In normal implementation, it is always a best practice to provide permission per group, rather than per individual ID. Simple reason is, it is easy to administer and manage. Therefore, it was what I did in one of my vCenter implementation, but I could not make it work. It just did not allow me to login using my Domain ID (which configured as part of Local Administrators members in vCenter server), although local ID (part of Local Administrators members as well) worked as expected. Issues : Error while connecting to vCenter Server using VMware vSphere Client. Error is : Error Connecting The vSphere Client could not connect to "vCenter Server Name" You do not have permission to login to the server : "vCenter Server Name" Troubleshooting Assigned appropriate domain ID (MyDomain\DomainAdminID) to a Domain Group (MyDomain\Domain Admins) Assigned that Domain Group to Local Administrators in vCenter server (Double kill!) Assign