If your organisation is using VMware and you need to add various user accounts to vSphere, follow these steps to ensure you follow best practice.
One of the recommendations for managing vSphere is to add your ESXi hosts to Active Directory and authentication to the client by using an AD account.
VMware gives us some best practices for managing user accounts.
On an ESXi host, the root user account is the most powerful user account on the system. The user root can access all files and all commands. Securing this account is the most important step that you can take to secure an ESXi host.
Whenever possible, use the vSphere Client to log in to the vCenter Server system and manage your ESXi hosts. In some unusual circumstances, for example when the vCenter Server system is down, you use VMware Host Client to connect directly to the ESXi host.
Although you can log in to your ESXi host through the vSphere CLI or through vSphere ESXi Shell, these access methods should be reserved for troubleshooting or configuration that cannot be accomplished by using VMware Host Client.
If a host must be managed directly, avoid creating local users on the host. If possible, join the host to a Windows domain and log in with domain credentials instead.
To add an ESXi host to Active Directory, authenticate to your ESXi host via the host client and highlight Manage, select the Security& Users tab, then select Authentication, and then select Join Domain and fill in relevant information for your domain.
When we add the ESXi hosts to Active Directory, by default anyone who is a member of the AD group ESX Admins automatically have root privileges on ESXi hosts.
If we split AD and VMware into different IT departments, this could mean that our AD administrators could also manage our ESXi hosts by creating a group called ESX Admins and adding themselves to that group.
However, we can modify this functionality. We achieve this through the advanced configuration on an ESXi host:
Login to the vSphere Host Client and once authenticated, go to your ESXi host and highlight Manage, select Advanced settings and then search for admins.
You’ll be presented with three options and they are:
- Config.HostAgent.plugins.hostsvc.esxAdminsGroup
This option specifies the Active Directory group name that is automatically granted Administrator privileges on the ESXi host.
- Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd
This option controls whether the group specified by esxAdminsGroup is automatically granted administrator permission; values are True or False.
- Config.HostAgent.plugins.hostsvc.esxAdminsGroupUpdateInterval
This option specifies the interval between checks for whether the group specified by esxAdminsGroup has appeared in Active Directory; value is in minutes.
Now you've set up your organisation's users in a simple, secure way. For more technical tips and VMware blogs, or to see our large array of official VMware courses, click below.
Bryan O'Connor
Bryan has been working at QA as one of the principal virtualisation trainers for 13 years and counting, specialising in VMware, but also working with Microsoft Hyper-V, and multiple Cloud technologies.More articles by Bryan
Going Swiss: How VMware training can streamline your multi-cloud systems
Why organisations that want to maximise the ROI of their multi-cloud approach should be considering VMware training.
16 May 2023The benefits and challenges of a multi-cloud approach in 2023
Why multi-cloud in 2023? Bryan O'Connor returns to the subject to outline some of the opportunities, challenges and solutions available in a growing multi-cloud envi…
11 May 2023The 3 steps to becoming a VCP-DCV 2023
With the advent of VMware vSphere 8, VMware has released a new exam to demonstrate your skills with the product.
07 June 2023What is the benefit of getting VMware certification?
Why multi-cloud, what are the challenges and how can VMware help?
What is the difference between hybrid-cloud and multi-cloud? Why use multi-cloud for my organisation and what are the challenges? How can we benefit from VMware solu…
13 November 2020How to limit the number of VMware VM snapshots
In this technical blog, vExpert Bryan O'Connor explains why, and how, to limit the number of VMware snapshots for a virtual machine.
21 June 2021Free VMware resources
QA Senior Technical Instructor, Bryan O'Connor, outlines several free ebooks by VMware.
25 May 2021What is virtualisation?
Bryan O'Connor explains what a virtual machine is and what the benefits of virtualisation are for any organisation.
14 May 2021Basic virtualisation terminology
What is a hypervisor? What is vSphere vMotion? What is HA? Bryan O'Connor, our vExpert, decodes commonly used virtualisation terms.
18 June 2021VCTA: The new introduction certification from VMware
Bryan O'Connor introduces the new entry-level VMware certification, Certified Technical Associate (VCTA).
27 November 2020