Friday, 18 June 2021

Managing User Accounts VMware vSphere: Best Practices


One of the recommendations for managing vSphere is to add your ESXi hosts to Active Directory and authentication to the client by using an AD account.

VMware give us some best practices for managing user accounts

On an ESXi host, the root user account is the most powerful user account on the system. The user root can access all files and all commands. Securing this account is the most important step that you can take to secure an ESXi host.

Whenever possible, use the vSphere Client to log in to the vCenter Server system and manage your ESXi hosts. In some unusual circumstances, for example, when the vCenter Server system is down, you use VMware Host Client to connect directly to the ESXi host.

Although you can log in to your ESXi host through the vSphere CLI or through vSphere ESXi Shell, these access methods should be reserved for troubleshooting or configuration that cannot be accomplished by using VMware Host Client.

If a host must be managed directly, avoid creating local users on the host. If possible, join the host to a Windows domain and log in with domain credentials instead.

To add an ESXi host to Active Directory, authenticate to your ESXi host via the host client and highlight Manage, select the Security& Users tab, then select Authentication, and then select Join Domain and fill in relevant information for your domain.


When we add the ESXi hosts to Active Directory, by default anyone who is a member of the AD group ESX Admins automatically have root privileges on ESXi hosts.

If we split AD and VMware into different IT departments, this could mean that our AD administrators could also manage our ESXi hosts by creating a group called ESX Admins and adding themselves to that group.

However, we can modify this functionality. We achieve this through the advanced configuration on an ESXi host

Login to the vSphere Host Client, once authenticated go to your ESXi host and highlight Manage, select Advanced settings and then search for admins

You’ll be presented with three options and they are:

Config.HostAgent.plugins.hostsvc.esxAdminsGroup       This option specifies the Active Directory group name that is automatically granted Administrator privileges on the ESXi host.

Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd     This option controls whether the group specified by “esxAdminsGroup” is automatically granted administrator permission, values are True or False

Config.HostAgent.plugins.hostsvc.esxAdminsGroupUpdateInterval        This option specifies the interval between checks for whether the group specified by “esxAdminsGroup’ has appeared in Active Directory, value is in minutes.