To manage administrative access to NSX after configuring NSX Manager with Active Directory as an idenity source, you assign the NSX roles to Active Directory security groups.

You assign access to Active Directory security groups for the following roles in NSX Manager:

  • Enterprise Admin

  • Network Admin

  • Auditor


For an environment with NSX Federation, you must use the component's user interface to assign NSX roles for NSX Global Manager in Active Directory. The PowerShell module does not support configuring the authentication services for an NSX Global Manager instance.

UI Procedure

  1. Log in to NSX Local Manager for the management domain at https://<management_domain_nsx_local_manager_fqdn>/login.jsp?local=true as admin.
  2. On the main navigation bar, click System.
  3. In the left pane, click Users management.

  4. Click the Users role assignment tab.

  5. From the Add Role for Providers drop-down menu, select LDAP, select the group and the role you want to assign, and click Save.

  6. Repeat Step 5 for each role you want to assign.

  7. Repeat the procedure for all NSX Local Managers in each workload domain.

  8. Repeat the procedure for the NSX Global Manager of the management domain and each workload domain.

PowerShell Procedure

  1. Start PowerShell.

  2. Replace the values in the sample code with values from your VMware Cloud Foundation Planning and Preparation Workbook and run the commands in the PowerShell console.

    $sddcManagerFqdn = ""
    $sddcManagerUser = "administrator@vsphere.local"
    $sddcManagerPass = "VMw@re1!"
    $sddcDomainName = "sfo-m01"
    $nsxEnterpriseAdminGroup = ""
    $nsxNetworkAdminsGroup = ""
    $nsxAuditorGroup = ""
  3. Perform the configuration by running the command in the PowerShell console.

    Add-NsxtLdapRole -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -type group -principal $nsxEnterpriseAdminGroup -role enterprise_admin
    Add-NsxtLdapRole -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -type group -principal $nsxNetworkAdminsGroup -role network_engineer
    Add-NsxtLdapRole -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -type group -principal $nsxAuditorGroup -role auditor
  4. Repeat the procedure for each NSX Local Manager in each workload domain.

  5. Repeat the procedure for the NSX Global Managers of the management domain and each workload domain.