Lockdown mode cannot be enabled on ESXi host due to orphaned domain group


Article ID: 388685


Products

VMware vSphere ESXi 7.0, VMware vSphere ESXi 8.0

Issue/Introduction

When attempting to enable lockdown mode on an ESXi host, the operation fails and an error message is returned; the host stays out of lockdown mode.

If you attempt to enable lockdown mode on the host from vCenter, you may receive the error below.

'Internal Error Occurred' 

If you attempt to enable lockdown mode from the ESXi CLI, you may receive the error below.

reason = "Internal error"

msg = "Received SOAP response fault from [<<io_obj, h:5, <TCP '127.0.0.1'>, <TCP '127.0.0.1'>>, /sdk>]: changeLockdownMode
A general system error occurred: Internal error"

Environment

VMware vSphere ESXi 7.x

VMware vSphere ESXi 8.x

Cause

This issue is caused by an orphaned domain group on the ESXi host: a domain group that the host's configuration still references but that can no longer be resolved. The same orphaned reference is what makes the host unable to leave the domain cleanly, which is why the resolution below works around it with a local group of the same name.

Resolution

To resolve this issue, create a new local group with exactly the same name as the orphaned group, leave the domain while that local group exists, and then remove the local group.

  1. Login to your ESXi host via SSH as root. 
  2. Attempt to leave the domain from the ESXi host.
    1. Click Manage in the VMware Host Client inventory and click Security & Users.
    2. Click Authentication and click Leave Domain.
    3. Copy the entire error message (we will need this for the next steps). 
  3. Within the SSH session, create a local group with exactly the same name as the orphaned group (the name is case sensitive). Type EXACTLY the name that appears in the error message from the Leave Domain attempt in the VMware Host Client, and keep it in single quotes so the shell passes the backslash and any caret through literally: /usr/lib/vmware/busybox/bin/busybox addgroup 'DOMAIN\group^name'
  4. Leave the domain using VMware Host Client. 
    1. Click Manage in the VMware Host Client inventory and click Security & Users.
    2. Click Authentication and click Leave Domain.
  5. Within the SSH session, remove the local group: /usr/lib/vmware/busybox/bin/busybox delgroup 'DOMAIN\group^name'
  6. Rejoin the domain if desired. 
  7. Attempt to enable lockdown mode on the host.
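The following script is an added example and is not part of this KB article or of the product. It wraps the two busybox commands from steps 3 and 5 with a check against the host's local group file, so you can confirm the stand-in group really exists before you click Leave Domain and is really gone afterwards (an orphan left behind would block lockdown mode again). It assumes local groups are listed in /etc/group on the host, that the vim-cmd subcommands used in enter_lockdown exist on your build (the article does not mention them; they are the CLI counterpart of step 7), and the script name orphan-group.sh is hypothetical. The busybox path is the one the article gives.

```shell
#!/bin/sh
# Added example, not from the KB article. Wraps the article's addgroup/delgroup
# steps with before/after checks against the local group file.
# Assumptions (not stated by the article): local groups live in /etc/group,
# and vim-cmd's lockdown subcommands exist. Both paths can be overridden
# through the environment.

BUSYBOX="${BUSYBOX:-/usr/lib/vmware/busybox/bin/busybox}"   # path from the article
GROUP_FILE="${GROUP_FILE:-/etc/group}"                       # assumed location

# group_exists NAME [FILE]: succeed if NAME is the first field of a line in FILE.
# The comparison uses [ = ] rather than grep: 'DOMAIN\group^name' contains a
# backslash and a caret, both regex metacharacters. read -r keeps the
# backslash literal.
group_exists() {
    name=$1
    file=${2:-$GROUP_FILE}
    while IFS=: read -r gname rest; do
        [ "$gname" = "$name" ] && return 0
    done < "$file"
    return 1
}

# add_orphan_group NAME: create the stand-in local group (step 3), then
# confirm it actually landed in the group file.
add_orphan_group() {
    name=$1
    if group_exists "$name"; then
        printf '%s\n' "group '$name' already present"
        return 0
    fi
    "$BUSYBOX" addgroup "$name" || return 1
    group_exists "$name"
}

# remove_orphan_group NAME: delete the stand-in group after leaving the
# domain (step 5), then confirm it is really gone.
remove_orphan_group() {
    name=$1
    if ! group_exists "$name"; then
        printf '%s\n' "group '$name' not present"
        return 0
    fi
    "$BUSYBOX" delgroup "$name" || return 1
    if group_exists "$name"; then
        printf '%s\n' "group '$name' still present after delgroup" >&2
        return 1
    fi
    return 0
}

# enter_lockdown: CLI counterpart of step 7. The vim-cmd subcommand names
# are an assumption of this example, not something the article states.
enter_lockdown() {
    vim-cmd vimsvc/auth/lockdown_mode_enter && vim-cmd vimsvc/auth/lockdown_is_enabled
}

# Usage on the host (always single-quote the name so the shell passes the
# backslash and caret through untouched; the script name is hypothetical):
#   sh orphan-group.sh add 'DOMAIN\group^name'      # before Leave Domain
#   sh orphan-group.sh remove 'DOMAIN\group^name'   # after Leave Domain
#   sh orphan-group.sh lockdown
case "${1:-}" in
    add)      add_orphan_group "$2" ;;
    remove)   remove_orphan_group "$2" ;;
    lockdown) enter_lockdown ;;
esac
```

Run the add step, do the Leave Domain in the Host Client, then run the remove step; each step exits non-zero if the group file does not reflect the change, which is the signal that the stand-in group did not match the orphaned name exactly.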