Create a non-root user account for local admin access.

By default each ESXi host has a single root user account with full administrator privileges that can be used for local administration and to connect the host to vCenter Server. Sharing a common root account can make it easier to break into an ESXi host.

Create at least one named user account, assign it full administrative privileges, and use this account instead of the root account. Set a highly complex password for the root account and limit its use. (Do not remove the root user itself.)


If you remove the access permissions for the root user, you must first create another permission at the root level that has a different user assigned to the Administrator role.


In vSphere 5.1 and later, only the root user is permitted to add a host to vCenter Server; no other user, even one with administrator privileges, can do so.

Assigning the Administrator role to a different user helps you maintain security through traceability. The vSphere Client logs all actions that the Administrator role user initiates as events, providing you with an audit trail. If all administrators log in as the root user, you cannot tell which administrator performed an action. If you create multiple permissions at the root level—each associated with a different user—you can track the actions of each administrator.
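
The steps above (create a named account, give it the Administrator role at the root level, then check who holds that role) can be scripted with VMware PowerCLI. This is an added example, not part of the original guidance. Assumptions: PowerCLI is installed, the session connects directly to the ESXi host rather than to vCenter Server, and the host name and account name are constructed placeholders.

```powershell
# Added example. Host name and account name are constructed placeholders.
$EsxiHost  = 'esxi01.example.test'
$AdminName = 'jdoe-adm'          # one named account per administrator

# Connect directly to the host with an existing administrative login.
$server = Connect-VIServer -Server $EsxiHost `
    -Credential (Get-Credential -Message 'Existing host administrator')

try {
    # Create the named local account only if it does not already exist.
    $account = Get-VMHostAccount -Server $server -User -Id $AdminName `
        -ErrorAction SilentlyContinue
    if (-not $account) {
        $newCred = Get-Credential -UserName $AdminName `
            -Message 'Password for the new named account'
        $account = New-VMHostAccount -Server $server -Id $AdminName `
            -Password $newCred.GetNetworkCredential().Password `
            -Description 'Named local administrator'
    }

    # On a directly connected host the root of the inventory is
    # ha-folder-root and the Administrator role is named Admin.
    $rootFolder = Get-Folder  -Server $server -Name 'ha-folder-root'
    $adminRole  = Get-VIRole  -Server $server -Name 'Admin'

    # Grant the role at the root level, propagating to child objects.
    $existing = Get-VIPermission -Server $server -Entity $rootFolder `
        -Principal $account -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-VIPermission -Server $server -Entity $rootFolder `
            -Principal $account -Role $adminRole -Propagate $true | Out-Null
    }

    # Review: every principal that holds Admin at the root level.
    # More than one entry here means actions can be traced per user.
    Get-VIPermission -Server $server -Entity $rootFolder |
        Where-Object { $_.Role -eq 'Admin' } |
        Select-Object Principal, Role, Propagate
}
finally {
    Disconnect-VIServer -Server $server -Confirm:$false
}
```

Run it once per administrator with a different `$AdminName`; the final listing should show each named account alongside root.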