Secure Default Settings for ESXi Active Directory integration

Article ID: 369707


Updated On:

Products

  • VMware vSphere ESXi 8.0
  • VMware vSphere ESXi 7.0

Issue/Introduction

Several ESXi advanced settings have default values that are not secure.

The AD group "ESX Admins" is automatically given the VIM Admin role when an ESXi host is joined to an Active Directory domain. Every member of that group therefore receives full administrative rights on the host, and the host does not check who created the group or who controls its membership.

Checking for the presence of the group with the command esxcli system permission list gives the following result (ESXi shows the space in the group name as ^, and the unset command below expects the same form):
[root@esxifqdn:~] esxcli system permission list
Principal                Is Group  Role   Role Description
-----------------------  --------  -----  ----------------
yourdomain\esx^admins    true      Admin  Full access rights
cloudadmin               false     Admin  Full access rights
dcui                     false     Admin  Full access rights
root                     false     Admin  Full access rights
vpxuser                  false     Admin  Full access rights

Environment

This article applies to ESXi 7.0 and ESXi 8.0 releases prior to ESXi 8.0 U3.

Resolution

This issue is fixed in ESXi 8.0 U3.

To work around the issue, change the following ESXi advanced options:

  • Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd from true to false (the host no longer grants the Admin role to the group automatically when it joins the domain)
  • Config.HostAgent.plugins.vimsvc.authValidateInterval from 1440 to 90 (the interval, in minutes, at which the host re-validates Active Directory permissions, so a revoked group membership stops working within 90 minutes instead of 24 hours)
  • Config.HostAgent.plugins.hostsvc.esxAdminsGroup from "ESX Admins" to "" (no AD group is designated as the administrator group at all)

If the ESXi host was already joined to Active Directory before the workaround was applied, then remove the Admin permission for the AD group ("ESX Admins" by default) if it exists. This can be done through the Host Client UI or with the following esxcli command:

 esxcli system permission unset -i 'yourdomain\esx^admins' --group

The above step should be done after the workaround is applied; if esxAdminsGroupAutoAdd is still true, the host can grant the group the Admin role again.

All currently assigned VIM permissions can be validated through the Host Client UI or the below esxcli command: 

esxcli system permission list

Note: The ESX Admins group will be added to the host with Admin privileges once the host is added to Active Directory. It is recommended to change these settings before joining the domain. These settings take effect within a minute. A reboot is not required.
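The following script is an added example and is not part of this article or of Broadcom's tooling. It wraps the procedure above so that it can be run from the ESXi shell: it applies the three advanced-setting changes, then finds every Active Directory group that still holds the Admin role in the output of esxcli system permission list and revokes it. The /Config/HostAgent/... option paths are assumed to be the esxcli names of the Config.HostAgent.* settings listed above, and the permission-list sample embedded in the script is a constructed copy of the output shown earlier so that the parsing step can be checked on a workstation without esxcli.

```shell
#!/bin/sh
# Added example (not from the KB): apply the ESX Admins workaround on an ESXi
# host and revoke the Admin role from any AD group that already holds it.
# Assumption: esxcli exposes Config.HostAgent.* under /Config/HostAgent/... .

# Constructed sample of `esxcli system permission list` output (from the KB).
SAMPLE_PERMISSIONS='Principal                Is Group  Role   Role Description
-----------------------  --------  -----  ----------------
yourdomain\esx^admins    true      Admin  Full access rights
cloudadmin               false     Admin  Full access rights
dcui                     false     Admin  Full access rights
root                     false     Admin  Full access rights
vpxuser                  false     Admin  Full access rights'

# Print the principals that are groups holding the Admin role, one per line.
# Reads permission-list output on stdin, so it works on a live host
# (esxcli system permission list | admin_groups) or on a saved capture.
# Lines 1 and 2 are the header and the separator row.
admin_groups() {
  awk 'NR > 2 && $2 == "true" && $3 == "Admin" { print $1 }'
}

# Change the three advanced options to the values the KB recommends.
# Option paths are the assumed esxcli form of the Config.HostAgent.* names.
apply_workaround() {
  esxcli system settings advanced set \
    -o /Config/HostAgent/plugins/hostsvc/esxAdminsGroupAutoAdd -i 0
  esxcli system settings advanced set \
    -o /Config/HostAgent/plugins/vimsvc/authValidateInterval -i 90
  esxcli system settings advanced set \
    -o /Config/HostAgent/plugins/hostsvc/esxAdminsGroup -s ""
}

# Remove the Admin role from every group that still holds it. Run after
# apply_workaround, otherwise the host may re-add the group.
revoke_admin_groups() {
  esxcli system permission list | admin_groups | while IFS= read -r principal; do
    echo "revoking Admin from group: $principal"
    esxcli system permission unset -i "$principal" --group
  done
}

if command -v esxcli >/dev/null 2>&1; then
  apply_workaround
  revoke_admin_groups
  # Final check: no group should remain in the list with the Admin role.
  esxcli system permission list
else
  echo "esxcli not found; auditing the embedded sample only:"
  printf '%s\n' "$SAMPLE_PERMISSIONS" | admin_groups
fi
```

The audit function keys on the "Is Group" and "Role" columns rather than on the group name, so it also catches a host where esxAdminsGroup was changed to some other AD group before this workaround was applied. Run the script once more after the authValidateInterval window has passed to confirm that the group does not reappear.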

Additional Information

6/28/2024 - Added Config.HostAgent.plugins.hostsvc.esxAdminsGroup and note.

8/12/2024 - Added steps required for ESXi hosts already joined to the AD domain.