You can specify service accounts that can access the ESXi host directly by adding them to the Exception Users list. You can specify a single user who can access the ESXi host in case of catastrophic vCenter Server failure.
The vSphere version determines what different accounts can do by default when lockdown mode is enabled, and how you can change the default behavior.
- In vSphere 5.0 and earlier, only the root user can log in to the Direct Console User Interface on an ESXi host that is in lockdown mode.
-
In vSphere 5.1 and later, you can add a user to the DCUI.Access advanced system setting for each host. The option is meant for catastrophic failure of vCenter Server. Companies usually lock the password for the user with this access into a safe. A user in the DCUI.Access list does not need to have full administrative privileges on the host.
- In vSphere 6.0 and later, the DCUI.Access advanced system setting is still supported. In addition, vSphere 6.0 and later supports an Exception User list, which is for service accounts that have to log in to the host directly. Accounts with administrator privileges that are on the Exception Users list can log in to the ESXi Shell. In addition, those users can log in to a host's DCUI in normal lockdown mode and can exit lockdown mode.
You specify Exception Users from the vSphere Web Client.Note: Exception users are host local users or Active Directory users with privileges defined locally for the ESXi host. Users that are members of an Active Directory group lose their permissions when the host is in lockdown mode.