Recently while working with a customer, we had a single host that was completely read-only for their domain login.
Symptoms were buttons and controls they normally had access to (everything to do with editing) was grayed out.
(Most screenshots of vcenter will be from the web client from here on out, because like it or not, it is going to be the only choice soon)
Since all permissions were supposed to be set at the top level of vcenter, and was set to a group, this was puzzling. A quick look at that hosts permissions tab, and we find our culprit.
So after some googling I found the explanation here
So the core the issue is a read-only permissions setting overrides an administrator setting for the object. If you set it at the top level you can even totally lockout all administrators from vcenter in one go (depending on how you setup permissions to begin with).
The article is accurate in how to correct the situation, but since a lot of admins I run across are nervous around SQL, I thought a walk-through video might be helpful.
In essence, to fix the issue you just need to update a single table in the vcenter database dbo.VPX_Access. However being a good administrator, you are going to want to backup your database first before editing directly 🙂
Below is a short video walking through editing the table and restoring your access.