Friday 18 June 2021

Managing User Accounts VMware vSphere: Best Practices


One of the recommendations for managing vSphere is to join your ESXi hosts to Active Directory and authenticate to the client with an AD account.

VMware gives us some best practices for managing user accounts:

On an ESXi host, the root user account is the most powerful user account on the system. The user root can access all files and all commands. Securing this account is the most important step that you can take to secure an ESXi host.

Whenever possible, use the vSphere Client to log in to the vCenter Server system and manage your ESXi hosts. In some unusual circumstances, for example, when the vCenter Server system is down, you use VMware Host Client to connect directly to the ESXi host.

Although you can log in to your ESXi host through the vSphere CLI or through vSphere ESXi Shell, these access methods should be reserved for troubleshooting or configuration that cannot be accomplished by using VMware Host Client.

If a host must be managed directly, avoid creating local users on the host. If possible, join the host to a Windows domain and log in with domain credentials instead.

To add an ESXi host to Active Directory, authenticate to your ESXi host via the Host Client, highlight Manage, select the Security & Users tab, then select Authentication, then select Join Domain and fill in the relevant information for your domain.


When we add ESXi hosts to Active Directory, by default anyone who is a member of the AD group ESX Admins automatically has root privileges on the ESXi hosts.

If AD and VMware are run by different IT departments, this means that our AD administrators could also manage our ESXi hosts simply by creating a group called ESX Admins and adding themselves to it.

However, we can modify this behaviour through the advanced configuration on an ESXi host.

Log in to the vSphere Host Client; once authenticated, go to your ESXi host, highlight Manage, select Advanced settings, and then search for admins.

You’ll be presented with three options and they are:

Config.HostAgent.plugins.hostsvc.esxAdminsGroup: This option specifies the Active Directory group name that is automatically granted Administrator privileges on the ESXi host.

Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd: This option controls whether the group specified by “esxAdminsGroup” is automatically granted administrator permission. Values are True or False.

Config.HostAgent.plugins.hostsvc.esxAdminsGroupUpdateInterval: This option specifies the interval between checks for whether the group specified by “esxAdminsGroup” has appeared in Active Directory. The value is in minutes.
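Changing the setting host by host in the Host Client does not scale, so as an added example (not part of the original post or VMware's own code) the following PowerCLI script reads these three settings on every host in a connected vCenter, flags hosts that still rely on the default ESX Admins group with the automatic grant enabled, and with the -Remediate switch turns the automatic grant off. It assumes PowerCLI is installed and Connect-VIServer has already been run; the -Remediate switch and the Get-EsxAdminsExposure function name are my own.

```powershell
# Added example, not from the original post. Assumes PowerCLI is loaded and
# Connect-VIServer has already been run against the vCenter to audit.
param(
    [switch]$Remediate   # assumed parameter: apply the fix instead of only reporting
)

$settingNames = @(
    'Config.HostAgent.plugins.hostsvc.esxAdminsGroup',
    'Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd',
    'Config.HostAgent.plugins.hostsvc.esxAdminsGroupUpdateInterval'
)

function Get-EsxAdminsExposure {
    # Returns one record per host describing the three settings from the post
    # and whether the host is still in the default "anyone in ESX Admins is root" state.
    foreach ($vmhost in Get-VMHost | Sort-Object Name) {
        $settings = Get-AdvancedSetting -Entity $vmhost -Name $settingNames
        $group    = ($settings | Where-Object Name -like '*esxAdminsGroup').Value
        $autoAdd  = ($settings | Where-Object Name -like '*esxAdminsGroupAutoAdd').Value
        $interval = ($settings | Where-Object Name -like '*esxAdminsGroupUpdateInterval').Value

        # Risk condition from the post: default group name AND automatic grant enabled
        $exposed = ("$autoAdd" -eq 'true') -and ($group -eq 'ESX Admins')

        [PSCustomObject]@{
            Host           = $vmhost.Name
            Group          = $group
            AutoAdd        = $autoAdd
            IntervalMin    = $interval
            DefaultExposed = $exposed
        }
    }
}

$report = Get-EsxAdminsExposure
$report | Format-Table -AutoSize

if ($Remediate) {
    foreach ($row in $report | Where-Object DefaultExposed) {
        # Disable the automatic grant; host permissions must then be assigned
        # explicitly to a group your VMware team controls.
        $vmhost = Get-VMHost -Name $row.Host
        Get-AdvancedSetting -Entity $vmhost -Name 'Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd' |
            Set-AdvancedSetting -Value $false -Confirm:$false | Out-Null
        Write-Host "Disabled esxAdminsGroupAutoAdd on $($row.Host)"
    }
}
```

Run it once without -Remediate to see which hosts are exposed, then re-run after remediation to confirm AutoAdd reads false everywhere.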