By default, vCenter Server grants full administrator privileges to the administrator of the local system, which can be accessed by domain administrators. To minimize risk of this privilege being abused, remove administrative rights from the local operating system's administrator account and assign these rights to a special-purpose local vSphere administrator account. Use the local vSphere account to create individual user accounts.
Grant the Administrator privilege only to administrators who are required to have it. Do not grant the privilege to any group whose membership is not strictly controlled.
- Create a user account that you will use to manage vCenter Server (for example, vi-admin).
Ensure that the user does not belong to any local groups, such as the Administrators group.
- Log into the vCenter Server system as the local operating system administrator and grant the role of global vCenter Server administrator to the user account you created (for example, vi-admin).
- Log out of vCenter Server and log in with the user account you created (vi-admin).
- Verify that the user can perform all tasks available to a vCenter Server administrator.
- Remove the administrator privileges that are assigned to the local operating system administrator user or group.