Symptoms:

• The root account password of VMware vCenter Server Appliance fails
• The root account of the vCenter Server Appliance 6.5 and above is locked or account is expired
• The root account password has been lost or forgotten
• You are unable to login to vCenter

• VMware vCenter Server 7.0.x
• VMware vCenter Server Appliance 6.7.x
• VMware vCenter Server Appliance 6.5.x
• VMware vCenter Server 8.0.x

For passwords that have expired, the default vCenter Server Appliance password expires after 90 days.

For more information, see Change the Password and Password Expiration Settings of the Root User

Process to Reset the Root Password in VCSA:

Note: 6.7U1 and later have a simpler method to reset the password, see KB 75174

To reset the root password for the vCenter Server Appliance:

1. Take a snapshot or backup of the vCenter Server Appliance before proceeding.

2. Reboot the vCenter Server Appliance.
3. After the VCSA Photon OS starts, press the e key to enter the GNU GRUB Edit Menu.
4. Locate the line that begins with the word Linux.
5. Append these entries to the end of the line -
   rw init=/bin/bash
   
   The line should look like the following screenshot:
   
   
    
6. Press F10 to continue booting.
7. Run the command -

8. Unlock the 'root' account using below command if it is already locked due to multiple logins with incorrect password.

9. In the Command prompt, enter the command passwd and provide a new root password (twice for confirmation):

10. Unmount the filesystem by running this command (yes, the unmount command is umount  -  it's not a spelling error):

11. Reboot the vCenter Server Appliance by running this command:

12. Confirm that you can access the vCenter Server Appliance using the new root password.
13. Remove the snapshot taken in Step 1 if applicable.
14. You could set the Root password to never expire in order to prevent this issue by running command:       
     # chage -I -1 -m 0 -M 99999 -E -1 root  or at the VAMI  ( https://<vcenter_fqdn>:5480)

Note: If you continue to have issues, see KB 50113586

For 7.0U1 and 6.7U3j there are a few changes:

1. The Root user will be prompted to reset the password when they try to SSH to the machine if expired or expiring.
2. You can also log in to VAMI using the SSO administrator and reset the root password from there.
3. Email notification is sent earlier to prevent from having the Root password expired.
4. An alarm will be triggered in vsphere-ui to notify the user about the password expiry.

Changes in 8.0 U2 and above versions:

• You will get the below error while executing pam_tally2 in 8.0 U2 or above versions, as this utility was deprecated in Photon 4 and 8.0 U2 is using Photon 4 version.
• The alternate utility on Photon 4 is "/usr/sbin/faillock" to unlock the accounts.
• "-bash: pam_tally2: command not found"

For more information, see -

• VMware Skyline Health Diagnostics for vSphere - FAQ
• Resolution: appliance (os) root password is expired or is going to expire soon
• Unable to log in to the vCenter Server Appliance shell using root account even after password reset
• Appliance (OS) root password is expired or is going to expire soon" attempting to upgrade vCenter Server Appliance
• Change the Password and Password Expiration Settings of the Root User

For translated versions of this article, see the below - 

• 失くしてしまったか忘れてしまった root パスワードを vCenter Server Appliance 6.5 でリセットする方法
• 如何在 vCenter Server Appliance 6.5 中重置丢失或忘记的 root 密码