A service account provides non-interactive and non-human access to services and APIs to the components of the SDDC. You must create service accounts for accessing functionality on the SDDC nodes, and user accounts for operations and tenant administration.

Service Accounts

A service account is a standard Active Directory account that you configure in the following way:

  • The password never expires.

  • The user cannot change the password.

  • The account must have the right to join computers to the Active Directory domain. 

Service Accounts in This VMware Validated Design

This validated design introduces a set service accounts that are used in a one- or bi-directional fashion to enable secure application communication. You use custom roles to ensure that these accounts have only the least permissions that are required for authentication and data exchange.

Table 1. Application-to-Application or Application Service Accounts in the VMware Validated Design





Required Role


NSX for vSphere Manager

vCenter Server

Service account for registering NSX Manager with vCenter Single Sign-on on the Platform Services Controller and vCenter Server for the management cluster and for the compute and edge clusters



vRealize Log Insight

vCenter Server

Service account for using the Active Directory as an authentication source in vRealize Log Insight and for connecting vRealize Log Insight to vCenter Server and ESXi in order to forwarding log information

Log Insight User (vCenter Server)

Users in the Child Domains

Create the following accounts for user access in each of the child Active Directory domain, sfo01.rainpole.local and lax01.rainpole.local, to provide centralized user access to the SDDC. In the Active Directory, you do not assign any special rights to these accounts other than the default ones.

Table 2. User Accounts in the sfo01.rainpole.local and lax01.rainpole.local Child Domains

User Name


Service Account

Member of Groups


Global administrative account across the SDDC.