Using the ESX Admins AD group on ESXi: domain membership and user authentication
search cancel

Using the ESX Admins AD group on ESXi: domain membership and user authentication

book

Article ID: 316499

calendar_today

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

This article provides information on using the ESX Admins AD group and describes alternate methods of granting AD users/groups access to the ESXi hosts.

Symptoms:

  • After successfully joining an ESXi host to an Active Directory (AD) domain, the following log message spews in the /var/log/messages or /var/log/syslog.log file on the ESXi host:

    nssquery: Group lookup failed for 'AD Domain Name\ESX Admins 

  • In /var/log/hostd.log file:
[25CC6B90 warning 'UserDirectory'] Group lookup failed for 'AD_Domain_Name\ESX Admins'
  • The ESX Admins group does not exist in the AD domain.
  • If the ESX Admins group exists in the AD domain, joining an ESXi host to an Active Directory domain grants it the AD Domain Name\esx admins Administrator role.
  • Removing the Administrator role from the group is initially successful, but restarting the ESXi host grants the Administrative role again to the group.



Environment

VMware vSphere ESXi

Cause

If the AD group that is configured for Administrator for ESXi hosts is not named ESX Admins, and an ESX Admins group doesn't exist in the AD, this error message will appear.

Resolution

By default, an ESXi host joined to an AD domain queries the domain for the ESX Admins group, and this behavior is not configurable. If the group exists in AD, it is granted the Administrator role on the host, and any user accounts in that group receive full administrative privileges on the host and can log in to the host through SSH.

If this behavior is desirable, create the ESX Admins group in the AD domain and populate it with user accounts or groups to which administrative access to the hosts should be granted. Also, additional AD user accounts, and groups can be granted with appropriate access to hosts.

If granting the Administrator role to user accounts or groups in the ESX Admins group is not desirable, try one of these options.

  • Remove or do not create an ESX Admins group in AD. Grant other AD accounts/groups with appropriate roles. However, the log messages may continue to spew in the /var/log/messages or /var/log/syslog.log file on the ESXi hosts.
     
  • Change the role assigned to the ESX Admins group from Administrator to No Access. Grant other AD accounts/groups the appropriate roles. In this case, any user accounts in the ESX Admins group cannot access the ESXi host. Also, ensure that any users that need access (administrative or otherwise) to the host are removed from the ESX Admins group.
     
  • Assign the Administrator role to the ESX Admins group, but ensure there are no user accounts or groups in this group. Grant other AD accounts/groups the appropriate roles. This requires the least administrative effort, but ensure that user accounts or groups are not added to the ESX Admins group later.


Workaround
Change the default esxAdminsGroup from ESX Admins to the domain group that are the administrators:

  1. Navigate to the ESXi host in the vCenter vSphere Client (HTML5)
  2. Click the Configuration tab and click Advanced Settings
  3. Navigate to Config > HostAgent
  4. Change the Config.HostAgent.plugins.hostsvc.esxAdminsGroup setting to match the Administrator group that will be in use in the Active Directory. These settings take effect within a minute, and no reboot is required.



Additional Information

Impact/Risks
No functional impacts to ESXi operations.