Manage users to control who is authorized to log in to ESXi.

Users and roles control who has access to the ESXi host components and what actions each user can perform.

In vSphere 5.1 and later, ESXi user management has the following caveats:
  • The users created when you connect directly to an ESXi host are not the same as the vCenter Server users. When the host is managed by vCenter Server, vCenter Server ignores users created directly on the host.
  • You cannot create ESXi users by using the vSphere Client. You must log in to the host directly with the VMware Host Client to create ESXi users.
  • ESXi 5.1 and later does not support local groups. However, Active Directory groups are supported.

To prevent anonymous users, such as root, from accessing the host with the Direct Console User Interface (DCUI) or ESXi Shell, remove the user's administrator privileges on the root folder of the host. This applies to both local users and Active Directory users and groups.

Add an ESXi User in the VMware Host Client

Adding a user to the users table updates the internal user list that the host maintains.

Prerequisites

For information about password requirements, see Configure the Passwords and Account Lockout Policy in the VMware Host Client or the vSphere Security documentation.

Procedure

  1. Log in to ESXi with the VMware Host Client.
    You cannot create ESXi users with the vSphere Client. To create ESXi users, you must directly log in to the host with the VMware Host Client.
  2. Click Manage in the VMware Host Client inventory and click Security & Users.
  3. Click Users.
  4. Click Add user.
  5. Enter a user name and a password.
    Note: Do not create a user named ALL. Privileges associated with the name ALL might not be available to all users in some situations. For example, if a user named ALL has Administrator privileges, a user with the ReadOnly privileges might be able to log in to the host remotely. This is not the intended behavior.
    • Do not include any spaces in the user name.
    • Do not include any non-ASCII characters in the user name.
    • Create a password that meets the length and complexity requirements. The host checks for password compliance using the default authentication plug-in, pam_passwdqc.so. If the password is not compliant, an error message indicates password requirements.
  6. To activate local access to the ESXi Shell, select the Enable Shell Access check box.
  7. Click Add.
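
The user name rules in step 5 can be checked across a whole batch of planned accounts before anyone opens the Host Client. The following is an added example, not VMware code: the PlannedAccount record, the function names and the sample plan are assumptions made for illustration, and password compliance is left to the host's pam_passwdqc.so check.

```python
# Added example: pre-flight review of planned local ESXi accounts.
# The record layout below is an assumption made for this sketch.
from dataclasses import dataclass


@dataclass
class PlannedAccount:
    name: str
    shell_access: bool  # state of the "Enable Shell Access" check box


def review_account(acct: PlannedAccount) -> list[str]:
    """Return findings for one planned account; an empty list means none."""
    findings = []
    name = acct.name
    if not name:
        findings.append("empty user name")
    # Page note: do not create a user named ALL. Matching the name
    # case-insensitively is a conservative choice made in this example.
    if name.upper() == "ALL":
        findings.append("reserved name ALL")
    if any(ch.isspace() for ch in name):
        findings.append("user name contains whitespace")
    if not name.isascii():
        findings.append("user name contains non-ASCII characters")
    # Shell access is optional in the procedure, so surface it for review.
    if acct.shell_access:
        findings.append("shell access requested: confirm it is needed")
    return findings


def review_plan(plan: list[PlannedAccount]) -> dict[str, list[str]]:
    """Review every account and also flag duplicate names in the plan."""
    report: dict[str, list[str]] = {}
    seen: set[str] = set()
    for acct in plan:
        findings = review_account(acct)
        if acct.name in seen:
            findings.append("duplicate user name in plan")
        seen.add(acct.name)
        if findings:
            report.setdefault(acct.name, []).extend(findings)
    return report


# Constructed sample plan (not real accounts).
SAMPLE_PLAN = [PlannedAccount("svc-backup", False), PlannedAccount("ALL", False),
               PlannedAccount("ops admin", True), PlannedAccount("j\u00fcrgen", False)]

if __name__ == "__main__":
    for user, issues in review_plan(SAMPLE_PLAN).items():
        print(f"{user!r}: " + "; ".join(issues))
```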

Update an ESXi User in the VMware Host Client

You can change the description and password for an ESXi user in the VMware Host Client.

Procedure

  1. Click Manage in the VMware Host Client inventory and click Security & Users.
  2. Click Users.
  3. Select a user from the list and click Edit user.
  4. Update the user details and click Save.

Remove a Local ESXi User from a Host in the VMware Host Client

You can remove a local ESXi user from the host.

Caution: Do not remove the root user.
If you remove a user from the host, they lose permissions to all objects on the host and cannot log in again.
Note: Users who are logged in and are removed from the domain keep their host permissions until you restart the host.

Procedure

  1. Click Manage in the VMware Host Client inventory and click Security & Users.
  2. Click Users.
  3. Select the user that you want to remove from the list, click Remove user, and click Yes.
    Do not remove the root user for any reason.