How to reset SDDC Manager vcf and root user accounts

Article ID: 323984

Products

VMware Cloud Foundation

Issue/Introduction

This article describes how to regain access to the vcf and root user accounts on the SDDC Manager appliance when they are locked out or their passwords have expired or are unknown: boot the appliance into a root shell, clear the failed-login counters, set temporary passwords, and then reset the password history and password aging.

Environment

VMware Cloud Foundation 4.x
VMware Cloud Foundation 5.x
VMware Cloud Foundation 9.x

Resolution

  1. Log in to the vSphere Client and locate the SDDC Manager VM.
  2. Select the SDDC Manager VM; its summary page lists, below the IP address, the FQDN of the ESXi host the VM is running on.
  3. Open a new browser tab, browse to that ESXi host FQDN and log in to the ESXi Host Client as root.
  4. Click Virtual Machines, then select the SDDC Manager VM > Edit > VM Options > Boot Options.
  5. Set the Boot Delay to 10000 milliseconds (10 seconds) so there is enough time to interrupt GRUB.
  6. Open the VM console. On the right-hand side of the console, click Actions > Power > Reset (this is a hard reset of the VM, not a guest reboot).
  7. When the Photon OS GRUB menu appears, press the 'e' key to edit the boot entry.
  8. Use the arrow keys to move to the line beginning with linux and append the following to the end of that line:

    rw init=/bin/bash

  9. Press F10 to boot with the modified entry. The VM comes up in a root shell with the root filesystem writable, without going through login or PAM.
  10. Run the following commands to clear the failed-login counters for the vcf and root accounts. The lockout module, and therefore the tool, depends on the VCF version:

    • For VCF 4.3.0.0 up to and including 5.0.0.1 (pam_tally2):

      /usr/sbin/pam_tally2 -u root -r
      /usr/sbin/pam_tally2 -u vcf -r

    • For VCF 5.1.0.0 and later (faillock):

      /usr/sbin/faillock --user root --reset
      /usr/sbin/faillock --user vcf --reset

    • Note: if the Failures column printed by pam_tally2 is not 0, press the up arrow and re-run the command until it shows 0. With faillock, run /usr/sbin/faillock --user root (without --reset) to list the remaining failed attempts; an empty list means the account is no longer locked.
  11. Set temporary passwords on both accounts:

    passwd vcf
    passwd root

  12. Reboot the appliance from the rescue shell (no init process is running, so a forced reboot is required):

    reboot -f

  13. After a few minutes, SSH to SDDC Manager as the vcf user with its temporary password, then run su root and enter the temporary root password. (SSH is done as vcf rather than root because direct root login over SSH is not permitted on SDDC Manager by default.)
  14. Clear the password history, which PAM uses to reject reuse of previous passwords, so that the final passwords set in the next step are accepted even if they were used before:

    echo "" >/etc/security/opasswd

  15. Now set the final passwords (new ones, or ones used previously) with the passwd commands from step 11. Record what the vcf and root passwords were changed to.
  16. Set the maximum password age for the vcf and root accounts to 999 days so they do not expire again shortly:

VCF: chage -M 999 vcf
Root: chage -M 999 root

   17. On the vCenter Server appliance, make sure the root password is not set to never expire (a maximum age of -1): run chage -l root on the vCenter appliance, or check the password status in the vCenter VAMI. If it is set to never expire, give it a finite maximum age instead:

         Root: chage -M 999 root
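As an added example (not part of this KB and not VMware code), the following bash helper wraps step 10 for use in the init=/bin/bash rescue shell: it picks pam_tally2 or faillock from the VCF version, resets both accounts, and then parses the tool's own status listing to confirm the counter is really 0 before you move on to the temporary passwords. The script name, its "apply" argument and the sample pam_tally2 and faillock output embedded in it are constructed for illustration; the command syntax is the same as in step 10.

```bash
#!/bin/bash
# Added example, not VMware's code. Usage from the init=/bin/bash rescue shell (as root):
#   ./sddc_unlock.sh apply 5.1.0.0      # VCF version of the SDDC Manager being repaired
# With no arguments the script only defines its functions.

# Choose the lockout tool from the VCF version: pam_tally2 below 5.1.0.0, faillock from
# 5.1.0.0 onwards. Prints the reset command for USER.
reset_cmd() {
    local version="$1" user="$2" major minor rest
    major=${version%%.*}
    rest=${version#*.}
    [ "$rest" = "$version" ] && rest=0      # no dot in the version: treat minor as 0
    minor=${rest%%.*}
    if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 1 ]; }; then
        echo "/usr/sbin/faillock --user $user --reset"
    else
        echo "/usr/sbin/pam_tally2 -u $user -r"
    fi
}

# Failure count for USER from `pam_tally2 -u USER` output (second column of the user's row;
# 0 when the user has no row).
tally_failures() {
    printf '%s\n' "$2" | awk -v u="$1" '$1 == u { print $2; found = 1 } END { if (!found) print 0 }'
}

# Failure count from `faillock --user USER` output: after the "user:" line and the column
# header, each record is one failed attempt; those still counted end in "V" (valid).
faillock_failures() {
    printf '%s\n' "$1" | awk 'NR > 2 && $NF == "V" { n++ } END { print n + 0 }'
}

# Constructed sample output (not captured from a real appliance) to exercise the parsers.
SAMPLE_TALLY='Login           Failures Latest failure     From
root                5    10/12/23 10:00:00  10.0.0.5'
SAMPLE_FAILLOCK='root:
When                Type  Source                                           Valid
2023-10-12 10:00:00 RHOST 10.0.0.5                                         V
2023-10-12 10:00:05 RHOST 10.0.0.5                                         V
2023-10-12 09:00:09 RHOST 10.0.0.5                                         I'

# Reset both accounts and confirm each counter is 0, mirroring step 10 and its note.
apply() {
    local version="$1" user cmd left
    for user in root vcf; do
        cmd=$(reset_cmd "$version" "$user")
        echo "$user: $cmd"
        $cmd
        # Query the counter again after the reset rather than trusting the reset's own output.
        case "$cmd" in
            *faillock*) left=$(faillock_failures "$(/usr/sbin/faillock --user "$user")") ;;
            *)          left=$(tally_failures "$user" "$(/usr/sbin/pam_tally2 -u "$user")") ;;
        esac
        echo "$user: remaining failures = $left"
        [ "$left" -eq 0 ] || { echo "$user is still locked; re-run the reset" >&2; return 1; }
    done
    echo "Both accounts unlocked. Next: passwd vcf; passwd root; reboot -f"
}

case "${1:-}" in
    apply) apply "${2:?usage: $0 apply <VCF version, e.g. 5.1.0.0>}" ;;
esac
```

The version split deliberately looks only at major and minor, which is all the 5.1.0.0 boundary in step 10 depends on; re-querying the counter after the reset (instead of reading the reset command's output) is what turns the "re-run until it shows 0" note into a check the script can fail on.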



--------------------



Step 13 can still fail with an additional error even though the password was changed in the rescue shell (example below for root):

vcf@vcenter01 [ ~ ]$ su root
Password:
Your account has expired; please contact your system administrator.
su: User account has expired

Changing the password does not touch the account-expiry fields in /etc/shadow. When you see su: User account has expired, PAM's account check has rejected the login because the account's expiry date (or the password's inactivity date) has already passed. That check is separate from password verification, so a correct new password makes no difference.

You need to go back into the GRUB / bash shell one more time to clear the expiry fields so the account is "unexpired".

The Fix (Back in the Bash Shell)

Reboot into the bash shell (steps 7 to 9 of this article) and run the following commands to clear the expiration flags (repeat with vcf in place of root if that account shows the same error):

1. Force the account to "never" expire (temporarily): this removes the inactivity lock (-I -1), the minimum password age (-m 0) and the account expiry date (-E -1), and sets a very long maximum password age (-M 99999).

Bash

chage -I -1 -m 0 -M 99999 -E -1 root

2. Make sure the account is not also locked by the failed-login counter from the earlier "Authentication failure" attempts:

  • For VCF 5.1+: /usr/sbin/faillock --user root --reset

  • For VCF 4.x - 5.0: /usr/sbin/pam_tally2 -u root -r

3. Verify the status. "Account expires" and "Password inactive" should both read never, and "Password expires" should no longer show a date in the past.

Bash

chage -l root

4. Final reboot, then log in as in step 13. Once you are in, set the maximum password age back to the value from step 16 (chage -M 999 root) rather than leaving it at 99999.

Bash

reboot -f
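As an added example (not part of this KB and not VMware code), the following bash helper automates the fix above: it reads chage -l for the account, reports which aging field is blocking login (a passed account expiry date or a passed password inactivity date, both of which pam_unix reports as "Your account has expired"), applies the same chage flags, and re-reads the status. The chage -l output it embeds is constructed for illustration, the script name and its "apply" argument are assumptions, and GNU date is assumed for date parsing (Photon OS ships coreutils).

```bash
#!/bin/bash
# Added example, not VMware's code. Usage from the init=/bin/bash rescue shell (as root):
#   ./sddc_unexpire.sh apply root      # or: apply vcf
# With no arguments the script only defines its functions.

# Value of one "Label : value" line from `chage -l` output (labels are padded with
# spaces or tabs before the colon, so split on the first colon and trim both sides).
chage_field() {
    printf '%s\n' "$2" | awk -v l="$1" '{
        i = index($0, ":"); if (!i) next
        k = substr($0, 1, i - 1); v = substr($0, i + 1)
        gsub(/[ \t]+$/, "", k); gsub(/^[ \t]+/, "", v)
        if (k == l) print v
    }'
}

# Epoch seconds for a chage date; prints nothing for "never", an empty field or an
# unparseable date. GNU date is assumed (Photon OS).
to_epoch() {
    case "$1" in ""|never) return 0 ;; esac
    date -d "$1" +%s 2>/dev/null || true
}

# Which aging field blocks login at time NOW (epoch seconds)? pam_unix reports both a
# passed "Account expires" date and a passed "Password inactive" date as
# "Your account has expired", so both are checked. Prints the reason, or "ok".
aging_status() {
    local output="$1" now="$2" t
    t=$(to_epoch "$(chage_field "Account expires" "$output")")
    if [ -n "$t" ] && [ "$t" -lt "$now" ]; then echo "account expired"; return 0; fi
    t=$(to_epoch "$(chage_field "Password inactive" "$output")")
    if [ -n "$t" ] && [ "$t" -lt "$now" ]; then echo "password inactive"; return 0; fi
    echo "ok"
}

# Constructed `chage -l`-style output (not from a real appliance) for trying the parser;
# the arguments are the Password expires, Password inactive and Account expires values.
sample_chage() {
    printf '%s\n' \
        "Last password change                                    : Jan 01, 2020" \
        "Password expires                                        : $1" \
        "Password inactive                                       : $2" \
        "Account expires                                         : $3" \
        "Minimum number of days between password change          : 0" \
        "Maximum number of days between password change          : 90" \
        "Number of days of warning before password expires       : 7"
}

# Clear the aging flags for USER (same chage flags as the fix above) and show before/after.
apply() {
    local user="$1" now
    now=$(date +%s)
    echo "before: $(aging_status "$(chage -l "$user")" "$now")"
    chage -I -1 -m 0 -M 99999 -E -1 "$user"
    echo "after:  $(aging_status "$(chage -l "$user")" "$now")"
    echo "Remember to restore the maximum age after logging in: chage -M 999 $user"
}

case "${1:-}" in
    apply) apply "${2:?usage: $0 apply <user>}" ;;
esac
```

Checking the parsed status before and after, rather than just running chage, is what distinguishes this error from a plain lockout: if aging_status already prints "ok" before the change, the su failure has another cause (most likely the failed-login counter in step 2 of the fix).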

 
