• The ESXi host cannot be removed from the Active Directory (AD) domain.
• Lockdown mode cannot be enabled on the ESXi host.
• Permissions cannot be removed from the ESXi host.
• When attempting to manage or remove the user/group "EXAMPLE\esx^admins" in the Host UI or via the command line, the error "vim.fault.UserNotFound" or "The user or group named 'EXAMPLE\esx^admins' does not exist" is encountered.
• esxcli system permission unset --group -i 'example\esx^admins'

It fails with the following error message: The user or group named 'example\esx^admins' does not exist

• Similar errors are found in the /var/run/log/hostd.log

yyyy-mm-ddThh:mm:ss.mssZ info hostd[2277134] [Originator@6876 sub=Vimsvc.TaskManager opID=cf748e7d user=root] Task Completed : haTask-ha-host-vim.host.HostAccessManager.changeAccessMode-1180481544 Status error
yyyy-mm-ddThh:mm:ss.mssZ info hostd[2277134] [Originator@6876 sub=Solo.Vmomi opID=cf748e7d user=root] Activation finished; <<52e48cb7-a48d-c4c6-a362-77e20d377c99, <TCP '127.0.0.1 : 8307'>, <TCP '127.0.0.1 : 50890'>>, ha-host-access-manager, vim.host.HostAccessManager.changeAccessMode>
yyyy-mm-ddThh:mm:ss.mssZ verbose hostd[2277134] [Originator@6876 sub=Solo.Vmomi opID=cf748e7d user=root] Arg principal:
--> "example\esx^admins"
yyyy-mm-ddThh:mm:ss.mssZ verbose hostd[2277134] [Originator@6876 sub=Solo.Vmomi opID=cf748e7d user=root] Arg isGroup:
--> false
yyyy-mm-ddThh:mm:ss.mssZ verbose hostd[2277134] [Originator@6876 sub=Solo.Vmomi opID=cf748e7d user=root] Arg accessMode:
--> "accessNone"
yyyy-mm-ddThh:mm:ss.mssZ info hostd[2277134] [Originator@6876 sub=Solo.Vmomi opID=cf748e7d user=root] Throw vim.fault.UserNotFound
yyyy-mm-ddThh:mm:ss.mssZ info hostd[2277134] [Originator@6876 sub=Solo.Vmomi opID=cf748e7d user=root] Result:
--> (vim.fault.UserNotFound) {
-->    principal = "example\esx^admins",
-->    unresolved = false,
-->    msg = "",
--> }

A user or group has been removed from the ESXi host but the associated permissions were not removed correctly.

To remove the stale permissions, use any of the below provided Resolutions:

Resolution 1:

1. SSH to the ESXi host via the root user

2. Add a temp account for "esx^admins" : /usr/lib/vmware/busybox/bin/busybox addgroup example\esx^admins

3. Remove the "esx^admins" permission : esxcli system permission unset --group -i "example\esx^admins"

4. Remove the temp account for "esx^admins" : /usr/lib/vmware/busybox/bin/busybox delgroup example\esx^admins

Resolution 2:

The entry needs to be removed from the configstore DB.

1. SSH to the ESXi host via the root user

2. Verify the user or group entry is in the configstore DB: /usr/lib/vmware/sqlite/bin/sqlite3 /etc/vmware/configstore/current-store-1 "select * from Config where Component='esx' and ConfigGroup='authorization' and UserValue like '%esx^admins%'"

Resolution 3:

Even after performing the above changes if the issue does not resolve.

Verify the domain connectivity on the ESXi host and perform rejoin the domain for the ESXi host

STEPS:

In host UI client - 

• Click Manage in the VMware Host Client inventory and click Security & Users
• Click Authentication 
• Disjoin the domain and Join back the AD

Note: Replace the pattern between the %s with a unique string contained in user/group name, being removed.  

Result example:

esx|authorization|permissions|a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6|2024-06-05 08:30:26|2023-07-11 17:57:08|1.3|1||{"cs_generated_id": "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6", "principal": "EXAMPLE\\esx^admins", "is_group": true, "access_mode": "Admin"}||||13

3. Delete the entry : /usr/lib/vmware/sqlite/bin/sqlite3 /etc/vmware/configstore/current-store-1 "delete from Config where Component='esx' and ConfigGroup='authorization' and UserValue like '%esx^admins%'"

4. Repeat step 2 of Resolution 2 to verify that entry is no longer returned.

5. Restart the ESXi management agent to reflect the removal in the UI, using command: /etc/init.d/hostd restart

To read more about the ESX admins group and the use case for the group.

Configuring the ESXi host with Active Directory authentication