual Disks From Deletion
Virtual machines consist of virtual disks that are kept on storage where ESX can start and use them. Because the virtual disks are so important, we need to protect them from unwanted or accidental deletion. Because a VMFS partition has no means of setting permissions, we need to do this through the VMware vSphere client.
This document explains the steps to protect the Virtual Disks from unplanned deletion.
Create the Windows account
To protect the repository we need to create a Windows account that gives you the ability to manage the disk if necessary.
- Start the Microsoft management console and go to users and computers

- Select new and then User

- Fill in the requested information.

- Make sure you remember the password and set the checkmarks as shown in the picture above.
- Click next and then finish. The account is now created. There is no need to give the account other permissions, as you only need it in the event that you have to delete master machines on a particular disk.
Give the account the necessary permissions
Start the vSphere client, log on as full administrator and go to the host.
- Right click and add permissions.

- Select add to start the process

- Select your domain where you created the account

- Look up the created account and double click on it to add it to the users
- Click OK.
- You now see the account has been added

- Give the account administrator permissions
- Make sure the checkmark Propagate to Child Objects is selected
- Click OK to confirm
- Select View

- Go to inventory
- Click on Data Stores to open your Data Store view
- Now you see that the settings are propagated to all objects. Vstorm-admin has full admin permissions on the storage.

- Make sure that all other users will have Read-Only permissions.
NOTE: If you set the administrator permissions on this disk to read-only you will get a warning that the permissions are propagated from the top level.

Click OK to confirm.

Now the only user who can delete the image or other machines on that repository is Vstorm-admin.
If you now delete one or more virtual machines that have a connection to a virtual disk, the virtual machine will be deleted. The virtual disk will remain. This protects your virtual disks and other machines that reside on that disk from deletion.
Make sure you understand that if you open a virtual machine with a connection to the particular disk, you ARE STILL ABLE to ADD applications or other data to that repository. It protects the disk from writing and deleting, but NOT the content of that disk. In normal operations of your image you will not need to use the Vstorm-admin account.
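The permission layout built in the steps above can also be checked from VMware PowerCLI. The script below is an added example, not part of the original guide: it reports every datastore where the dedicated account lacks the Admin role or where another principal holds more than ReadOnly, and only changes anything when run with -Apply. The host name and the EXAMPLE domain are placeholders; "Admin", "ReadOnly" and "NoAccess" are the built-in vSphere role names.

```powershell
# Added example (not from the original guide). Placeholders: host name and EXAMPLE domain.
param(
    [string]$Server    = 'esx01.example.local',   # placeholder ESX/vCenter address
    [string]$Principal = 'EXAMPLE\Vstorm-admin',  # account from the guide, placeholder domain
    [switch]$Apply                                # without -Apply the script only reports
)

Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server $Server | Out-Null       # prompts for credentials if needed

try {
    $findings = foreach ($ds in Get-Datastore) {
        $perms = @(Get-VIPermission -Entity $ds)

        # 1. The dedicated account must hold Admin on the datastore.
        $admin = $perms | Where-Object { $_.Principal -eq $Principal -and $_.Role -eq 'Admin' }
        if (-not $admin) {
            [pscustomobject]@{ Datastore = $ds.Name; Principal = $Principal
                               Role = '(missing)'; Issue = 'dedicated account lacks Admin' }
            if ($Apply) {
                # Same result as "Add Permission" with Propagate to Child Objects ticked.
                New-VIPermission -Entity $ds -Principal $Principal `
                    -Role (Get-VIRole -Name 'Admin') -Propagate $true | Out-Null
            }
        }

        # 2. Every other principal should be ReadOnly (NoAccess is stricter, so it passes).
        $perms |
            Where-Object { $_.Principal -ne $Principal -and
                           $_.Role -notin 'ReadOnly', 'NoAccess' } |
            ForEach-Object {
                [pscustomobject]@{ Datastore = $ds.Name; Principal = $_.Principal
                                   Role = $_.Role; Issue = 'more than ReadOnly on datastore' }
            }
    }

    if ($findings) { $findings | Sort-Object Datastore, Principal | Format-Table -AutoSize }
    else           { 'All datastores match the intended permission layout.' }
}
finally {
    Disconnect-VIServer -Server $Server -Confirm:$false
}
```

Demoting the principals it flags is left as a manual step, because lowering an inherited permission triggers the propagation warning mentioned in the NOTE above.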
The same procedure can also be used on datastores, hosts, resource pools, etc.
If you have an ESX server and you need to give an administrator full control of only one resource pool, and you do not want him to manage the whole ESX server because you want to protect your other clients, then give him no permissions at the top level but administrator permissions on the resource pool you want him to manage. This enables you to share an ESX server between several users without giving them the ability to perform tasks on the other virtual machines, or even to prevent them from seeing the other machines. The administrator will think he has root level access, but in fact he does not have this.
If you want to use this, make sure every admin that has privileges on a specific resource pool also has privileges on a specific hard disk for storage.
Comments
So detailed, thanks for sharing
Learning.
No thanxs
This is one of the less understood parts in Vmware. And it can be so important.
Thanxs for your compliment. It is a part of our VirtualStorm admin guide.
Regards Erik www.DinamiQs.com Dinamiqs is the home of VirtualStorm (www.virtualstorm.org)