Several ESXi advanced settings have default values that are not secure by default. The AD group "ESX Admins"
is automatically given the VIM Admin role when an ESXi host is joined to an Active Directory domain.
This article relates to all versions prior to ESXi 8.0 U3.
This issue is fixed in ESXi 8.0 U3.
To workaround the issue, change the following ESXi advanced options:
Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd
from true
to false
Config.HostAgent.plugins.vimsvc.authValidateInterval
from 1440
to 90