Default local user for ESXi

Nfsnobody Users

The user can proxy the authentication account of NFS storage when needed, on the old version of Esx and ESXi, the account is named Vimuser

The current ESXi platform is much smaller than previous versions of ESX and ESXI programs, root group includes root user, daemon organization includes daemon users, users and nfsnobody user groups are null by default

In addition to the Nfsnobody account, the other default accounts are ESXi necessary accounts, the new users do not need to add.

Daemon Users

The daemon account is the ESXi service Guardian account, which is non-interactive.

Root user

The Root user is the user with the highest privileges on the system and can only perform operations on the specific host on which it is logged on.

For security reasons, you may not want to use the root user in the Administrator role. In this case, you can change the permissions after installation so that the root user no longer has administrative privileges. Alternatively, you can remove the root user's access rights. (Do not remove the root user itself.) ）

Important matters

If you want to remove the root user's access rights, you must first create another permission at the root level to assign the Administrator role to another user.

In Vsphere 5.1, only the root user is allowed to add a host to Vcenter Server, and no other user with administrator privileges has this permission. Assigning an administrator role to another user helps to maintain security through traceability. vsphere Client logs all actions initiated by the Administrator role user as events and provides you with an audit record. If all administrators log on to the host as root, you cannot tell which administrator performed the operation. If you create more than one permission at the root level, and each permission is associated with a different user, you can track the actions of each administrator.

Vpxuser Users

When Vcenter Server manages host activity, it uses Vpxuser permissions.

When the ESXi host connects to Vcenter, ESXi the main opportunity to create a very important vpxuser user. Vcenter Server has administrator privileges on the host it manages. For example, vcenter Server can move virtual machines to and from the host and perform the configuration changes necessary to support virtual machines.

The Vcenter Server administrator can perform most tasks on the host that can be performed by the Root user, and schedule tasks and process templates. However, vcenter Server administrators cannot create, delete, or edit users and groups directly for the host. These tasks can only be performed on each host directly by a user with administrator privileges.

To improve the security of the ESXi host, you can put it in lock mode.

When locking mode is enabled, no user other than Vpxuser has authentication permissions and cannot perform operations directly on the host. Locking mode forces all operations to be performed through the vcenter Server. When the host is in lockdown mode, you cannot run vsphere CLI commands against the host from the Management Server, script, or VMA. External software or administrative tools may not be able to retrieve or modify information from the ESXi host.