
Change ESXi default account access
ESXi manages permissions through a local RBAC model with some predefined local system roles, such as the following:
- Administrator role: With all privileges, like the administrator role in vCenter.
- Read-only role: Allows for viewing objects associated with the ESXi host, but not making any changes, like the read-only role in vCenter.
- No access role: No privileges at all, like the no access role in vCenter. This is the default role for new users.
As with vCenter permissions, it's possible to define new custom roles.
ESXi roles and local users can be managed through the Host UI; both are located in the Security & users tab, in the Host | Manage menu:

You can find local user management in the Users menu, and local role management in the Roles menu.
Local permissions can be managed via the Host | Action button, in the Permissions menu:

On each ESXi host, there are some default local users:
- Root user: This is a built-in user with the administrator role. You can remove or change the role of the root user, but be sure to first add another user with the administrator role. Note that this is the only built-in user that is reported in the ESXi user management interface, but other built-in users exist as well.
- vpxuser user: This user is used by vCenter to manage ESXi hosts, after they have been connected. Note that this user also has an administrative role. This user must be managed by the vCenter Server; don't change it in any way (such as changing its password or permissions).
- dcui user: The primary purpose of this user is to configure hosts for lockdown mode, from the Direct Console User Interface (DCUI).
For more information, see the vSphere 6.5 Security Guide (https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-2215AADC-D4CD-49DD-AF92-65BED243D851.html).
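A read-only PowerCLI audit of the roles and default users described above (an added example, not from the original text). It assumes VMware PowerCLI is installed, that the session connects directly to the host rather than to vCenter, that `esxi01.example.test` is a placeholder host name, and that the host reports local principals as bare names such as root.

```powershell
# Added example: read-only audit of local ESXi roles and default users.
# Assumptions: VMware PowerCLI is installed, 'esxi01.example.test' is a
# placeholder, and the session is opened directly against the host (not vCenter).
$esx = Connect-VIServer -Server 'esxi01.example.test' -Credential (Get-Credential)

# Default local users named in the text above (assumed to appear as bare names).
$builtIn = 'root', 'vpxuser', 'dcui'

try {
    # Local permissions; PowerCLI names the Administrator role 'Admin'.
    $perms  = @(Get-VIPermission -Server $esx)
    $admins = @($perms | Where-Object { $_.Role -eq 'Admin' })

    $perms | Sort-Object Principal |
        Format-Table Principal, Role, IsGroup, Propagate -AutoSize

    # Administrators other than the default users. At least one must exist
    # before the root user's role is changed or the root user is removed.
    $otherAdmins = @($admins | Where-Object { $_.Principal -notin $builtIn })
    if ($otherAdmins.Count -eq 0) {
        Write-Warning 'No additional administrator: do not change or remove root yet.'
    } else {
        'Additional administrators: ' + ($otherAdmins.Principal -join ', ')
    }

    # vpxuser is managed by vCenter Server and should still hold Admin.
    $vpx = @($perms | Where-Object { $_.Principal -eq 'vpxuser' })
    if ($vpx.Count -gt 0 -and ($vpx | Where-Object { $_.Role -ne 'Admin' })) {
        Write-Warning 'vpxuser permission differs from Admin; it must be managed only by vCenter.'
    }

    # Local users with no explicit permission fall back to the No access role.
    $noRole = @(Get-VMHostAccount -Server $esx -User |
        Where-Object { $_.Id -notin $perms.Principal })
    if ($noRole.Count -gt 0) {
        'Users with no explicit permission (No access): ' + ($noRole.Id -join ', ')
    }
}
finally {
    Disconnect-VIServer -Server $esx -Confirm:$false
}
```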
The next section will describe how to add an ESXi host to an AD domain, in order to use external users and groups.