When you’re locked out of your vCenter Server because someone has assigned the “Read-Only” role to the “Domain Users” group and has set the permissions at the highest level, you’re in deep trouble. You can log on to vCenter but can’t change anything, because your Administrator account is also a “Domain User”. There are several ways to fix this problem. First of all, never use default Windows groups to create VC roles. Second, there’s an easy way and a hard way.
The easy way is to shut down VC and disable authorization checks by adding:
<security>
<enabled>false</enabled>
</security>
within the <config> tags of vpxd.cfg. Start VC and remove the permission, then shut it down and turn security back on again by removing these tags.
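Because the easy way leaves authorization checks off until the tags are removed again, it is worth confirming afterwards that the override is really gone. The following check is an added example, not part of the original post: the sample XML is constructed, the function names are hypothetical, and matching any casing of "false" is an assumption made so that variant spellings are still flagged.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from a real vCenter installation).
SAMPLE_BYPASSED = """<config>
  <vpxd><name>constructed-sample</name></vpxd>
  <security>
    <enabled> False </enabled>
  </security>
</config>"""

SAMPLE_CLEAN = """<config>
  <vpxd><name>constructed-sample</name></vpxd>
</config>"""


def audit_vpxd_security(xml_data):
    """Classify the <security> override in vpxd.cfg content (str or bytes).

    Returns one of:
      'clean'      - no <security> element directly under <config>
      'disabled'   - <security><enabled>false</enabled></security> is present
      'leftover'   - a <security> element exists but is not set to false
      'unparsable' - not well-formed XML, or the root element is not <config>
    """
    try:
        root = ET.fromstring(xml_data)
    except ET.ParseError:
        return "unparsable"
    if root.tag != "config":
        return "unparsable"
    # The post places the override directly inside the <config> tags.
    blocks = root.findall("security")
    if not blocks:
        return "clean"
    for block in blocks:
        enabled = block.find("enabled")
        text = enabled.text if enabled is not None and enabled.text else ""
        # Assumption: compare case-insensitively and ignore whitespace.
        if text.strip().lower() == "false":
            return "disabled"
    # The post says to remove the tags entirely, so anything left is reported.
    return "leftover"


def audit_file(path):
    """Audit a vpxd.cfg file on disk; bytes let the parser honour the XML encoding."""
    with open(path, "rb") as handle:
        return audit_vpxd_security(handle.read())
```

Run `audit_file` against vpxd.cfg once the permission has been fixed; any result other than `clean` means the recovery edit has not been fully reverted.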
The hard way is to open the VC SQL database, open the table VPX_ACCESS, and add another row:
ID: 1
Principal: Administrators
Role_ID: -1
ENTITY_ID: 1
FLAG: 3
Afterwards you need to restart the vCenter Server services. Credits to Koen Warson and Phil Cohen.