Secure Default Settings for ESXi Active Directory integration

Article ID: 369707

Updated On:

Products

  • VMware vSphere ESXi 8.0
  • VMware vSphere ESXi 7.0

Issue/Introduction

Several ESXi advanced settings have default values that are not secure. The AD group "ESX Admins" is automatically given the VIM Admin role when an ESXi host is joined to an Active Directory domain.

Environment

This article relates to all versions prior to ESXi 8.0 U3.

Resolution

This issue is fixed in ESXi 8.0 U3.

To work around the issue, change the following ESXi advanced options:

  • Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd from true to false
  • Config.HostAgent.plugins.vimsvc.authValidateInterval from 1440 to 90
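The following PowerCLI script is an added example, not part of the original article or VMware's own tooling: it audits every host in the connected inventory against the two values listed above and changes them only when asked. It assumes VMware PowerCLI is installed and a Connect-VIServer session is already open; the -Remediate switch and the report column names are hypothetical names chosen for this example.

```powershell
# Added example: audit (and optionally remediate) the two advanced options
# from the workaround list. Assumes an existing Connect-VIServer session.
param(
    [switch]$Remediate   # hypothetical switch: without it the script only reports
)

# Target values taken from the workaround list in this article.
$desired = [ordered]@{
    'Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd' = $false
    'Config.HostAgent.plugins.vimsvc.authValidateInterval'   = 90
}

$report = foreach ($vmhost in Get-VMHost) {
    foreach ($name in $desired.Keys) {
        $setting = Get-AdvancedSetting -Entity $vmhost -Name $name -ErrorAction SilentlyContinue
        if (-not $setting) {
            # Option not returned by this host; record it instead of failing the run.
            [pscustomobject]@{
                Host = $vmhost.Name; Setting = $name
                Current = $null; Desired = $desired[$name]; Status = 'NotFound'
            }
            continue
        }

        # Compare as case-insensitive strings so boolean, integer and text
        # representations of the same value are treated as equal.
        $current   = $setting.Value
        $compliant = "$current" -ieq "$($desired[$name])"
        $status    = if ($compliant) { 'Compliant' } else { 'Drift' }

        if (-not $compliant -and $Remediate) {
            Set-AdvancedSetting -AdvancedSetting $setting -Value $desired[$name] -Confirm:$false | Out-Null
            $status = 'Remediated'
        }

        [pscustomobject]@{
            Host = $vmhost.Name; Setting = $name
            Current = $current; Desired = $desired[$name]; Status = $status
        }
    }
}

# One row per host and setting; Current shows the value found before any change.
$report | Sort-Object Host, Setting | Format-Table -AutoSize
```

Run it once without -Remediate to see which hosts still carry the defaults, then again with -Remediate to apply the workaround values.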