Secure Default Settings for ESXi Active Directory integration

Article ID: 369707

Products

  • VMware vSphere ESXi 8.0
  • VMware vSphere ESXi 7.0

Issue/Introduction

Several ESXi advanced settings ship with insecure default values. In particular, the AD group "ESX Admins" is automatically granted the VIM Admin role when an ESXi host is joined to an Active Directory domain.

Environment

This article relates to all versions prior to ESXi 8.0 U3.

Resolution

This issue is fixed in ESXi 8.0 U3.

To work around the issue, change the following ESXi advanced options:

  • Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd from true to false
  • Config.HostAgent.plugins.vimsvc.authValidateInterval from 1440 to 90
  • Config.HostAgent.plugins.hostsvc.esxAdminsGroup from "ESX Admins" to ""

If the ESXi host was already joined to Active Directory before the workaround was applied, remove the Admin permission for the AD group ("ESX Admins" by default) if it exists. This can be done through the Host Client UI or with the following esxcli command:

esxcli system permission unset -i 'DOMAIN\esx^admins' --group

Perform this step only after the advanced options above have been changed; otherwise the permission is re-created.

All currently assigned VIM permissions can be reviewed through the Host Client UI or with the following esxcli command:

esxcli system permission list

Note: The ESX Admins group is granted Admin privileges on the host as soon as the host is joined to Active Directory, so it is recommended to change these settings before joining the domain. The settings take effect within a minute; a reboot is not required.
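The following audit script is an added example (not part of this article) that checks the three advanced options and the AD group permission described above from the ESXi shell and prints OK/FAIL per item. It assumes the output layouts of `esxcli system settings advanced list -o <path>` and `esxcli system permission list` parsed below, and that the boolean option is reported as Int Value 0/1; the sample output used for testing is constructed.

```shell
#!/bin/sh
# Added audit example for the ESX Admins workaround (not from the KB). It only
# reads host state: each check prints OK or FAIL, and FAIL lines name the fix.
# Assumed, not from the KB: the esxcli output layouts parsed below, and that the
# true/false option esxAdminsGroupAutoAdd is reported by esxcli as Int Value 0/1.

# Print one field ("Int Value" or "String Value") from advanced-option output on stdin.
adv_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# $1 = short option name, $2 = field, $3 = secure value, stdin = esxcli output.
# Prints OK or FAIL; returns 1 on FAIL so a caller can accumulate the result.
check_option() {
    current=$(adv_field "$2")
    if [ "$current" = "$3" ]; then
        printf 'OK   %s = "%s"\n' "$1" "$current"
    else
        printf 'FAIL %s = "%s" (secure value: "%s")\n' "$1" "$current" "$3"
        return 1
    fi
}

# From `esxcli system permission list` output on stdin, print every group
# principal that still holds the Admin role (header and separator lines skipped).
admin_groups() {
    awk 'NR > 2 && $2 == "true" && $3 == "Admin" { print $1 }'
}

# Run all checks against the live host; returns 1 if anything is still insecure.
audit_host() {
    rc=0
    base=/Config/HostAgent/plugins
    esxcli system settings advanced list -o "$base/hostsvc/esxAdminsGroupAutoAdd" \
        | check_option esxAdminsGroupAutoAdd "Int Value" 0 || rc=1
    esxcli system settings advanced list -o "$base/vimsvc/authValidateInterval" \
        | check_option authValidateInterval "Int Value" 90 || rc=1
    esxcli system settings advanced list -o "$base/hostsvc/esxAdminsGroup" \
        | check_option esxAdminsGroup "String Value" "" || rc=1
    for g in $(esxcli system permission list | admin_groups); do
        printf 'FAIL group "%s" holds Admin (esxcli system permission unset -i %s --group)\n' "$g" "$g"
        rc=1
    done
    return $rc
}

# Run automatically only where esxcli exists, i.e. on the ESXi host itself.
if command -v esxcli >/dev/null 2>&1; then audit_host; fi
```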

Additional Information

6/28/2024 - Added Config.HostAgent.plugins.hostsvc.esxAdminsGroup and note.

8/12/2024 - Added steps required for ESXi hosts already joined to the AD domain.