Enabling lockdown mode affects which users are authorized to access host services.

Users Logged in When Lockdown Mode Is Enabled

Users who were logged in to the ESXi Shell before lockdown mode was enabled remain logged in and can run commands. However, these users cannot disable lockdown mode. No other users, including the root user and users with the Administrator role on the host, can use the ESXi Shell to log in to a host that is in lockdown mode.

Access Through vCenter Server

Users with administrator privileges on the vCenter Server system can use the vSphere Web Client to disable lockdown mode for hosts that are managed by the vCenter Server system.

Access From the DCUI

Users granted the DCUI Access privilege can always log directly in to the host using the Direct Console User Interface (DCUI) to disable lockdown mode, even if the user does not have the Administrator role on the host. You must use Advanced Settings to grant the DCUI Access privilege.

Note: When you disable lockdown mode using the DCUI, all users with the DCUI Access privilege are granted the Administrator role on the host.

Root users or users with the Administrator role on the host cannot log directly in to the host with the DCUI if they have not been granted the DCUI Access privilege. If the host is not managed by vCenter Server or if the host is unreachable, only DCUI Access users can log into the DCUI and disable lockdown mode. If the DCUI service is stopped, you must reinstall ESXi.
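The DCUI recovery rules above can be audited across hosts. The following PowerShell is an added example, not VMware's own code: the function name, record fields, and host and account names are hypothetical, and the leading comments show the PowerCLI calls assumed to populate each field.

```powershell
# Added example (not from the original page). Record fields are hypothetical and
# assumed to be filled from PowerCLI for each host object $h:
#   Lockdown    = $h.ExtensionData.Config.AdminDisabled
#   DcuiAccess  = (Get-AdvancedSetting -Entity $h -Name 'DCUI.Access').Value
#   DcuiRunning = (Get-VMHostService -VMHost $h | Where-Object Key -eq 'DCUI').Running
#   VCenterOk   = $true when the host is managed by a reachable vCenter Server
function Get-LockdownRecoveryFinding {
    param([Parameter(Mandatory, ValueFromPipeline)] [pscustomobject] $HostState)
    process {
        # DCUI.Access is treated as a comma-separated list of user names.
        $users = @($HostState.DcuiAccess -split ',' |
                   ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $dcuiUsable = $HostState.DcuiRunning -and $users.Count -gt 0
        $findings = @()
        if ($HostState.Lockdown) {
            if (-not $HostState.DcuiRunning) { $findings += 'DCUI service is stopped' }
            if ($users.Count -eq 0) { $findings += 'No user holds DCUI Access' }
            if (-not $HostState.VCenterOk -and -not $dcuiUsable) {
                $findings += 'No path left to disable lockdown mode'
            }
        }
        # Disabling lockdown from the DCUI gives every DCUI Access user the
        # Administrator role, so non-root entries are latent administrators.
        $extra = @($users | Where-Object { $_ -ne 'root' })
        if ($extra.Count -gt 0) {
            $findings += "Latent administrators via DCUI Access: $($extra -join ', ')"
        }
        [pscustomobject]@{
            Host     = $HostState.Name
            Lockdown = $HostState.Lockdown
            Findings = $findings
        }
    }
}

# Constructed sample records; host and account names are made up.
$sample = @(
    [pscustomobject]@{ Name = 'esx01.example.test'; Lockdown = $true; DcuiAccess = 'root'; DcuiRunning = $true; VCenterOk = $true }
    [pscustomobject]@{ Name = 'esx02.example.test'; Lockdown = $true; DcuiAccess = 'root, svc-backup'; DcuiRunning = $false; VCenterOk = $false }
)
$sample | Get-LockdownRecoveryFinding | Format-List
```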

Lockdown Mode Services for Different Users

The following table shows the services that are available to different types of users when the host is running in lockdown mode and in normal mode. As a rule, changes can be made only through vCenter Server. The root user can make changes from the Direct Console User Interface, but not from the ESXi Shell or through an SSH session.

Table 1. Lockdown Mode Behavior

| Service | Normal Mode | Lockdown Mode |
|---|---|---|
| vSphere WebServices API | All users, based on ESXi permissions | vCenter only (vpxuser) |
| CIM Providers | Root users and users with Admin role on the host | vCenter only (ticket) |
| Direct Console UI (DCUI) | Root users and users with Admin role on the host | Root users |
| ESXi Shell | Root users and users with Admin role on the host | No users |
| SSH | Root users and users with Admin role on the host | No users |