In vSphere 6.0 and later, you can add users to the Exception Users list from the vSphere Web Client. These users do not lose their permissions when the host enters lockdown mode. It makes sense to add service accounts such as a backup agent to the Exception Users list.
Exception users do not lose their privileges when the host enters lockdown mode. Usually these accounts represent third-party solutions and external applications that need to continue to function in lockdown mode.
Exception users are host local users or Active Directory users with privileges defined locally for the ESXi host. They are not members of an Active Directory group and are not vCenter Server users. These users are allowed to perform operations on the host based on their privileges. That means, for example, that a read-only user cannot disable lockdown mode on a host.
Note: The Exception Users list is meant for service accounts that perform very specific tasks, and not for administrators. Adding administrator users to the Exception Users list defeats the purpose of lockdown mode.
Procedure
- Browse to the host in the vSphere Web Client inventory.
- Click Configure.
- Under System, select Security Profile.
- In the Lockdown Mode panel, click Edit.
- Click Exception Users and click the plus icon to add exception users.
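
To check the result of this procedure across an inventory, the following added example (not VMware's own code) lists each host's exception users and flags any that hold administrator access, the case the note above warns against. It assumes VMware PowerCLI is installed and `Connect-VIServer` has already been run; the function name `Get-LockdownExceptionFinding` is hypothetical, and the script assumes user names are written the same way in the exception list and in the host's access entries.

```powershell
# Added example: audit lockdown-mode Exception Users on every ESXi host.
# Assumes an existing PowerCLI session (Connect-VIServer already run).

# Hypothetical helper: pairs each exception user with the access entry
# defined locally on the host and marks administrator-level accounts.
function Get-LockdownExceptionFinding {
    param(
        [string]   $HostName,
        [string]   $LockdownMode,
        [string[]] $ExceptionUsers,
        [object[]] $AccessEntries
    )
    foreach ($user in $ExceptionUsers) {
        # Assumption: principal names use the same format in both lists.
        $ace = $AccessEntries |
            Where-Object { $_.Principal -ieq $user } |
            Select-Object -First 1
        $mode = if ($ace) { "$($ace.AccessMode)" } else { 'none found' }
        [pscustomobject]@{
            Host          = $HostName
            LockdownMode  = $LockdownMode
            ExceptionUser = $user
            AccessMode    = $mode
            # An administrator on the list defeats the purpose of lockdown mode.
            NeedsReview   = ($mode -eq 'accessAdmin')
        }
    }
}

$findings = foreach ($vmhost in Get-VMHost) {
    # HostAccessManager is the vSphere API object (6.0 and later) that
    # holds the lockdown mode and the Exception Users list.
    $am = Get-View -Id $vmhost.ExtensionData.ConfigManager.HostAccessManager
    Get-LockdownExceptionFinding `
        -HostName       $vmhost.Name `
        -LockdownMode   $am.LockdownMode `
        -ExceptionUsers $am.QueryLockdownExceptions() `
        -AccessEntries  $am.RetrieveHostAccessControlEntries()
}

# Administrator-level exception users first, then the rest.
$findings | Sort-Object NeedsReview -Descending | Format-Table -AutoSize
```

An `AccessMode` of `none found` means the exception user has no matching local access entry on that host, which usually indicates a stale entry worth removing.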