The following users are automatically created on an ESXi host when NSX-T VIBs are installed and the host is therefore prepared as a transport node:
nsx-user:
This user is used by nsx-opsagent to invoke VIM API calls to the hostd agent on the ESX host, specifically for Layer 2 configuration (create/update of hostswitch configuration, port configuration, etc.). NSX logs may refer to this user as nsxuser; both names refer to the same user.
da-user:
This user is used to collect inventory of ESX (VMs, NICs, etc.).
mux-user:
This user is used for reading/writing into the namespace db. For that purpose, the Host.Local.ReconfigVM permission is provided for the user.
lldpVim-user:
This user is utilized by the LLDP application within the nsx-opsagent to retrieve LLDP neighbor information from hostd. The user is automatically created on an ESXi host when the nsx-opsagent service is started and is removed when the service is stopped.
You can see the user details by running the esxcli system account list command from the ESXi command line.
[root@esx-01:/var/log] esxcli system account list
User ID       Description                                Shell access
------------  -----------------------------------------  ------------
root          Administrator                              true
dcui          DCUI User                                  true
vpxuser       VMware Workstation administration account  true
mux_user      ESXi User                                  true
da-user       ESXi User                                  true
nsx-user      ESXi User                                  true
lldpVim-user  ESXi User                                  true
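An added example, not part of the original article and not VMware code: a Python parser for the esxcli system account list output that sorts the listed accounts into the NSX service accounts named above, a baseline, and anything else. The sample listing, the svc-backup account, and the choice of root and dcui as the baseline are assumptions made for illustration.

```python
import re, sys

# Accounts the article says NSX creates on a prepared transport node.
NSX_ACCOUNTS = {"nsx-user", "da-user", "mux-user", "lldpVim-user"}
# Assumption: baseline is limited to two non-NSX accounts from the article's listing.
BASELINE = {"root", "dcui"}
# Per the article, present only while the nsx-opsagent service is running.
TRANSIENT = {"lldpVim-user"}
# Constructed sample in the listing's layout; "svc-backup" is a made-up account.
SAMPLE = """\
User ID       Description    Shell access
------------  -------------  ------------
root          Administrator  true
dcui          DCUI User      true
mux_user      ESXi User      true
da-user       ESXi User      true
nsx-user      ESXi User      true
svc-backup    Backup job     false
"""

def canon(name):
    # The article's text says mux-user while its listing shows mux_user.
    return name.replace("_", "-")

def parse_accounts(text):
    """Parse the fixed-width table, taking column offsets from the dashed ruler."""
    lines = [l for l in text.splitlines() if l.strip()]
    ruler = next((i for i, l in enumerate(lines) if set(l) <= set("- ")), None)
    if ruler is None:
        raise ValueError("no dashed ruler line found")
    starts = [m.start() for m in re.finditer(r"-+", lines[ruler])]
    spans = list(zip(starts, starts[1:] + [None]))
    return [dict(zip(("user", "desc", "shell"), (line[s:e].strip() for s, e in spans)))
            for line in lines[ruler + 1:]]

def audit(text):
    rows = parse_accounts(text)
    seen = {canon(r["user"]) for r in rows}
    known = NSX_ACCOUNTS | BASELINE
    return {
        "nsx_present": sorted(seen & NSX_ACCOUNTS),
        "nsx_missing": sorted(NSX_ACCOUNTS - TRANSIENT - seen),
        "opsagent_user_absent": sorted(TRANSIENT - seen),
        "unexpected": [(r["user"], r["shell"]) for r in rows if canon(r["user"]) not in known],
    }

if __name__ == "__main__":
    piped = len(sys.argv) > 1 and sys.argv[1] == "-"
    for key, value in audit(sys.stdin.read() if piped else SAMPLE).items():
        print(f"{key}: {value}")
```

Pass - as the first argument to audit real output piped from esxcli system account list instead of the sample. An entry under opsagent_user_absent only means lldpVim-user is not listed, which the article ties to the nsx-opsagent service being stopped.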
ESXi Lockdown Mode Behavior:
By default, the nsx-user, da-user, and mux-user accounts are included in the lockdown mode exception users list. This can be verified in vCenter by navigating to: Host > Configure > Security Profile > Lockdown Mode.
The lldpVim-user account is added to the lockdown mode exception users list only when lockdown mode is enabled and the ESXi host is subsequently rebooted. The user is removed from the exception users list once lockdown mode is disabled and the host is rebooted.
User Password:
The password generation for all these users is as per the password policy required by ESX:
The password is generated based on the above guidelines during user creation when the corresponding agent starts up and is never stored anywhere.
There isn't an option today to manually manage these passwords.
Not Applicable - This is an informational KB.
Deleting these service users/accounts is not advisable as long as NSX is installed on the ESXi host.