

vSphere 5.1 – Full Admin Support for Named User Accounts

Nestled among the many new features and capabilities introduced with vSphere 5.1 are some nice security improvements to the ESXi Shell.  One of the more notable improvements is the ability to assign full admin privileges to named user accounts.  This means there is no longer a dependency on a shared “root” account when working from the ESXi Shell.

Versions of ESXi prior to 5.1 only allow for a single administrative account on the host, and this was of course the “root” user. While it is possible to create named user accounts and to use these accounts to log on to the ESXi Shell and perform many operations, these users are not granted full administrative rights on the host. As such, these named users often need to “su” to root in order to perform privileged operations such as viewing logs, creating a log bundle for support, or running commands like esxtop or vmkfstools. This presents some challenges in terms of both security and auditing. Not only is there an inherent dependency on a shared root account, but key administrative actions performed on the host are logged as “root”, making it difficult to audit individual user activity on the host.

With vSphere 5.1 there is no longer a dependency on a shared root account. ESXi 5.1 now allows assigning full administration rights to named users. With this, users can log on to the ESXi Shell using individual accounts without the need to “su” to root, and because there is no longer a dependency on a shared root account, all actions performed on the host are logged under the named user rather than the shared “root” account. This helps better secure the host while at the same time improving logging and auditing.

The ability to assign full admin rights to named users helps improve host security and allows you to limit access to the root account. A couple of things to remember when it comes to creating named users on an ESXi host:

  1. You cannot create local ESXi users from the Web Client. To create local users using the UI you need to use the vSphere Client to connect directly to the ESXi host.
  2. You can also use Host Profiles to create local users and assign privileges. This can be very beneficial if you have many hosts and want to ensure a common set of local user accounts is created on each.

As an alternative to creating local user accounts on each ESXi host, I would encourage you to consider adding your hosts to Active Directory (AD) instead. This not only enables users to use their existing AD credentials to manage ESXi hosts, but it also simplifies the configuration by eliminating the need to create and maintain local user accounts on each host. I’ll be posting some more info on this so be sure to check back.
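The auditing benefit described above (named users instead of a shared root account, and no more “su”) is easiest to see when you actually look at the shell log. The following is an added example, not code from the post or from VMware: a small audit script that parses shell log lines and reports how much activity is logged under “root” (and therefore cannot be tied to an individual) versus under named accounts, and where a named user handed accountability to root by running “su”. The line layout “<timestamp> shell[<pid>]: [<user>]: <command>” is an assumption that approximates an ESXi shell log; the sample lines are constructed, and the function names are the example’s own.

```python
"""Audit an ESXi-style shell log for shared-root usage versus named-user activity (added example)."""
import re
from collections import Counter

# Constructed sample log (not captured from a real host). The line layout
# "<timestamp> shell[<pid>]: [<user>]: <command>" is an assumption that
# approximates what ESXi writes to its shell log; adjust LINE_RE if your hosts differ.
SAMPLE_SHELL_LOG = """\
2012-09-14T08:01:10Z shell[2001]: [root]: esxtop
2012-09-14T08:02:30Z shell[2002]: [jdoe]: su -
2012-09-14T08:02:45Z shell[2003]: [root]: vmkfstools -i /vmfs/volumes/ds1/a.vmdk /vmfs/volumes/ds1/b.vmdk
2012-09-14T08:03:00Z shell[2004]: [root]: vm-support
this line is not a shell log entry and is skipped by the parser
2012-09-14T09:10:00Z shell[2101]: [asmith]: esxtop
2012-09-14T09:11:00Z shell[2102]: [asmith]: tail /var/log/vmkernel.log
2012-09-14T09:12:00Z shell[2103]: [jdoe]: vmkfstools -D /vmfs/volumes/ds1/a.vmdk
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$"
)


def parse_shell_log(text):
    """Return (timestamp, user, command) tuples; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group("ts"), m.group("user"), m.group("cmd").strip()))
    return entries


def commands_per_user(entries):
    """Count commands by the account they were logged under."""
    return Counter(user for _, user, _ in entries)


def su_to_root_events(entries):
    """(timestamp, user) for each 'su' run by a named user: from then on the log only shows 'root'."""
    events = []
    for ts, user, cmd in entries:
        words = cmd.split()
        if words and words[0] == "su" and user != "root":
            events.append((ts, user))
    return events


def unattributed_root_commands(entries):
    """Commands logged as root: with a shared root account these cannot be tied to a person."""
    return [(ts, cmd) for ts, user, cmd in entries if user == "root"]


def audit(text):
    """Summarise a shell log: how much of the activity is attributable to named users."""
    entries = parse_shell_log(text)
    root_cmds = unattributed_root_commands(entries)
    return {
        "entries": len(entries),
        "per_user": dict(commands_per_user(entries)),
        "su_events": su_to_root_events(entries),
        "root_commands": len(root_cmds),
        # Share of commands that cannot be attributed to an individual; the goal is 0.0.
        "root_share": round(len(root_cmds) / len(entries), 2) if entries else 0.0,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_SHELL_LOG)
    print("commands per account:", report["per_user"])
    print("named users escalating with su:", report["su_events"])
    print("share of commands logged as root:", report["root_share"])
```

On a host where administrators still depend on “su”, the “root_share” figure stays high and the “su_events” list shows which named sessions disappeared into the shared account; after moving admins to named accounts with full privileges, the same report should show the work attributed to individual users and no “su” entries.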

20 thoughts on “vSphere 5.1 – Full Admin Support for Named User Accounts”

  1. Loren

    Great, thanks! Do you know if AD users can be granted full admin permissions to the console/ssh session, as well? Or is that only for local accounts?

    Reply
    1. Kyle Gleed (Post author)

      Yes, you need to create a group in Active Directory and set the host level attribute “plugins.hostsvc.EsxAdminGroups” to the name of this group. Once this is done, any users added to this group in AD will get full admin rights on the host. By default it will use the group name “ESX Admins”. I’ll be posting more info on this next week.

      Reply
    2. Arunnk

      Yes, it allows it only if the ESXAdminGroups attribute is assigned to the group or individual user you are trying to grant permission to. It is suggested to provide permission to a group rather than a single user, to avoid manual jobs later. I have posted about it under “http://verrors.blogspot.in/#!/2012/09/esxi-51-forget-su-to-root-full-admin.html”

      Reply
  2. Wasim Shaikh

    This is one of the features that I thought should have been implemented since v4. Whenever I log in via PuTTY to make changes I had to su to get access to root.
    Thanks for the article.

    Reply
  3. Pingback: Welcome to vSphere-land! » vSphere 5.1 Link-O-Rama

  4. Pingback: Joining vSphere Hosts to Active Directory | VMware vSphere Blog - VMware Blogs

  5. Pingback: ESXi 5.1 Host Security Improvements

  6. Sergey

    Hi Kyle,

    Thanks for this info. Could you please help with the following situation? In versions prior to 5.1 the only possible way to give a read-only user the right to get CIM info was adding this user to the ‘root’ group. This is described in this article:

    http://www.virtuallyghetto.com/2011/05/cim-monitoring-caveat-with-esxi.html

    With the new logic, is there a way to give a user the same ability but keep him read-only and not grant access to any actions on the host?

    Thanks in advance!

    Reply
  7. Chandrakandh Mouleeswaran

    Can these users be used for mounting NFS?

    From the guide “http://pubs.vmware.com/vsphere-51/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-51-storage-guide.pdf”: “ESXi does not support the delegate user functionality that enables access to NFS volumes using nonroot credentials”

    Reply
  8. Madge

    Howdy! I simply want to give you a big thumbs up for the great information you have got here on this post.
    I will be returning to your site for more soon.

    Reply
  9. Pingback: Grant shell access to this user? No worries mate! | VMware vSphere Blog - VMware Blogs

  10. Anandharaj

    Can I use PuTTY to connect to ESXi 5.1 and use useradd -P? If not, then please guide me on how to create a deprecated user account. Thanks

    Reply
  11. quickbooks cheques

    I have been browsing online greater than 3 hours as of late, but I by no means discovered any attention-grabbing article
    like yours. It’s beautiful value sufficient for me. In my view,
    if all web owners and bloggers made excellent content
    as you probably did, the internet will likely be much more useful than ever before.

    Reply
  12. Albert

    OK. I’ve been fiddling with this for a month and there seems to be a major discrepancy. While named user log-ins work for DCUI, I have been completely unable to get the exact same user on the exact same server(s) to be able to log in with SSH. Can we clarify if this really works for SSH? Eric Hammersley seemed to indicate that it wouldn’t work in his blog (agreeing with my test results), however, DISA and vmware support (Craig) seem to believe that this somehow works. In the post above, there is some discussion about getting the right permissions applied to users. I am using a non-vCenter configuration (vSphere Client) and am not connected to AD (OOB network) so some of the comments above don’t seem to apply. I’ve given the user(s) every available permission and it still doesn’t work. Suggestions?

    Reply
  13. youtube

    Nobody would wish to often be strolling without ability to hear any music simply because that would definitely be boring.
    Many thanks as we hoped for a longeterm business relationships.
    The application has over blown visualizations many times.
    Another innovative feature that people have thought about is instituting an RFID on the phone which would allow
    it to act like a car key or even a credit card.

    My web-site – youtube

    Reply
  14. dialog:close

    Thanks , I’ve recently been searching for information approximately this subject for a long
    time and yours is the greatest I’ve came upon so far.
    But, what in regards to the conclusion? Are
    you positive concerning the source?

    Reply
