ESXi Default Local User Introduction

Source: Internet
Author: User

nfsnobody User

This account is used as a proxy account when NFS storage requires authentication. On older versions of ESX and ESXi the account was named vimuser.

The default user list on current ESXi is much smaller than on earlier ESX and ESXi releases. The root group contains the root user, the daemon group contains the daemon user, and the users and nfsnobody groups are empty by default.

Apart from nfsnobody, the default accounts are required by ESXi, and administrators do not need to add them.

daemon User

The daemon account is the non-interactive account under which ESXi service daemons run.

root User

The root user has the highest privileges on the system and can only perform operations on the specific host it is logged on to.

For security reasons, you may not want to use the root user in the Administrator role. In that case, you can change the permissions after installation so that the root user no longer has administrative privileges. Alternatively, you can remove the root user's access rights (but do not remove the root user itself).

Important issues

If you want to remove access from the root user, you must first create another permission at the root level that assigns the Administrator role to a different user.

In vSphere 5.1, only the root user is allowed to add hosts to vCenter Server; other users with administrator privileges do not have this permission. Assigning the Administrator role to another user helps maintain security through traceability. vSphere Client logs all actions initiated by users with the Administrator role as events, giving you an audit trail. If all administrators log on to the host as root, you cannot tell which administrator performed an operation. If multiple permissions are created at the root level, each associated with a different user, the actions of each administrator can be tracked.

vpxuser User

When vCenter Server manages activity on a host, it uses the permissions of vpxuser.

When an ESXi host connects to vCenter Server, a very important user, vpxuser, is created on the host. Through it, vCenter Server has administrator privileges on the hosts it manages. For example, vCenter Server can move virtual machines to and from the host and make the configuration changes needed to support them.

vCenter Server administrators can perform most tasks on the host that the root user can perform, such as scheduling tasks and working with templates. However, vCenter Server administrators cannot create, delete, or edit users and groups directly on the host. These tasks can only be performed by users with administrator privileges directly on each host.

To improve the security of your ESXi host, you can put it in lockdown mode.

When lockdown mode is enabled, no user other than vpxuser can authenticate to the host or perform actions directly on it. Lockdown mode forces all operations to go through vCenter Server. While the host is in lockdown mode, you cannot run vSphere CLI commands against it from a management server, a script, or the vSphere Management Assistant (vMA), and external software or administrative tools may be unable to retrieve or modify information from the ESXi host.

Password Policy

When a host is added to the vCenter Server inventory, vCenter Server creates a special user account called vpxuser on that host. vpxuser is a privileged account that acts as a proxy for all operations initiated through vCenter Server. Make sure that the default settings for the vpxuser password meet your organization's password policy.

By default, vCenter Server uses the OpenSSL library as the random source to generate a new vpxuser password every 30 days. The password is 32 characters long and must contain at least one character from each of the following four character classes: symbols (-./:=@[]^_{}~), digits (1-9), uppercase letters, and lowercase letters. Expire the password regularly to limit how long a compromised vpxuser password could be used by an attacker.

To prevent vCenter Server from being locked out of the ESXi host, the host's password aging policy must be set to an interval that is compatible with the interval at which the vpxuser password is changed automatically; otherwise the host may expire the password before vCenter Server rotates it.
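The following Python script is an added example, not VMware code, that turns the two rules above into checks an administrator can run: it validates a password against the stated policy (32 characters, four character classes, with the digit class taken as 1-9 exactly as the text gives it), generates a compliant password from the same alphabet using the standard-library CSPRNG, and checks that a host's password aging interval is not shorter than the 30-day vpxuser rotation interval. Treating an aging value of 0 as "never expires" is an assumption made here for illustration, not something the page states.

```python
"""Policy checks for vpxuser-style passwords and host password aging.

Added example (not VMware code). The character classes and lengths follow the
description in the text above; the meaning of an aging value of 0 is assumed.
"""
import secrets
import string

SYMBOLS = "-./:=@[]^_{}~"          # symbol class exactly as listed in the text
DIGITS = "123456789"               # digit class as stated on the page (1-9)
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
ALPHABET = SYMBOLS + DIGITS + UPPER + LOWER

PASSWORD_LENGTH = 32               # vpxuser password length from the text
ROTATION_DAYS = 30                 # default automatic rotation interval


def classes_present(password):
    """Report which of the four required character classes the password contains."""
    return {
        "symbol": any(c in SYMBOLS for c in password),
        "digit": any(c in DIGITS for c in password),
        "upper": any(c in UPPER for c in password),
        "lower": any(c in LOWER for c in password),
    }


def check_password(password, length=PASSWORD_LENGTH):
    """Return (ok, reasons): ok is True only when every policy rule is met."""
    reasons = []
    if len(password) != length:
        reasons.append(f"length is {len(password)}, expected {length}")
    disallowed = sorted(set(password) - set(ALPHABET))
    if disallowed:
        reasons.append("characters outside the allowed classes: " + "".join(disallowed))
    missing = [name for name, ok in classes_present(password).items() if not ok]
    if missing:
        reasons.append("missing character classes: " + ", ".join(missing))
    return (not reasons, reasons)


def generate_password(length=PASSWORD_LENGTH):
    """Generate a compliant password with the secrets module (CSPRNG).

    Rejection sampling keeps the distribution uniform over the alphabet while
    guaranteeing that all four classes appear at least once.
    """
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if check_password(candidate, length)[0]:
            return candidate


def aging_compatible(host_max_days, rotation_days=ROTATION_DAYS):
    """True when the host will not expire vpxuser's password before vCenter rotates it.

    Assumption (not from the page): 0 means the host never expires passwords.
    """
    if host_max_days == 0:
        return True
    return host_max_days >= rotation_days


if __name__ == "__main__":
    # Constructed sample inputs: one compliant, one with a disallowed digit.
    for sample in ("Ab1-" * 8, "Ab0-" * 8):
        print(sample, check_password(sample))
    pw = generate_password()
    print("generated:", pw, check_password(pw))
    for days in (0, 15, 30, 90):
        print(f"host aging {days} days compatible:", aging_compatible(days))
```

Run it as-is to see the checks against the constructed samples; in practice the password check is useful for verifying that any locally enforced host password rules (length, allowed characters) will accept what vCenter Server generates, and the aging check for verifying the host policy before adding the host to the inventory.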

Steps

1 To change the password length policy, edit the vpxd.hostPasswordLength parameter in the vCenter Server configuration file (vpxd.cfg) on the system running vCenter Server.

Default location by operating system:

Windows: C:\Documents and Settings\All Users\Application Data\VMware\VirtualCenter\vpxd.cfg

Linux: /etc/vmware-vpx/vpxd.cfg

2 To change the password aging requirements, use the Advanced Settings dialog box in the vSphere Web Client.

a In the vSphere Web Client inventory, browse to the vCenter Server system.

b Click the Administration tab and then Settings.

c Select Advanced Settings and locate the VirtualCenter.VimPasswordExpirationInDays parameter.

3 Restart vCenter Server.

Attention

You cannot use Active Directory to manage vpxuser.

Do not change vpxuser in any way: do not change its password and do not change its permissions. If changes are made, problems may occur when vCenter Server operates on the host.

dcui User

The dcui user is the Direct Console User Interface (DCUI) user.

The dcui user runs with administrator privileges on the host. Its primary purpose is to configure hosts for lockdown mode from the Direct Console User Interface (DCUI).

This user acts as a proxy for the direct console and cannot be modified or used by an interactive user.

