With vSphere 6.0 and later, you can add users to the exception users list by using the VMware Host Client. These users do not lose their permissions when the host enters lockdown mode. You can add service accounts, such as a backup agent, to the exception users list.

Exception users are host local users or Active Directory users with privileges defined locally for the ESXi host. They are not members of an Active Directory group and are not vCenter Server users. These users are allowed to perform operations on the host based on their privileges. That means, for example, that a read-only user cannot disable lockdown mode on a host.
Note: The exception users list is useful for service accounts that perform specific tasks, such as host backups, and not for administrators. Adding administrator users to the exception users list defeats the purpose of lockdown mode.


  1. Click Manage in the VMware Host Client inventory and click Security & Users.
  2. Click Lockdown mode.
  3. Click Add user exception, enter the name of the user, and click Add exception.
  4. (Optional) Select a name from the exception users list, click Remove user exception, and click Confirm.
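
After changing the list, it is worth checking that every exception user still has a local permission entry and that none of them is an administrator. The following is an added example, not VMware code: it audits a constructed exception list against constructed permission entries. The field names and access-mode values follow the vSphere API's HostAccessManager objects; the function name, the sample accounts and the name-matching rule are assumptions.

```python
# Constructed sample data (not from a real host). On a live host the vSphere
# API's HostAccessManager returns the same fields: QueryLockdownExceptions()
# gives the names, RetrieveHostAccessControlEntries() gives the entries.
SAMPLE_EXCEPTIONS = ["svc-backup", "CORP\\svc-monitor", "root", "old-agent"]
SAMPLE_ENTRIES = [
    {"principal": "root", "group": False, "accessMode": "accessAdmin"},
    {"principal": "svc-backup", "group": False, "accessMode": "accessOther"},
    {"principal": "corp\\svc-monitor", "group": False, "accessMode": "accessReadOnly"},
    {"principal": "CORP\\ESX Admins", "group": True, "accessMode": "accessAdmin"},
]


def _key(name):
    # Assumption: domain accounts (DOMAIN\user) compare case-insensitively,
    # local ESXi accounts compare exactly.
    return name.lower() if "\\" in name else name


def audit_exception_users(exceptions, entries):
    """Return {user: reason} for exception users that need review."""
    # Only user-level entries count; group entries cannot back an exception user.
    users = {_key(e["principal"]): e for e in entries if not e["group"]}
    findings = {}
    for name in exceptions:
        entry = users.get(_key(name))
        if entry is None:
            findings[name] = "no user-level permission entry on this host"
        elif entry["accessMode"] == "accessAdmin":
            findings[name] = "administrator access defeats lockdown mode"
    return findings


if __name__ == "__main__":
    report = audit_exception_users(SAMPLE_EXCEPTIONS, SAMPLE_ENTRIES)
    for user, reason in report.items():
        print(f"REVIEW {user}: {reason}")
```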