By default each ESXi host has a single root user account with the Administrator role. That root user account can be used for local administration and to connect the host to vCenter Server.

This common root account can make it easier to break into an ESXi host and make it harder to match actions to a specific administrator.

Set a highly complex password for the root account and limit the use of the root account, for example, for use when adding a host to vCenter Server. Do not remove the root account. In vSphere 5.1 and later, only the root user and no other named user with the Administrator role is permitted to add a host to vCenter Server.

Best practice is to ensure that any account with the Administrator role on an ESXi host is assigned to a specific user with a named account. Use ESXi Active Directory capabilities, which allow you to manage Active Directory credentials if possible.


If you remove the access privileges for the root user, you must first create another permission at the root level that has a different user assigned to the Administrator role.