Secure Default Settings for ESXi Active Directory integration
Article ID: 369707
Updated On:
Products
Issue/Introduction
Several ESXi advanced settings have default values that are not secure by default.
The AD group "ESX Admins" is automatically given the VIM Admin role when an ESXi host is joined to an Active Directory domain.
[root@esxifqdn:~] esxcli system permission list
Principal Is Group Role Role Description
------------- -------- ----- ----------------
yourdomain\esx^admins true Admin Full access rights
cloudadmin false Admin Full access rights
dcui false Admin Full access rights
root false Admin Full access rights
vpxuser false Admin Full access rights
Environment
This article relates to all versions prior to ESXi 8.0 U3.
Resolution
This issue is fixed in ESXi 8.0 U3.
To workaround the issue, change the following ESXi advanced options:
Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAddfromtruetofalseConfig.HostAgent.plugins.vimsvc.authValidateIntervalfrom1440to90Config.HostAgent.plugins.hostsvc.esxAdminsGroupfrom "ESX Admins" to ""
If the ESXi host was already joined to Active Directory before the workaround was applied, then remove the Admin permission for the AD group ("ESX Admins" by default) if it exists. This can be done through the Host Client UI or with the following esxcli command:
esxcli system permission unset -i 'yourdomain\esx^admins' --groupThe above step should be done after the workaround is applied.
All currently assigned VIM permissions can be validated through the Host Client UI or the below esxcli command:
esxcli system permission listNote: The ESX Admins group will be added to the host with Admin privileges once the host is added to Active Directory. It is recommended to change these settings before joining the domain. These settings take effect within a minute. A reboot is not required.
Additional Information
6/28/2024 - Added Config.HostAgent.plugins.hostsvc.esxAdminsGroup and note.
8/12/2024 - Added steps required for ESXi hosts already joined to the AD domain.
Feedback
