This post describes an error that occurred during System Center Virtual Machine Manager 2012 SP1 deployment, with two VMM servers in cluster configuration.
When using the VMM Console, some users (but not all users) were unable to create VMs, even if the user account is a member of the Delegated Administrator role. In this case, when the user selects “Create a new VM”, the following error message is displayed when “Next” is clicked on the “Configure Hardware” page:
ID 26726: “Either the specified user role or the specified user (%Username) is not valid. User is not a member of the role. Add (%Username) as a member of the user role and try again or provide a different user role or a different user.”
The same error persists even if the user accounts become VMM Administrators.
This error originates from a known issue (http://support.microsoft.com/kb/331951) where the VMM service does not have access to authorization information on user account objects or computer account objects. Specifically, the VMM service cannot read the token-groups-global-and-universal (TGGAU) attribute in AD.
This issue is resolved by adding the VMM Service account to the Windows Authorization Access (Pre-Windows 2000 Compatible Access) group in AD.
In conclusion, if some users are unable to create VMs through the VMM Console due to Error ID 26726, the VMM service is probably unable to verify whether those users are authorized to create VMs, and adding the VMM service to the Pre-Windows 2000 Compatible Access group resolves the issue.