If your organisation is using VMware and you need to add various user accounts to vSphere, follow these steps to ensure you follow best practice.
One of the recommendations for managing vSphere is to add your ESXi hosts to Active Directory and authenticate to the client using an AD account.
VMware gives us some best practices for managing user accounts.
On an ESXi host, the root user account is the most powerful user account on the system. The user root can access all files and all commands. Securing this account is the most important step that you can take to secure an ESXi host.
Whenever possible, use the vSphere Client to log in to the vCenter Server system and manage your ESXi hosts. In some unusual circumstances, for example when the vCenter Server system is down, you use VMware Host Client to connect directly to the ESXi host.
Although you can log in to your ESXi host through the vSphere CLI or through vSphere ESXi Shell, these access methods should be reserved for troubleshooting or configuration that cannot be accomplished by using VMware Host Client.
If a host must be managed directly, avoid creating local users on the host. If possible, join the host to a Windows domain and log in with domain credentials instead.
To add an ESXi host to Active Directory, authenticate to your ESXi host via the Host Client, highlight Manage, select the Security & Users tab, select Authentication, then select Join Domain and fill in the relevant information for your domain.
When we add the ESXi hosts to Active Directory, by default anyone who is a member of the AD group ESX Admins automatically has root privileges on the ESXi hosts.
If we split AD and VMware into different IT departments, this could mean that our AD administrators could also manage our ESXi hosts by creating a group called ESX Admins and adding themselves to that group.
However, we can modify this functionality. We achieve this through the advanced configuration on an ESXi host:
Log in to the vSphere Host Client and, once authenticated, go to your ESXi host, highlight Manage, select Advanced settings and then search for admins.
You’ll be presented with three options and they are:
This option specifies the Active Directory group name that is automatically granted Administrator privileges on the ESXi host.
This option controls whether the group specified by esxAdminsGroup is automatically granted administrator permission; values are True or False.
This option specifies the interval between checks for whether the group specified by esxAdminsGroup has appeared in Active Directory; value is in minutes.
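As an added example (not part of the original article or any VMware tooling), the following Python sketch audits these three settings across hosts and flags the risk described above: auto-add left enabled while the group uses the default name or does not yet exist in AD. The setting keys use the `Config.HostAgent.plugins.hostsvc.` prefix under which ESXi lists these options; the host names, AD group list and the dictionary export format are constructed assumptions.

```python
PREFIX = "Config.HostAgent.plugins.hostsvc."
DEFAULT_GROUP = "ESX Admins"  # default group name given in the article


def is_true(value):
    """Advanced settings are often exported as strings; normalise to bool."""
    return str(value).strip().lower() == "true"


def audit_host(settings, ad_groups):
    """Return finding codes for one host's advanced settings (name -> value)."""
    # Assumption: a setting missing from the export still has its default.
    group = settings.get(PREFIX + "esxAdminsGroup", DEFAULT_GROUP)
    if not is_true(settings.get(PREFIX + "esxAdminsGroupAutoAdd", "True")):
        return []  # no AD group is granted Administrator automatically
    findings = []
    if group.casefold() == DEFAULT_GROUP.casefold():
        findings.append("default-group-name")
    if group.casefold() not in {g.casefold() for g in ad_groups}:
        # Whoever can create this group in AD gains administrator on the host.
        findings.append("group-missing-in-ad")
    return findings


def audit(hosts, ad_groups):
    """Audit every host; returns {host name: [finding codes]}."""
    return {name: audit_host(s, ad_groups) for name, s in hosts.items()}


def _settings(group, auto_add, interval):
    return {PREFIX + "esxAdminsGroup": group,
            PREFIX + "esxAdminsGroupAutoAdd": auto_add,
            PREFIX + "esxAdminsGroupUpdateInterval": interval}


# Constructed sample data: hosts, groups and values are made up for the example.
AD_GROUPS = {"Domain Admins", "vSphere-Host-Admins"}
HOSTS = {
    "esx01.example.test": _settings("ESX Admins", "True", "1"),
    "esx02.example.test": _settings("vSphere-Host-Admins", "True", "5"),
    "esx03.example.test": _settings("ESX Admins", "False", "1"),
    "esx04.example.test": _settings("Hypervisor-Ops", "True", "1"),
}

if __name__ == "__main__":
    for host, findings in audit(HOSTS, AD_GROUPS).items():
        interval = HOSTS[host][PREFIX + "esxAdminsGroupUpdateInterval"]
        print(f"{host}: {', '.join(findings) or 'ok'} "
              f"(AD re-check every {interval} min)")
```

A host with no findings either has auto-add disabled or points at a non-default group that already exists in the domain, where its membership can be controlled.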
Now you've set up your organisation's users in a simple, secure way.
Bryan O'Connor
Bryan has been working at QA as one of the principal virtualisation trainers for 13 years and counting, specialising in VMware, but also working with Microsoft Hyper-V, and multiple Cloud technologies.