Best practices for managing user accounts in VMware vSphere

In another of Bryan O'Connor's technical VMware blogs, he details the do's and don'ts of adding user accounts in vSphere.

If your organisation uses VMware and you need to add user accounts to vSphere, follow these steps to stay within best practice.

One of the recommendations for managing vSphere is to join your ESXi hosts to Active Directory and authenticate to the client with an AD account rather than a local one.

VMware gives us some best practices for managing user accounts.

On an ESXi host, the root user account is the most powerful user account on the system. The user root can access all files and all commands. Securing this account is the most important step that you can take to secure an ESXi host.

Whenever possible, use the vSphere Client to log in to the vCenter Server system and manage your ESXi hosts. In some unusual circumstances, for example when the vCenter Server system is down, you can use VMware Host Client to connect directly to the ESXi host.

Although you can log in to your ESXi host through the vSphere CLI or through vSphere ESXi Shell, these access methods should be reserved for troubleshooting or configuration that cannot be accomplished by using VMware Host Client.

If a host must be managed directly, avoid creating local users on the host. If possible, join the host to a Windows domain and log in with domain credentials instead.

To add an ESXi host to Active Directory, authenticate to your ESXi host via the Host Client, highlight Manage, select the Security & Users tab, then select Authentication, then select Join Domain and fill in the relevant information for your domain.
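The same join can be scripted for every host in a cluster. The following PowerCLI script is an added example, not code from the original post or from VMware; the vCenter name, domain name and cluster name are placeholders, and it assumes the PowerCLI module is installed and that the account you supply is permitted to join computers to the domain.

```powershell
# Added example (not from the original post): join every ESXi host in a cluster
# to Active Directory with PowerCLI, skipping hosts that are already members.
# 'vcenter.example.internal', 'corp.example.internal' and 'Prod-Cluster' are placeholders.
Import-Module VMware.PowerCLI

$vCenter = 'vcenter.example.internal'   # placeholder vCenter Server name
$Domain  = 'corp.example.internal'      # placeholder AD domain
$Cluster = 'Prod-Cluster'               # placeholder cluster name

Connect-VIServer -Server $vCenter | Out-Null

# Prompt for the AD account used to perform the join; never hard-code its password.
$JoinCred = Get-Credential -Message "AD account permitted to join hosts to $Domain"

foreach ($vmHost in Get-Cluster -Name $Cluster | Get-VMHost) {
    $auth = Get-VMHostAuthentication -VMHost $vmHost

    # Already joined and healthy: nothing to do on this host.
    if ($auth.Domain -eq $Domain -and $auth.DomainMembershipStatus -eq 'Ok') {
        Write-Host "$($vmHost.Name): already joined to $Domain"
        continue
    }

    Set-VMHostAuthentication -VMHostAuthentication $auth -JoinDomain `
        -Domain $Domain -Credential $JoinCred -Confirm:$false | Out-Null

    # Re-read the state so the log line reflects what the host reports, not what we asked for.
    $status = (Get-VMHostAuthentication -VMHost $vmHost).DomainMembershipStatus
    Write-Host "$($vmHost.Name): join requested, membership status now '$status'"
}

Disconnect-VIServer -Server $vCenter -Confirm:$false
```

The membership status may not read Ok immediately after the join, so re-run the script (or check the Authentication page in the Host Client) a few minutes later before relying on domain logins to that host.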

VMware: adding ESXi host to Active Directory

When we add ESXi hosts to Active Directory, by default anyone who is a member of the AD group ESX Admins automatically has root privileges on those hosts.

If we split AD and VMware into different IT departments, this could mean that our AD administrators could also manage our ESXi hosts by creating a group called ESX Admins and adding themselves to that group.

However, we can modify this functionality. We achieve this through the advanced configuration on an ESXi host:

Log in to the vSphere Host Client and, once authenticated, go to your ESXi host, highlight Manage, select Advanced settings and then search for admins.

VMware: Advanced configuration on ESXi host

You'll be presented with three options:

  • Config.HostAgent.plugins.hostsvc.esxAdminsGroup

This option specifies the Active Directory group name that is automatically granted Administrator privileges on the ESXi host.

  • Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd

This option controls whether the group specified by esxAdminsGroup is automatically granted administrator permission; values are True or False.

  • Config.HostAgent.plugins.hostsvc.esxAdminsGroupUpdateInterval

This option specifies the interval between checks for whether the group specified by esxAdminsGroup has appeared in Active Directory; value is in minutes.
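To check these three settings across a whole cluster, and to see which hosts still map the default ESX Admins group with auto-add switched on, the following PowerCLI script is an added example that is not part of the original post or of VMware's own tooling. The vCenter name, cluster name and the replacement group name vSphere-Host-Admins are placeholders; with $Enforce left at $false it only reports, and with $Enforce set to $true it re-points the group mapping and disables auto-add on exposed hosts.

```powershell
# Added example (not from the original post): audit, and optionally harden, the
# ESX Admins advanced settings on every host in a cluster with PowerCLI.
# 'vcenter.example.internal', 'Prod-Cluster' and 'vSphere-Host-Admins' are placeholders.
Import-Module VMware.PowerCLI

$vCenter      = 'vcenter.example.internal'
$Cluster      = 'Prod-Cluster'
$DesiredGroup = 'vSphere-Host-Admins'   # an AD group the VMware team controls, not the default 'ESX Admins'
$Enforce      = $false                  # $false = report only; $true = apply the remediation below

$GroupSetting    = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup'
$AutoAddSetting  = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd'
$IntervalSetting = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroupUpdateInterval'

Connect-VIServer -Server $vCenter | Out-Null

$report = foreach ($vmHost in Get-Cluster -Name $Cluster | Get-VMHost) {
    $adv = Get-AdvancedSetting -Entity $vmHost -Name $GroupSetting, $AutoAddSetting, $IntervalSetting

    $group    = ($adv | Where-Object Name -eq $GroupSetting).Value
    $autoAdd  = ($adv | Where-Object Name -eq $AutoAddSetting).Value
    $interval = ($adv | Where-Object Name -eq $IntervalSetting).Value

    # Normalise the boolean: the value may come back as a Boolean or as the string 'true'.
    $autoAddOn = "$autoAdd" -match '^(true|1)$'

    # The exposure the post describes: default group name plus auto-add means whoever
    # can create 'ESX Admins' in AD gets administrator rights on the host.
    $exposed = $autoAddOn -and ($group -eq 'ESX Admins')

    if ($Enforce -and $exposed) {
        # Map the privilege to a group the VMware team owns, and stop the automatic grant;
        # host permissions can then be assigned explicitly through vCenter instead.
        $adv | Where-Object Name -eq $GroupSetting |
            Set-AdvancedSetting -Value $DesiredGroup -Confirm:$false | Out-Null
        $adv | Where-Object Name -eq $AutoAddSetting |
            Set-AdvancedSetting -Value $false -Confirm:$false | Out-Null
    }

    [pscustomobject]@{
        Host            = $vmHost.Name
        AdminsGroup     = $group
        AutoAdd         = $autoAddOn
        IntervalMinutes = $interval
        ExposedDefault  = $exposed
        Remediated      = [bool]($Enforce -and $exposed)
    }
}

$report | Format-Table -AutoSize
Disconnect-VIServer -Server $vCenter -Confirm:$false
```

Run it in report mode first and keep the output: a host that later shows AutoAdd back at True, or the group name reverted to ESX Admins, is a configuration change worth investigating rather than silently re-applying.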

Now you've set up your organisation's users in a simple, secure way. For more technical tips and VMware blogs, or to see our large array of official VMware courses, click below.
