This article provides steps to reset the root password if you have lost or forgotten the existing root password without reboot / 6.7u1 / 7.x / 8.x

• For versions prior to VCSA 6.7 Update 1, see Resetting root password in vCenter Server Appliance 6.5 to 6.7 U1.

• Logging in to the root account of vCenter Server Appliance (VCSA) fails.
• The root account of the vCenter Server Appliance 6.7 U1 and later is locked or account is expired.
• Forgot the root password.
• The root account password has been lost or forgotten
• You are unable to login to vCenter

Note: The above symptoms can also occur on an external Platform Services Controller (PSC) running on vSphere 6.5 and 6.7.

• VMware vCenter Server 7.x
• VMware vCenter Server 8.x
• VMware vCenter Server Appliance 6.x

• With the change within VCSA 6.7 U1, the SSO user who is part of SystemConfiguration.BashShellAdministrator group will be able to log in to Bash shell and can call any commands using sudo and without password. This aims at reducing the gap between the root and SSO administrator user. The user has to enable shell to log in to the bash shell. By default, the user will be logged into appliance shell.
• For passwords that have expired, the default vCenter Server Appliance password expires after 90 days. For more information, see Change the Password and Password Expiration Settings of the Root User.

The resolution has two sections for the problem that we usually encounter:

1. Steps to reset the Root Password in VCSA.
2. Steps to follow if you have forgotten the Root Password.

1. Steps to reset the Root Password in VCSA:

   1. Connect SSH to VCSA and login using administrator@vsphere.local where vsphere.local is your default SSO Domain. ​​​​​
      
      • If disabled, enable SSH using the VAMI ( https://<vcenter_fqdn>:5480 ).
      • Can login as administrator@vphere.local or any other member of the SSO administrators group.
      • Enable or Disable SSH and Bash Shell Access.
   2. If first time logging in, enable shell then enter shell.
      

      shell.set --enable true
      shell

      

   3. Once in shell as sso-user, run the below command to change to root shell.
      

      sudo -i

   4. Unlock the 'root' account using below command if it is already locked due to multiple logins with incorrect password.
      

      pam_tally2 --user=root --reset

      
      
      For 8.0 U2 onwards:
      

      /usr/sbin/faillock --user root --reset

       Note: pam_tally2 is deprecated in Photon 4, use faillock instead

   5. Then once in root shell, run passwd to change the root password.
      

      passwd

   6. Confirm that you can access the vCenter Server Appliance using the new root password.

2. Steps to follow if you have forgotten the Root Password:

   1. Follow Steps 1 and 2 from Section a.
   2. Then continue by running the following steps: 
      1. Run the following command to change the root password.
         

         sudo passwd root

         

      2. Confirm that you can access the vCenter Server Appliance using the new root password.

You could set the Root password to never expire in order to prevent this issue by running command:

chage -I -1 -m 0 -M 99999 -E -1 root  or at the VAMI  ( https://<vcenter_fqdn>:5480)

Note: If you continue to have issues, see Unable to log in to the vCenter Server Appliance shell using root account even after password reset

For 7.0U1 and 6.7U3j there are a few changes:

1. The Root user will be prompted for resetting the password when they try to SSH to the machine if expired or expiring.
2. You can also login to VAMI using the SSO administrator and reset the root password from there.
3. Email notification is sent earlier to prevent from having the Root password expired.
4. An alarm will be triggered in vsphere-ui to notify the user about the password expiry.

Changes in 8.0 U2 and above versions:
You will get below error while executing pam_tally2 in 8.0 U2 or above versions, as this utility was deprecated in Photon 4 and 8.0 U2 is using Photon 4 version. The alternate utility on Photon 4 is "/usr/sbin/faillock" to unlock the accounts.

"-bash: pam_tally2: command not found"

For more information, see:

• VMware Skyline Health Diagnostics for vSphere - FAQ
• Unable to log in to the vCenter Server Appliance shell using root account even after password reset
• Error "Appliance (OS) root password is expired " while upgrading vCenter Server Appliance 6.5 or 6.7
• Change the Password and Password Expiration Settings of the Root User

You can update the password of the root user in the vCenter Server via appliance shell  if account is not locked

• localaccounts.user.password.update --username root --password
  
  
• Enter and confirm the new password when prompted.

More information: Managing Local User Accounts in vCenter Server.